Liferaft Blog | Resources for Corporate Security

10 Ways to Supercharge Your Threat Intelligence Program

Written by Liferaft | January 28, 2022

 

At LifeRaft, we know from talking with hundreds of security professionals that many organizations have tasked their threat intelligence programs with a growing mandate.

Not only are analysts responsible for physical security. Increasingly, companies now count on these teams to safeguard intellectual property, monitor for data leaks, and ensure business continuity. 

Unfortunately, security leaders often fail to secure the resources they need to support this mandate. In the worst-case scenario, teams may find themselves siloed — prevented from expanding their function within the organization. 

So what’s the answer?

In a recent webinar, our very own Chief Growth Officer Mary Jane Leslie hosted a panel to explore how teams can establish, grow, and future-proof their intelligence function in the private sector.

She was joined by Ryan Long and Michael Mallard, co-hosts of The Business of Intelligence podcast. Phil Harris, co-founder and Chairman of Topo.ai, also joined the discussion. 

The key takeaway for attendees: Run your department like a business. 

Security leaders in the private sector can’t afford to take a passive attitude and wait for directions from leadership. 

Instead, they must adopt the mentality of a consultancy or advisory firm to seek out opportunities and position their department within their organization. 

But what does this look like exactly? 

Here are the 10 tips our panelists suggested to take your threat intelligence program from good to great.

 

 

1) Stop spreading your resources too thin 

Few companies have the resources to offer everything to everyone. Instead, most successful small businesses try to zero in on a small, profitable corner of the market and focus exclusively on that. 

  • Whole Foods targets only high-end shoppers by offering top-quality, organic foods. 
  • Etsy carved out a space in the highly competitive world of eCommerce by focusing on crafts and vintage goods. 
  • Tractor Supply Company competes against big-box hardware chains by catering to a niche clientele of farmers, ranchers, and rural homeowners. 

The same lesson applies to a resource-strapped intelligence team. 

Analysts, by their very nature, want to know everything about everything. That often leads to reports and analysis about many broad trends happening in the world — even if it doesn’t have much to do with the organization’s mission or operations.  


“Intelligence teams often make the mistake of trying to do everything,” Mallard explains. “But if you try to do everything well, you end up doing nothing well.” 

The solution? Mallard outlines what he calls the ‘Three-to-Five Rule.’

Go to every relevant stakeholder in your organization. Then identify their top three to five challenges. From there, you want to laser focus your team’s resources on those priorities.

Maybe your organization operates in far-flung locations with perhaps terrorism, executive travel, and employee safety is top of mind. 

Or maybe your company is more concerned about fraud, inventory theft, and organized crime. 

Regardless of specific priorities, zeroing in on these specific challenges will allow your team to stretch limited resources. And more importantly, this approach allows you to start creating value that your colleagues really care about. 

“Of course, teams are going to have to do some ad hoc contingency. Emergency things will pop up.” Mallard explains. “But it’s really important to zero in on the three to five things that the organization values most. That builds credibility.”

 

2) Aim for quick, small wins

Do you know one of the biggest challenges consumer businesses face? Getting existing customers, who have already parted ways with their hard-earned money, to actually use their product. 

Why is this such a big problem?

Customers that don’t use a product don’t purchase add-ons and upsells. They don’t refer new business by telling their friends and family. Or worst of all, they start showing up at stores requesting refunds. 

For this reason, business owners have started to appreciate the value of ‘small wins.’ 

If they can generate some immediate results, no matter how small, customers will continue using the product or service. And ultimately, this means higher customer satisfaction, longer-lasting relationships, more referral business, and fewer refunds.

Or perhaps most importantly of all, more money in the company’s pocket. 

Analysts can apply the same principle when building out their function in a private-sector organization. 

During the early stages of building a new intelligence program, you need to gain the trust of other stakeholders in your organization. And the fastest way you build trust is by generating quick wins. 

Here’s the thing: these accomplishments don’t need to be a grand slam home run. Even a small accomplishment can go a long way towards building credibility within your company.

“If you’re dealing with travel security, you build a relationship with corporate travel,” Mallard explains. “Even if it’s an executive going on a trip. Sometimes as little as finding a great restaurant. Or recommending they don’t take taxis there. These little victories get other stakeholders in the organization thinking, ‘Okay, maybe there’s some value in having an intelligence team.’

And with that trust established, analysts can become a go-to resource or advisor for future endeavors.

 

3) “Market” your intelligence services

As a best practice, you should strive to have direct conversations with the end-users. But for any number of reasons, that type of contact might not be possible. 

That creates a problem for analysts.

In these situations, it’s tough to determine exactly what type of intelligence a client may find useful. 

How can you create a valued product if you can’t ask a client what they would find valuable?

Long provides a suggestion: you need to learn to ‘market’ your intelligence services.

Take a shot in the dark and create a report on spec. See if you can produce something of value for customers.

In a sense, these reports amount to marketing materials. They give users a sense of what kind of value and intelligence your team can provide the organization.

So what type of intelligence should analysts produce in such situations? 


Long provides three suggestions:

1. Products that provide early warning to looming threats 

2. Products that can help you create demand for intelligence services

3. Products that demonstrate the breadth of expertise within your function

Early warning represents a core function of threat intelligence. And it probably serves as a good starting point for analysts and teams. 

“I can’t think of an organization that would not appreciate that when you think of potential business disruptions to operations, people, meetings, events, and facilities,” Long explains. “Anything that is timely, relevant, and actionable, whether it’s a situation report in the form of an email or maybe it’s a robust assessment, those are some good products to start off with.” 

Such reports may or may not answer the most important questions business leaders want to answer. But they can kick start a conversation. 

And through that feedback, you can begin to really dial into exactly what type of intelligence will create the most value for the organization.  

4) Understand how stakeholders perceive your department

What do doctors, lawyers, and stockbrokers have in common? 

Customers have all sorts of opinions and beliefs about these professions. Some of these may be positive or negative. Some may be accurate or inaccurate. 

Regardless, it’s critical for any service provider in these fields to understand how prospects might perceive them. 

If not, any marketing messages to prospective customers could fall flat. 

Or customers may have wildly inaccurate views about the results a practitioner can realistically provide. 

The same problem pops up in the world of security. 

Many intelligence analysts come from a military or law enforcement background. In those organizations, you can reasonably assume end-users understand the value of intelligence and what type of reporting best suits their needs. 

That assumption, however, rarely applies in the private sector. Clients may hold all sorts of false beliefs about your role and department. 

Some may view intelligence as a glorified news service. Others envision your peers as James Bond-like agents, schmoozing with people in exotic countries with a beverage in hand. 

As a result, end-users in the private sector rarely understand the real limits and capabilities of an intelligence team. 

So what’s the answer? It pays to proactively build relationships with key stakeholders in your organization.

  • Take a colleague out for lunch. 
  • Work the room at the office Christmas party. 
  • Deliver a presentation at a company town hall.

By getting away from the computer and having conversations with the people in the office, colleagues will develop a better sense of your role and responsibilities. 

And in the future, that makes it more likely that they will seek you out to discuss problems and opportunities. 

 

5) Demonstrate ROI to senior leadership

Here’s an unfortunate reality of the modern security profession in the private sector: you’re perceived as a cost center by those that control the P&L statement. A necessary expense they reluctantly have to pay to keep the place going. 

That creates a big problem for the leader of any intelligence team. 

Executives in Corporate America have a responsibility to investors to slash their expenses to the absolute minimum. 

For you, that means not having enough budget to hire the best people, buy the best technologies, and, ultimately, provide the best service for your organization.

So how do you address this challenge?

Generally, security leaders think their sole mandate is to keep people safe and ‘make nothing happen.’ That’s often especially true for those with a background in the public sector.

But your team can go beyond this function. Intelligence has an incredible, and often underappreciated, ability to help a business wring costs out of their operations.

If you can demonstrate to management that every $1.00 spent on intelligence saves the organization $2.00 in operating expenses, you transform the security department from a cost center into an investment opportunity. 

And with that comes the budget and resources to supercharge your threat intelligence program. 

“I think the first thing to recognize is that corporations have a different motive than government,” explains Phil Harris. 

“The profit motive is the prevailing motive. There are other agendas, priorities. [But] this support function has the ability to drive down cost and that really affects profitability.”

So how can security teams start this transition?

“Meet with the business unit owners and understand what is costing them money or what are the issues that they are facing – whether it’s their workforce, whether it’s their supply chain, whether it’s extreme weather impacts, or whatever it might be,” Harris says. 

“Understand what is really hurting them and then how you as a professional can align your program and activities to support the mitigation of those risks.” 

 

6) Retention is critical

Retention represents a critical but often overlooked part of an intelligence team’s success. 

It’s hard to build out your threat intelligence program with employees leaving your organization or transferring to different jobs within the company. 

And if you oversee a small department, the loss of one or two members can be especially devastating. 

Furthermore, recruiting and training replacements require a lot of time from your other team members. 

Time and resources that can’t be spent  analyzing data, monitoring for threats, and accomplishing the mission of your organization. 

And if this problem hasn’t bitten you yet, it will likely become a bigger headache in 2022 and beyond. 

As the economy reopens from the COVID pandemic, workers have started to quit their jobs in record numbers. Tenured employees, chasing higher salaries at competing firms, have also started to leave thanks to a tight labor market.

For security leaders, this means taking off your intelligence analyst cap and to start thinking like a human resources manager.

You need to brainstorm ways to bring team members along with your strategic plan. Because at the end of the day, they’re going to be the engine that makes it happen. 

“Just keep finding ways to keep people motivated. Provide incentives. Show them a glide path within the team.” Mallard explains. “Occasionally you have to bite the bullet and you kind of help guide them to a parallel team where they can get some well-rounded strength. [Do that] with a plan [of] getting them back in.”

 

7) Tailor your product to each customer

Ford allows customers to design their own vehicles. Nike lets you create your exact shoe made to order. Blue Apron allows buyers to select customized meal plans based on their dietary preferences. 

Why do businesses go to such lengths to create a unique experience for every customer?

Because it works. 

The days of mass production, one-size-fits-all have come to an end. Today, customers expect customized experiences and products that cater to their specific needs. 

And increasingly, customization represents an essential practice just to survive. Business owners that can’t adapt will not last long in this new reality.

The same principle applies to your threat intelligence program.

Executives don’t want a generic report they can grab from any risk intelligence company. They’re paying you to provide specific advice and commentary that caters to their mission.

“Say a client is going to Mexico,” Mallard suggests in one example. “You don’t provide them with an overview of Mexican security. You figure out the kind of trip for where they’re going and give them practical advice for what they’re doing. That way they realize this is custom made for them.”

Understanding the culture of your organization will go a long way towards tailoring the right product for end-users. 

Does your organization take a proactive stance to risk management? Then senior executives will appreciate warning alerts and reports of emerging trends on the horizon. 

Does your business operate with more of a reactive approach? Then incidents will happen and you should invest more resources in business continuity and resilience. 

The philosophy of customization applies to how information is delivered, too. 

Some customers don’t want to read emails. Some don’t even check their inbox. 

Some people want to get information over the phone or in person. Then they want to ask a series of follow-up questions.

Some end-users want a 20-page report with as many details as possible. Others might want a few key bullet points with a graphic or two. 

But the single best way to provide outstanding value to clients: study and anticipate upcoming challenges and opportunities. 

This requires doing a deep dive into your department, company, and industry. Try to get ahead of where your leadership team will need to be. 

If you have answers ready before customers even ask them, you can make a serious impression upon senior leadership and demonstrate the value of a threat intelligence program. 

 

8) Master the rule of 80/20

In any industry, 20% of the activities generate 80% of the profits. 

Smart companies, therefore, focus all of their efforts on the highest-margin parts of the supply chain. Then they ruthlessly outsource operations, leaving the grunt work to others. 

For example:

  • Coca-Cola makes most of its money selling syrup. It outsources the job of production and shipping to bottlers. 
  • Apple doesn’t manufacture most of its electronics. It focuses on the best part of the technology business — designing, licensing, and retailing devices. 
  • Owning a restaurant represents a capital-intensive, low-margin business. So McDonald’s chooses to only own the lucrative real estate beneath stores and lets franchisees actually run most locations.
 

The same rule applies to the intelligence community. 

On almost any team, 20% of their activities generate 80% of the value for business leaders. 

The question is, which activities fall into this high-value category? And perhaps more importantly, which activities are just a waste of time?

Both Long and Mallard offer a surprising solution to this puzzle: just stop doing things!

Intelligence teams get caught up in the grind of producing daily or weekly reports. And these ongoing tasks can suck up an enormous amount of time and resources. 

But all too often, our intended audience doesn’t derive much value from this on-going intelligence. And in a surprising number of cases, they might not be reading these reports at all. 

By quitting these projects cold turkey, security leaders can determine whether or not end-users actually value your product. 

Did your missed deadline cause an uproar among senior management and other stakeholders?

Great news! This analysis delivers enormous value to readers.

Did anyone in the organization even notice?

This outcome isn’t necessarily a bad thing. Obviously, this deliverable represented the 80% of your grunt work that created little value for your organization. 

By cutting this report out of your workflow, you can reallocate team members to more productive activities. 

 

9) Be more than an ‘analyst’

One of my favorite business coaches, Austin L. Church, offers a great piece of advice for freelancers looking to supercharge their incomes. 

Most contractors see themselves as commodity service providers. And thanks to growing competition worldwide, they face a race to the bottom in terms of wages.

In response, Church says freelancers have to do more than just exchange time for money. They have to position themselves as business advisors, helping clients research, organize, and execute on new initiatives.

An ambitious analyst may want to take a page out of Church’s playbook.

All too often, teams pigeonhole themselves into the job of producing intelligence reports or commentary. But all too often, that job description results from thinking small. 

Be a facilitator. Be a risk advisor. Be an information broker. Be a connector. 

“Most of all, be an alignment expert,” explains Long. “There are days when I definitely feel like my job is that of Chief Alignment Officer; just trying to get everyone on the same page.”

The upside of this approach?

By tapping into these higher-level functions, analysts can stand out from the competition, charge a premium for their services, and position themselves to take on more responsibility in an organization. 

Additionally, such higher-level functions are more difficult to cut, outsource, or replace. That can cement an intelligence team’s position in a company even through a downturn. 

 

10) Learn how to select the right vendors

You don’t need to be an intelligence analyst to see that the world is drowning in information.

Users upload terabytes of data to the web each day. Never mind the mountains of information that teams can access from brokers or private data banks.

This means security leaders increasingly need to rely on third-party software to collect, normalize, and analyze information. 

And given the large investments these purchases can represent, the ability for security leaders to pick the right technology represents a key factor in the success of a threat intelligence program. 

So what type of traits should teams look for in a vendor? 

The panel offers a few suggestions:

  • Minimal onboarding. Look for solutions that can be integrated with existing systems, serve multiple functions, or have an intuitive user interface. This minimizes the amount of time and money your organization will have to spend on training staff members to learn a new product.
  • Serves multiple departments. Can other departments in your organization use a particular piece of software? If so, this can be used to build a coalition of advocates around you when it comes time to pitch your request to decision-makers. 
  • Specialization. Be skeptical of vendors that claim to be ‘best-in-class’ of every function within the intelligence cycle. Instead, it usually makes more sense to partner with the top players in each specific service across the continuum, whether it be data feeds, visualizations, workflows, or crisis communications.
  • Interoperability. It’s no longer enough for purchases to ask vendors if their products integrate with existing systems. Businesses need to ask how a particular software package will integrate and connect. Any good vendor will want to understand what it is that you’re trying to integrate and why this needs to be done to ensure smooth onboarding. 
  • Good business partners. Purchasers also want to consider whether a company deals fairly and wants to be a good business partner. Do they nickel and dime customers at every turn? Do they hide hidden charges in their fee structure? Do they charge outrageous prices for on-boarding? Do they provide reliable customer service? It makes sense to reach out to your peers in the industry to get the real scoop on a vendor’s business practices. 

 

The Bottom Line for Security Leaders

The key takeaway for attendees: run your department with the same mentality as a private risk advisory or consultancy service. 

“How are you going to create long-term demand for your services within your business?” Long asks attendees to consider. “What service offerings are you going to provide? Where would you like to expand those service offerings? How are you going to market those services? What’s the competition? Who’s the competition?” 

Adopting such an approach can allow you to better position your intelligence function with an organization. 

And over time, that can mean getting stakeholders on board with future projects and getting the resources you need to tackle a growing mandate.