CIOs are busy, we all know that. Busy is bad because it can lead to a reactive mindset, which puts us on the defensive. People on the defensive are under pressure, and as physics teaches us, pressure leads to material failure.
So how can CIOs move from a reactive to a proactive footing, and in so doing reduce organisational risk? The unlikely answer lies with military strategy.
In order to avoid the development of a reactive and defensive mindset, modern militaries have established various principles. These include “offensive action” (UK); “high combat readiness” and “aggressiveness and decisiveness” (United States); “offensive” (Russia); and “initiative and flexibility” (China).
To apply these principles, all modern militaries must have access to actionable “intelligence”. Without this, strategy becomes little more than a gamble, with troops stumbling around whilst their commanders cross their fingers and hope for success.
The intelligence cycle
Military theorists have developed various approaches to generate this intelligence – the most widely practiced of which is known as the “intelligence cycle”. This concept enables all levels of a military organisation to identify, collect and assess information, and then disseminate the intelligence output to those who require it.
The intelligence cycle can be reduced to five key stages: direction and planning, collection, processing and exploitation, analysis and production, and dissemination and integration.
Any CIO worth their salt will recognise that they own several of these stages. They understand the full corporate data landscape, and what can be processed in order to create information, as well as which clued-up professionals can draw conclusions as to its meaning, driving action.
If a challenge exists, more often than not it will lie in identifying and activating the disparate datasets across the organisation, so they can be analysed to produce actionable intelligence.
These datasets and information sources are legion in the corporate environment. They range from email platforms to physical security systems, and even traffic logs. They could also be complemented by open source data available on the world wide web – whether these are from open (e.g. news sites), closed (e.g. password-protected forums and groups), or ‘dark’ (e.g. The Onion Router) sources.
Effectively identified, collected, exploited, analysed and distributed, these datasets should enable the CIO to better profile evolving corporate risks – as well as enable appropriate proactive measures and countermeasures to protect the environment.
Proactive measures might involve engagement with customers, staff or contractors to change service delivery. They might involve commissioning legal services to enact site takedowns in foreign jurisdictions, or perhaps engaging vendor marketplaces to remove unauthorised or grey goods. All of these actions reflect an intelligence-led approach, where CIOs are the orchestrators of positive action, like their battlefield counterparts.
We only need to look at insider threats to see how well the intelligence cycle can work in practice. When we stitch together and analyse different data sets, they can indicate which personnel represent a particular risk.
These data sets might include physical access control logs (who is arriving early and leaving late), intranet traffic logs (who is accessing what information), email traffic logs (who is communicating with whom), and social media feeds (what staff are talking about in locations associated with the organisation).
The CIO identifies the insider threat as a risk and directs that data be collected from a selection of sources, as above. The data, triaged against a set of rules to sort the wheat from the chaff, is transformed into information from which the human analyst can draw conclusions and then take appropriate management action.
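The collect-and-triage step described above, as an added sketch that is not from the original article: three of the named log sources are joined per user and checked against a small rule set, leaving a short list for the human analyst. The records are constructed, and the field layouts, thresholds, business-area mapping and two-rule cutoff are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data), one list per source.
DOOR_LOG = [  # physical access control: (user, ISO timestamp, direction)
    ("asmith", "2024-03-04T05:12:00", "in"),
    ("asmith", "2024-03-04T23:40:00", "out"),
    ("bjones", "2024-03-04T08:55:00", "in"),
    ("bjones", "2024-03-04T17:30:00", "out"),
]
INTRANET_LOG = [  # intranet traffic: (user, resource path)
    ("asmith", "/finance/payroll/export.csv"),
    ("asmith", "/hr/contracts/index"),
    ("bjones", "/engineering/wiki/home"),
]
EMAIL_LOG = [  # email traffic: (sender, recipient, attachment bytes)
    ("asmith", "a.smith@personal.example", 48_000_000),
    ("bjones", "carol@corp.example", 12_000),
]
HOME_AREA = {"asmith": "engineering", "bjones": "engineering"}  # assumed HR mapping
CORP_DOMAIN = "corp.example"   # assumed corporate mail domain
MAX_EXTERNAL_BYTES = 10_000_000  # assumed attachment threshold


def triage(door, intranet, email, min_rules=2):
    """Return {user: [rule names]} for users matching at least min_rules rules."""
    hits = defaultdict(set)
    for user, ts, _direction in door:
        hour = datetime.fromisoformat(ts).hour
        if hour < 6 or hour >= 22:  # assumed definition of out-of-hours
            hits[user].add("out-of-hours site access")
    for user, path in intranet:
        area = path.strip("/").split("/")[0]
        if area != HOME_AREA.get(user):
            hits[user].add("access outside own business area")
    for sender, rcpt, size in email:
        external = not rcpt.endswith("@" + CORP_DOMAIN)
        if external and size > MAX_EXTERNAL_BYTES:
            hits[sender].add("large attachment to external address")
    # A single rule hit is chaff; require corroboration across sources.
    return {u: sorted(h) for u, h in hits.items() if len(h) >= min_rules}


if __name__ == "__main__":
    for user, rules in triage(DOOR_LOG, INTRANET_LOG, EMAIL_LOG).items():
        print(user, "->", "; ".join(rules))
```

The output is a lead for review, not a verdict: the rules only narrow the data to the few records a human analyst should look at.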
CIOs are responsible for the lifeblood of their organisation – its data. It’s time they embraced their position at the centre of things and began using this information more intelligently to assess risk and reduce threats.
By taking a leaf out of the military playbook, not only will they be able to achieve this, but they will also drive the business forward with a more agile, proactive approach whilst cementing their position at the heart of the organisation.
Sourced from Guy Montgomery, chairman, Centient