Reflecting on OSAC 2022
A couple of weeks ago, the US State Department’s Overseas Advisory Council (OSAC) hosted its most recent Annual Briefing – the first in-person gathering in two years after switching the event to virtual during the peak of the COVID pandemic.
The event is held under Chatham House Rules, so attribution is restricted.
Ontic sent a delegation to the briefing to attend sessions, network with peers and friends, and meet new like-minded professionals. We also co-hosted an evening with AIRIP and IPSB were a proud sponsor of the 2022 ISF Awards dinner honoring OSAC contributions. Our values are aligned with the OSAC mission to support the “ongoing exchange of information and best practices for the protection of U.S. interests [and organizations operating] overseas.
We are grateful to the OSAC team for pulling everyone together again and hosting a remarkable set of panel discussions as well as topical and regional briefings.
Here are our key takeaways from the 2022 OSAC Annual Briefing:
Networks (and Networking) are Essential to Meet Current Challenges
We heard repeatedly about the challenges of “polycrises” – complex, interwoven, and highly dynamic crises that complicate operations and decision-making. It is rare, if not impossible to find a team – especially in the private sector – that has a firm grasp on every facet of these crises.
To address these gaps, security and intelligence teams must leverage professional and peer networks. Flipping the adage on its head, one panelist remarked (paraphrased), “Just as nation-states and intelligence agencies don’t have friends, only occasional mutual interests. Corporate security intelligence functions don’t have enemies (corporate rivals), they have many mutual interests.”
The modern security intelligence professional has an embarrassment of riches for mutual aid right now; from State Department Regional Security Officers (RSOs), professional networks like the Analyst Roundtables, AIRIP, and IPSB, and peers at other firms willing to engage in knowledge and resource sharing.
Given the complex challenges of the many polycrises confronting multinational corporations, combined with a climate of financial uncertainty and budget cuts, analysts and security professionals need to lean into their networks to tap into expertise and insights they may not have indigenously cultivated within their own organization.
Professionalization of Intelligence Analysts and Organizational Design in the Private Sector is Still in Nascent Stages
It was noted that in a survey of job titles for analysts there were some seventy (70+) different permutations. It was similarly noted that there is still very little consistency in organizational structure, with security and intelligence functions rolling up into operations, HR, legal, or directly to the chief executive officer. One example even had security rolling up into Intelligence.
While there is likely no “one right answer,” researchers, academics and practitioners anticipate greater standardization as the function matures from the traditional reactive “guns, gates, guards” mentality to a more proactive risk management/risk enablement function.
The background composition of those employed in the intelligence and security functions seems to be changing as well – especially as the requirements change from safety and security to risk management and enablement. We are seeing less focus on prior cleared military, intelligence, and law enforcement background and more on softer skills with greater business or management orientation.
Transitioning from Security Outcomes to Business Outcomes
As corporate leadership gains confidence in the span of challenges a strong security intelligence team can deliver against (such as stepping up to help provide insights and decision support associated with the COVID outbreak), teams are likely to be pulled into more business decisions, begetting the need for more analysts who understand the business of doing business.
As a profession we likely need to lean into – and mature – against the idea of providing decision support beyond safety and security questions and into business operations, resiliency, and other factors that support business value.
Reframing Insider Threats – “Support not Report”
The post-peak COVID work posture almost certainly will not see a massive return to office in the next 12-18 months. Employees will continue to work from home, conduct hybrid work from home and office, or take advantage of lax policies to work from “wherever.”
Consequently, cyber-security teams will continue to be challenged by not having solid views of colleagues’ INFOSEC practices such as seeing who else might be in the room with sensitive data, hearing when, how and who with company details are being discussed and assessing positive control of company laptops (e.g. employees working from a coffee shop or co-work area going to restroom leaving laptops behind, making them available for theft or compromise).
Further, the recent spate of layoffs is likely to lead to an increase in aggrieved employees and former employees with new motivation to do the organization harm or compromise data or networks.
Panelists suggested that the best way to handle these challenges is not to crack down and implement ever more draconian measures and monitoring schemes, but rather to foster engagement and a culture of security awareness with employees, making sure they feel supported in their work location and their current work habits.
They admitted that it is difficult to thread the needle. Evaluation and monitoring are absolutely an important part of the information security regime and teams should have the right tools to allow cyber and physical security teams to collaborate on potential threats and threatening actors, but organizations will find the best outcomes if they rotate towards a “support not report” mentality.
COVID Isn’t Over
Despite the return to in-person events, the threat of COVID still looms. Many Briefing participants commented jokingly about the quote, unquote, “end of COVID,” but acknowledged that the disease was still on their radar.
Last week there were over 300,000 cases and over 2,600 deaths reported in the US, and a member of our delegation received a COVID exposure notification on their smartphone upon return from the event.
While it wasn’t explicitly discussed in any of the panels, the theme of intelligence and security teams having to justify themselves and their budgets did come up at least a few times. While COVID might no longer be top of mind to leadership, epidemiologists are anticipating a potential winter surge in the US. With many workplaces shifting from fully remote to a hybrid work posture, illness-based absenteeism is likely to increase, potentially with a significant impact on operational readiness.
If your team was responsible for helping your organization make sense of and mitigate the effects of the pandemic, memorialize the efforts in annual reports and briefings to leadership. Find ways to remind the rest of the organization of your impact on the business. Even if the majority of work was done years ago, almost certainly there will be ongoing benefits from the insights and changes to processes to highlight.
It was a true pleasure to see our like-minded colleagues again at the OSAC Annual Briefing. We look forward to seeing the community again next year!
Looking to learn more about how you can lead your corporate security team through volatile times? Take a look at our on-demand webinar here.