Three-dimensional chess is an apt analogy for the mental contortions the CEO of a multinational company must endure when contemplating risks to the enterprise. The variants of this game, played out in real life, involve global time zones, shifting business alliances, natural disasters and climatic events, geopolitical upheaval, and of course the eternal push and pull of market forces and competition.
Security becomes a relative term when considered in this context. From the perspective of the CEO, the definition of security is whatever “safeguards” business operations and preserves corporate health. It is a much more inclusive term from the top, and the more a corporate CSO understands and relates to this, the better. This is particularly true in lean times, when corporate layoffs are commonplace and there is no end in sight to a raging bear market. Preservation, indeed, becomes the priority.
Don’t fly blind
A company without a good intelligence collection and analysis capability is flying blind. Good intelligence means the ability to translate and sort the multiplicity of business data into actionable information. It must be good enough to cut through complexity and present the executive with a simple decision point for execution before, and not after, a risk event. This iterative process should be repeatable, reliable, and fast. Ultimately, the goal of business intelligence is to examine all manner of threats to the enterprise and assess each in turn in a way that gives the CEO the ability to anticipate and predict risk as it is rising, not after the fact.
Risk mitigation does not have to be costly. We have seen the cost savings that a company can realize by adopting preventative measures in advance of entirely predictable problems. Unfortunately, the “cost-savings” message frequently gets lost in translation – either due to layers of company bureaucracy that cloud the message or solutions that are ineffectively represented in the boardroom. Security, which has a notorious reputation as a cost center [even when it is not], typically does not go to the top of the list of priorities unless an incident happens. Reflection and spending after the fact is like closing and locking the barn door after the horses have bolted.
So how can this knee-jerk cycle be avoided?
With good timing and the ability to act, where possible, before an incident, whether it is a security event or a sudden shift in the market. It is about making your own luck. As a CEO develops business policy initiatives and strategy, having a good intelligence capability in-house ensures that the corporate executive is not blindsided in complex business negotiations and knows when to be aggressive and when to withdraw or hold. A security program that incorporates an intelligence capability makes “securing the business” much more comprehensive and inclusive. Security becomes a part of addressing the business risks to the corporation, both inside and out. Most of these risks do not arise in a security context, but rather in the course of business.
Elements of a good intelligence capability include:
- Identifying competitors’ strategies and initiatives to capture more market share by taking advantage of volatility in pricing or the supply chain
- Identifying the right data to predict volatility patterns and indicators to mitigate losses and capitalize on gains
- Spotting and evaluating deteriorating security situations inside countries where the organization has business interests
Timing is crucial
An intelligence capability itself is useless without the ability to reliably detect, weigh and alert on specific shifts in risk. How the alert function is designed is crucial, because it is the bridge between analysis and execution. Alerts can fail to do their job properly in two ways: inadequate threat intelligence that lacks sufficient supporting data, or too much raw threat data that goes unfiltered. This can happen when an intelligence capability is either outsourced to a vendor who churns out anodyne strategic analysis that lacks specificity, or developed around a cadre of analysts who look almost exclusively at tactical updates without the benefit of context. In the former case, alerts do not happen because there is insufficient granularity to detect and weigh. In the latter case, alerts are ignored because there is so much tactical “noise” that alerts become meaningless. In both cases, the oft-cited “failure of intelligence” is in fact a failure of well-timed and equipped executive action due to an inadequate alerting function in the system.
Overcoming this challenge requires one thing: a finely tuned, iterative and self-sustaining risk analysis function that can capably pull in and process large, disparate streams of relevant data, align them with strategic analysis and put it all into actionable context. bSMART Analytics™ addresses this head on and mitigates the first failure of intelligence. It also provides the all-important “filtering” needed to sort the wheat from the chaff, and ensures that alerts are raised for events rising to critical levels rather than in reaction to unsupported spikes in “noise.” Having a well-designed risk engine such as bSMART Risk™ that sits astride one’s business intelligence and risk program can ensure that the CEO’s daily decisions for the enterprise are consistent, focused and well-timed. In our fluid, ever-changing world, this capability is critical.