September 17, 2025
Navigating the Future of Corporate Security: Insights from the Clarity Factory’s Annual CSO Survey
In this episode
Rachel Briggs, CEO of The Clarity Factory, joins us again on the Connected Intelligence Podcast to share findings from The Clarity Factory’s Annual CSO Survey, proudly sponsored by Ontic. We explore how security leaders can break silos, tackle insider risk, and adapt to the rapidly evolving threat landscape. She highlights the growing need for cross-functional partnerships, the rising urgency around insider risk, and the expanding role of AI in security operations. Briggs also explains the importance of storytelling as a leadership skill to connect with the C-suite and demonstrate the value of corporate security.
You can download The Clarity Factory’s Annual CSO Survey here.
0:00
Manish:
Rachel Briggs is CEO of the Clarity Factory, which produces research, thought leadership, consultancy on corporate security and cybersecurity. She advised dozens of multinational corporations, provides benchmarking services, and regularly briefs security leadership teams. She is the author of the Business Value of Corporate Security, co-authored the Business of Resilience, Holistic Security, and most recently authored the Clarity Factory Annual CSO Survey. She is an associate fellow at Chatham House and a board member of the Risk and Security Management Forum and the Global Center of Cooperative Security. She was founding Executive Director of Hostage US and the first director of Hostage International. Please join me in welcoming back once again, Rachel Briggs to the Connected Intelligence Podcast. Great to have you with us again, Rachel. Thank you for joining.
Rachel:
Thank you for having me. It’s always a pleasure to join you.
01:25
Manish:
Listen, you have done an extensive amount of research. You’ve advised so many multinational corporations and security teams. What motivated you this time around to launch the annual CSO survey? And what have you seen, discovered, learned that you feel it will help shape our industry and conversations that we’re having?
Rachel:
Yeah, absolutely. I mean, as you and maybe some of the listeners for this podcast will know, I’m not a stranger to surveys. We run a lot of surveys with the Clarity Factory. And we also get very positive feedback for those surveys. We know that CSOs use them to make decisions, to prioritize. But I was always frustrated that our surveys provided a snapshot in time, rather than being able to show trends over time, because nine times out of ten, when I present a data point to a CSO, their immediate question is, how has this changed over time? And I wanted to be able to answer that question. I wanted to be able to demonstrate how this has changed over the last year, two years, five years, ten years, so that CSOs not only know what’s happening today, but they understand how things are changing, and I really hope that will help them to anticipate their future needs as well.
02:47
Manish:
I’m passionate about our next topic, which is silos. I believe silos are the enemy. I know you have spent a lot of time talking to CSOs, even in the survey, remarkable, but maybe not, that 77% of CSOs said silos and fragmented data still hinder their effectiveness. Why, Rachel, why in 2025 is this still so prevalent, so persistent?
Rachel:
It really is. And I spend nearly as much time obsessing over this as you do, Manish. I mean, I think there’s, I would probably point to four reasons why this is still dogging the security community. I think first and foremost is the fact that people are kind of busy. I mean, the world is turned upside down and corporate security functions, their workload has really dramatically increased in recent years. So I think they’re dealing with a lot and there aren’t many spare moments in the day, which of course, is an argument for getting connected, but getting connected, getting there is difficult when your workload is so heavy to start with. So I think that’s the first reason. I think secondly, and this isn’t sort of particularly unique to the security world, but we all tend to have our way of doing things and we as human beings don’t tend to find change very easy and I think one of the things that I got, I mean particularly you mentioned the holistic security report which came out a couple of months ago and that was all about connections and finding ways to work in partnership more. And one of the really strong messages from that was just, this stuff is hard. It’s hard to get people to go from working one way to now working another way, and certainly talked in some detail in that report about why that is and how you can encourage people and support people to do stuff differently. So I think there’s a need to sort of change working patterns, which are somewhat entrenched. I think, unfortunately, there is still a perception in some quarters, decreasing, but is still there, which is this idea that collaboration is nice to have, but is not necessarily essential. I think you and I would disagree with that. But I think that does still persist. So there’s still an argument to be made about why collaboration produces better security than siloed. 
And I think fourth and finally, and this will, of course, resonate with Onticians, is the fact that until fairly recently, being joined up was quite difficult. But we do now have technology and indeed your platform is one great example of this. We do now have technology and platforms that make all of this almost effortless. And so I think we are beginning to win the argument. I think there are far fewer folks within corporate security who would describe collaboration as a nice to have. And now we’re starting to see the kind of products on the market that make turning this into a reality so much easier than it was even just a handful of years ago.
Manish:
So our listeners are going to be thinking about, is the juice worth the squeeze at the end of the day? Is there a really measurable impact or a measurable difference from bridging or breaking these silos?
Rachel:
Yeah, I mean there’s so many examples I could point towards. I wanted to actually point towards an example which isn’t given very often, but I think will be more in the future, and draw on a case study from our annual CSO survey this year. And that’s a case study which is about the importance of corporate security working in partnership with corporate relations. Some companies might be called external relations or government relations, usually depending on what the sector is and what the focus of that particular function is. But in essence, the relationship between corporate security and the bit of the organization that is concerned about things like regulation trends, reputation management, stakeholder relationships, relationships with government, that whole kind of bundle of issues. And there’s a really interesting case study in there of how these two functions in a particular multinational corporation that we interviewed have now gone from being completely separate to having a moment of conflict where they sort of realized one another existed and sort of wondered why each other were sort of wandering into one another’s space to now having a really, really positive relationship. The importance of that is only growing, because if you think about the job that corporate security has, and if you think about the ways in which the threat environment is changing, the ways in which corporations now are, and I use air quotes here, are starting to be seen as being, quote unquote, fair game, whether that’s for protest, for activism, for killing CEOs, I mean, goodness, all manner of threats to the organization because of the position of the organization, what it’s said on a particular issue, where it’s positioning itself in relation to its consumers etc. 
So the need for these two bits of the business to work together is just getting more and more critical and what the case study shows us is that they can do an okay job if they work in silos, but actually if they come together and you bring together the expertise of corporate security with its exceptional threat management, predictive intelligence, horizon scanning, along with the work of corporate relations who are thinking about how we positioned what should the CEO say in their next investor statement etc. How do we, what do we say, how do we position ourselves, where are we? If you bring those two perspectives together you suddenly have a 360 degree wraparound around this whole set of really quite complicated threats around, threats to executives, protest, activism, and so an insider, you suddenly have a far more effective all-seeing, all-knowing response, as opposed to when those two functions sort of get on with their own things and don’t connect. So it’s one of the, you know, you asked me up front what were some of the kind of key, interesting, surprising things of the survey, and I think one that I would really point out is that relationship with corporate relations, community relations, government affairs, and as that threat environment is changing it becomes incredibly critical for corporate security to kind of get out of its lane and start partnering more and more with that bit of the business. And I think that will deliver incredible value for CEOs and C-suite who know that this is a very complicated set of threats that they face. And I think we’ll have a high degree of reassurance knowing that those two teams are playing together.
10:23
Manish:
Couldn’t agree more. So what are practical steps that security teams can take? Think about cyber, physical, IT, HR, legal. Again, practical steps.
Rachel:
Yeah, and actually they’re pretty generic for all of them. I mean, the first and really obvious thing is to figure out where those dependencies are. Figure out for each given function, whether it’s as you say IT, HR, legal, figure out what sits in the middle of our Venn diagram and just do that in a super structured and organized way. Figure out how could you benefit from their input and vice versa. So the first thing is, map those dependencies, understand where the benefits of partnership are, reach out for a really open and curious conversation—I often, when I hear CSOs saying that a relationship hasn’t worked, there are many reasons why, but so often there’s a sense I get of somebody going into that conversation with a fixed idea of what they will do for legal or what legal will do for them or whoever it might be. And the really effective conversations are when both parties show up and say, hey, I think there is something here. Let’s have an open and curious conversation about where this is and let’s not start with a defined idea of what this partnership should be or has to look like. I think it’s really helpful as well to go into it asking yourself as a security leader, how you could deliver value for that partner on behalf of the business, that kind of mindset of value creation, I think is really critical. I think the final thing I would say is that it’s really important for security to talk less about the things it does and talk more about the why of what it does. You know, describing the ins and outs of your program is kind of confusing and bewildering enough for people within your own program. There’s so much there, there’s so much detail. Stepping back from that, and rather than describing all of these programs and activities you have, talk to the other side about the why. Why do you exist? Why do you create value for the organization? What’s your mission statement? 
And not only does that make it a lot easier to connect, it also makes it a lot more likely that that other party will lean in, because it’s something everyone can get behind. It’s the mission, and they will see part of themselves in it, as opposed to sort of arriving with a clipboard and a list of activities. Talk about why you’re there. Talk about the mission that security has. And I guarantee there will be a much more receptive audience to sort of start that conversation about partnership.
13:28
Manish:
Excellent advice. Let’s shift to a couple of other sections of your survey. One was insider risk. Fascinating data point where on average, the median cost of an incident is about four and a half million dollars. So what’s changed? What’s driving this urgency in insider risk compared to several years ago?
Rachel:
Yeah, I mean, I would say in short that we have a perfect storm where insider risk is concerned. In other words, there are a number of things that have happened around the same time, all of which come together to explain the quite significant rise that we’ve seen in insider risk. And in short, I would say four things. The first is this enormous digital transformation that we’ve seen within the workplace, which means that it has created vulnerabilities, shall we say, for most multinational organizations, that it’s easier to get in, and it’s easier to get data out. And it’s harder to sort of control who has data to who has access to what. And, you know, as we’ve talked about previously, the rise of AI will probably make that even more difficult to sort of control where your data is and who’s having access to it. So I think that’s the first thing. The second is around remote working and literally understanding who your workforce is. And we’ve seen stories of, you know, North Korean sort of agents infiltrating companies without them realizing, etc. So I think the rise of remote working has sort of made it harder to know who’s really working in your organization. Am I talking to the person I think I’m talking to when the camera’s off? And that obviously kind of, you know, rose significantly around the time of the pandemic where none of us had any choice but to do that. So I think that has happened. And then we also have a couple of things that have been going on in the external environment, like some of the economic changes, you know, really difficult financial times for many people in the West these days, and also the rise of sort of social and political polarization. And, you know, we see survey data from other organizations that shows that, you know, employees sort of expect more from their employers, they expect their company to take a stance on things. They get very disillusioned if they don’t. 
So all in all, a perfect storm of all of those things means that, I think that helps to explain why insider risk is really growing. And it’s not surprising to me that it’s not just a top risk for CSOs, but also for boards and C-suite as well.
16:52
Manish:
The beauty of your survey for our listeners is you didn’t just send out a survey, you interviewed many, many executives. So what stood out in terms of effective strategies or programs for insider risks that ended up working?
Rachel:
Yeah, I mean it’s an interesting one and you know we interviewed some experts on insider risk as well to really get their views on this and I think that there’s four things that really stood out to me from what they said. The first is use the data you’ve got. If part of the vulnerability is created by this huge digital transformation process that has gone on within organizations, that’s also part of the opportunity here as well. Most clients I work with and most insider risk experts I talk to who are working with clients on insider risk say that many organizations still don’t realize what they can find out about what is going on on their network, just from the information that is held on their network. So I think many organizations are getting good in this space, but I think don’t underestimate the intelligence you can gather internally about anomalies, triggers, etc. So that would be the first thing. The second thing is the importance of really targeting into high risk users. And high risk users are essentially the folks who either have access to the crown jewels or are able to sort of make changes that could be consequential. So that might be executives, it might be the executive assistants of executives, it might be the folks who are on the help desk who might not have the highest per hour salary of anybody in the organization but can do things like change passwords and give access to people who are pretending to be somebody they’re not. We’ve seen a number of instances where that has been the cause of quite a major breach. And the third important lesson that they shared with me was about, and again this brings us back to the scourge of silos, which is about the importance of insider risk programs being collaborative. This is not something that one function can do on behalf of the whole organization. 
To be effective, you have to have a range of different functions involved, corporate security often, cyber, IT, HR, legal, compliance, and actually our survey provides data on what proportion of those functions are involved in the insider risk programs of the companies that we surveyed. So the importance of collaboration, but also the importance of having a very clear leader for this. You know, you can’t sort of run this as a distributed program without one clear bit of the organization, one named individual where the buck really stops in reality. And I think that the fourth, and I certainly hear this from my clients, is about executive ownership of this. And certainly from a British perspective, you know, a growing number of sectors find themselves at senior level looking at this very carefully because we have regulators who are now awake to insider risk. We have investors who are now very awake to insider risk. And so boards and executive committees and C-suites are now being asked questions by those kind of stakeholders about what are you doing? How confident are you that your responses are effective? Can you guarantee us that we’ve got the best in show insider risk program for our organization? And so I hear that a lot from clients is help us to understand how can we put the right governance in place so that our executive can effectively own its responsibilities and disperse its responsibilities in this regard and a framework that can really map through the organization so everybody is kind of pointing in the right direction.
21:11
Manish:
Let’s shift over to executive protection. You know, the best surveys I’ve found are the ones that draw contrast. And there are some remarkable contrasts between the perceptions of and the leaning in of CSOs in the US versus the UK. Maybe tell our audience a little bit of what you learned.
Rachel:
Yeah, very, very interesting. You know, we found that US CSOs are more concerned about this. You know their executives are asking more questions about this and very much a higher priority there and I think you know we can point to a number of instances that would explain that. I think back to, of course, the murder of Brian Thompson in December of last year. We had the recent attack on the office building in Park Avenue in New York, any number of other attacks against political leaders, business leaders. We know from our other data that organizations are concerned about increased risk of protest and activism. People turning up at investor meetings, people turning up at board meetings, etc, etc, threats to executives being higher. And so I think it’s important to say that, as you point out, that there is a heightened concern about this in the US than there is in the UK. It’s not that there is no concern in the UK, I should add, and certainly UK CSOs that we interviewed said, yeah, I have had that question from my board of directors. They are more interested in it, but they are perhaps quicker to be reassured with the capability that we’ve got. You know, the big difference here, of course, and the sort of the elephant in the room is firearms. As a result of that, I’m not going to say the risk is none in the UK. Of course it’s not. There’s all sorts of other things you can do with or without the availability of firearms. But I think there’s a real concern amongst US businesses because an intent to harm can manifest quicker and easier because of the availability of firearms. And that’s just a reality.
23:40
Manish:
Let’s shift to technology and a topic that’s on everyone’s mind, AI. So in your survey, 67% of CSOs said they’re increasing their security budget and technology spend, which is amazing. And 60% are already using AI. So tell us what you’re learning from that survey, from some of the interviews. There’s a lot of components here, but I’ll turn it over to you. There’s a lot to unpack.
Rachel:
There’s a lot to unpack, which is great news, I should add, because it was reassuring to see stuff moving in this space, because not moving in this space is not an option. As one of the CSOs we quote in the report said, if you stand still, you’ll get left behind. So it was great to see things moving. What I would say is that there is a clear concentration in a small number of activities where adoption of AI is at its highest. And there is still room to grow, but it is at its highest. And so we see in the area of intelligence, security technology, perhaps unsurprisingly, threat detection, predictive analysis. Those are the areas where we see the highest adoption of AI. And I think we see that for a number of reasons. We see it because in those areas, the tools are now available. So it is possible. And in some cases, it’s been integrated into tools kind of almost whether you like it or not, which is, in some ways, the best and easiest way to go about technology change. So it is available. There is, I think, in those areas as well, dare I say, mostly a younger cohort of workers who sort of are more adaptable, are sort of more comfortable, more tech curious, more tech confident. And so I think for those reasons, it doesn’t surprise me that both because of the availability of the tools, the cohort of workforce that we’re talking about, the uptake has been was higher than I expected, still has a distance to travel, but I think we’re seeing some pretty decent uptake. What I think, you know, there are some areas where I think we’re kind of in the early to middle ground, where I think we will start to see uptake, let’s say, let’s cast ahead and you can hold me to this in the 2026 and 2027, and your CSO report. But I think over the next couple of years, we’ll start to see the curve going upwards quite quickly. And those are areas like incident management, investigations, executive protection, and so on and so forth, where at the moment we see quite low adoption of AI. 
I think largely because the tools aren’t necessarily always there. Although this is changing and perception is catching up of that. And I think, you know, you have, you both have a different sort of cohort of workers trying to use technology in that space. And one of the things I also notice in conversations with CSOs, sort of being an observer of industry discussions on this, is that in some of those spaces, CSOs are asking themselves, but how? They’re sort of curious about the tools, they’re starting to make inroads, but they’re really looking for use cases. They’re trying to understand, how are my peers in my sector using it? They want to get kind of quite concrete in some of the use cases. And so I think it’s, you know, we try to add that kind of stuff into our reports. I’ve seen other organizations do that really effectively as well. I think the more that we can kind of get down to details on AI, give case studies, give examples, I think that’s when I really see the penny dropping. It’s not that there’s a lack of willingness. It’s not that we’re dealing with a bunch of Luddites, but sometimes it’s just difficult to make the connect between the opportunities you’re hearing about and actually how you can put it into practice in reality.
28:06
Manish:
Completely agree. We only have a few minutes left, so just a couple of final questions. Again, in your survey, and we all have felt this, that security leaders feel like there’s a very low understanding of security as you get high up in the organization. So how do CSOs, and what did you uncover as a good best practice of CSOs that were able to communicate and bridge and really demonstrate value to the C-suite?
Rachel:
Well, I’ll give you a don’t and I’ll give you a do. How about that? So I’ll start with the don’t. And the don’t is, don’t try to educate the C-suite about security. Because it is not their job to understand the ins and outs of what you do. Their job is to run a big organization that’s complex, and they’ve got many, many, many different parts of the business to understand. So the challenge here isn’t educating the C-suite, and actually conversations I’m in with C-suite members, they’ve actually got a pretty sophisticated understanding of all of this to start with. I don’t think that’s the problem. The do, is do make yourself a really effective storyteller. And there might be some people listening to this who say, well, she’s really lost the plot now. What she wants me to kind of, you know, become a, what, what, you know, my job is to protect the company. Your job is to protect the company, but your job is to help others understand why it is to help others connect to your mission. It is to get a sense of urgency around what you do that then unlocks the resources to really do that effectively, that unlocks those partnerships. You don’t do that by showing people bar charts and pie charts. You know, nobody ever went into war off the back of a pie chart. They went into war and went behind that leader because they told a really good story about why and why we together can do this. And, you know, this is a technical skill. This is not something you’re born with. This is something that great leaders, great orators, great storytellers learn how to do. And guess what? It’s now an essential skill for the C-suite. You know, any business leader you’re trying to communicate with has done the work to become a good storyteller themselves. And I think, you know, it’s so important because it shifts the emphasis onto how you’re trying to communicate. And the really effective CSOs that I see in practice are great storytellers. 
And the reason that that matters is because they’re able to connect what they do with what other people do. They’re able to create a sense of emotional connection. And you think, well, what does emotion got to do with business? Well, actually, it’s got everything to do with business because it’s how, whether we like it or not, most of us make most of the decisions that we make every minute of every day. And so telling a good story, which is not a yarn about your previous military experience, it’s a carefully constructed story that conveys meaning that builds trust and ultimately then creates the influence you need to be an effective leader. You don’t get given a budget just because, you have to influence that and the way that it gets done in really complicated organizations where nobody’s got time, everybody’s got a million different things going on at any one time is through a story because that is the way that people remember. They absorb it, they connect with it, they retell it. So don’t educate the C-suite. That is not the answer. Create stories that convey to the C-suite your value, why they should trust you. And ultimately, that will be what brings you the influence you need.
Manish:
Very well said, Rachel. Thank you again for joining us today. Is there anything we missed that you think would be important to convey to our audience?
Rachel:
Well, I just wanted to close actually by thanking yourselves. Ontic was our platinum sponsor for this survey and our gold sponsors were ASIS International and Emergent Risk International. And I want to thank you all for being great thought leaders in the security community. The podcast is part of that, but you guys do so much else besides. And it’s really vital because the way that we grow as a community is by sharing ideas, creating data, having the conversation. So my closing words, I think, very aptly are thank you to Ontic for really spearheading so many important initiatives in our security community.
32:54
Manish:
Thank you, Rachel. And as is tradition here, we end every podcast with the question, what does Connected Intelligence mean to you?
Rachel:
Connected Intelligence, to me, that is intelligence. You can’t have intelligence without it having its tentacles out everywhere. It’s only effective when it is connected into so many different places. So intelligence without being connected is not intelligent.
Manish:
I love it. Thank you for joining us, Rachel.
Rachel:
Thank you for having me.
What you’ll learn
01 How security leaders can use storytelling to influence executives and secure resources
02 Practical strategies for building effective insider risk programs
03 Where CSOs are finding real value with AI today
More about our guest
Rachel Briggs is CEO of The Clarity Factory, which produces research, thought leadership and consultancy on corporate security and cyber security. She has advised dozens of multinational corporations, provides benchmarking services, and regularly briefs security leadership teams. She is the author of The Business Value of Corporate Security, co-author of The Business of Resilience, Holistic Security, and most recently authored The Clarity Factory Annual CSO Survey.
She is an Associate Fellow at Chatham House and a board member of the Risk and Security Management Forum (RSMF) and the Global Center on Cooperative Security. She was Founding Executive Director of Hostage US and the first Director of Hostage International.