FUDging the odds: Security as business enabler

Dave McMahon · Clairvoyance Cyber Corp. · Posted: September 22, 2020

Throughout my career, I have noticed that security is most often sold using Fear, Uncertainty and Doubt (FUD). However, security is viewed by executives as a sunk cost or an insurance policy based upon the balance of probability that something bad may happen. Threat-risk is difficult to quantify and is weighed against business risks, which are measured in dollars. As they say, “If it can’t be measured, it can’t be managed”. There is limited persuasive weight to FUD pitches, in the absence of a clear and present direct threat, or stringent and prescriptive regulations which hold corporate officers or public servants personally liable.

Rather, I have found that leading with security as a business enabler resonates more effectively with the C-suite. By this I mean articulating how security can help:

  • increase sales;
  • produce valuable business intelligence;
  • improve competitiveness;
  • derive process efficiencies; and
  • reduce costs and losses.

 

If successful, solving for compliance and threats are bonus features to your solution.  Here is an example.

A major Canadian company was subject to substantial capital-at-risk owing to fraud from organized crime, the misuse of services by clients, and deliberate cyber attacks by nation states. However, much of this was unseen and off the books. The case for enhanced security was solid but failed to get the attention of the C-Suite, who were consumed with more obvious business risks like operating costs, quarterly sales, competitive market pressures and pricing regulation.

I was able to get their attention only after I was able to demonstrate, with security instrumentation and concrete examples, where the company could save over a billion dollars, increase sales with market intelligence and recover a hundred million in fraud.   An interesting consideration was that security systems were able to detect misconfiguration, bad process flows, financial mismanagement and business inefficiencies on the way to looking for deliberate threats. They also helped management understand a lot more about the business.  Similarly, I used business intelligence systems, network health monitoring, call centres and financial monitoring to assist in security investigations.

So here are some ideas for pitching security as a business enabler:

 

Strategic Business Objective | Security Enabler | Example

Talent Acquisition and Retention

Enhanced security measures enable sound, evidence-based acquisition choices. Active vetting protects the health and safety of your staff, while thwarting infiltration. Continuous monitoring provides early warning of incidents, performance issues, accidental and deliberate threat behaviour, intellectual property theft and insider threat detection. Active security controls provide privacy by design and organizational resilience value.

  • Pre-hire screening
  • Indicators of potential adverse behavioural shifts
  • Infiltration indicators
  • Resume falsification
  • Inappropriate or non-professional on-line behaviour
  • Insider Threat detection
  • Protection of employee online health, safety, privacy and security by early detection of social media enumeration and pretexting
  • Inside sales and communications

 

 

Technology Enablement and Process Improvement

Multi-purpose business systems generate economies of scale and allow for cross-domain analysis. Solving the security challenge enables the business. Sensing, fusing and correlating big data across all business intelligence systems provides contextual narratives through visual analytics and an executive dashboard. The result is enhanced situational understanding of the business, real-time evidence-based decision support, and business process flow optimized by examining behavioural norms.

 

  • Integrated business intelligence and security systems
  • Real time data collection and analysis of network access and activities
  • Early detection of anomalies
  • Insider Threat detection
  • Executive dashboard
  • Big Data with AI/ML

 

 

Business Operations Service Delivery

Vulnerability analysis and threat risk assessment establish an asset inventory, make value and impact assessments, determine systemic weaknesses in the business and identify likely exposures from a wide spectrum of threats. A security practice which focuses on risk identification and mitigation will ensure resiliency, continuity and viability of the business by identifying efficacy issues, cost reduction, and cost recovery options.

  • Situational Analysis
  • Threat and Risk Assessments of internal and external challenges
  • Active, ongoing threat mitigation strategies
  • Business Continuity planning
  • Response and Recovery planning, testing, and execution
  • Net Revenue and profitability

 

Competitive Business Intelligence

Intelligence operations will identify malicious actors, competitors, partners, suppliers and clients as part of a continuously secured ecosystem.  Profit centre Scanning the global market for MARCOM threat intelligence.

Supply chain vulnerabilities

Business Intelligence methodologies will deliver unique and valuable insights, not achievable through traditional approaches. Lawful exploitation of data sources and individuals is increasingly a business imperative in a hyper-competitive, globalized environment.

Synergies can be achieved by amalgamating business intelligence, security systems and big data.

  • Upstream security information
  • Early threat detection
  • Business situational awareness
  • Optimized business opportunities
  • Early warning of competitive shifts
  • Regulatory and compliance insights
  • Global information coverage
  • Integrated information stream
  • Global Cyber Threat Intelligence
  • Cyber Threat Hunt and adversary pursuit

Risk Management

Integrated risk management framework for multi-order and cross-domain risk compliance audit and scorecard

  • Real time risk assessment data generation
  • Optimizing risk management and performance indicators
  • Cross-domain Accountability measurement
  • Automated audit reports
  • Converged security and privacy solutions
  • Active Cyber Defence and automation

Business Capture

Profitability, partnerships, coopetition, brand protection

Intelligence-led sales, qualitative business case, targeted messaging and marketing, influencers, power mapping

Innovation and Trends

Disruptive technology trending, Over-the-horizon risk and opportunity forecasting

Strategic Planning and innovation, capability development, threat foresighting

Brand Marketing and Communications

Influence activities, counter-narrative, data leakage, deception, message hijacking, impersonation

Measure message resonance and impact, enumerate vulnerable positing, social network and adversaries (identity and narrative). Social engineering protection

Strategic Business Planning

SWOT matching and converting

Application of formal risk mitigation process

Business transformation

Break down stovepipes and silos: confidentiality, integrity and availability; physical, personnel and cyber domains

Common attributes of confidentiality, integrity and availability. Code of conduct and business ethics.

Network, Supply Chain Management and critical dependencies

Interdependency contagion econometrics, geolocation, social semantic and connectivity, contagion of malware, toxic content and toxic assets

Counter-shaping

Supply Chain security (Availability, resiliency, reliability)

Recovery effectiveness

Partner risk assessment

Supply chain efficiencies

 

In a nutshell, security cannot be seen as ‘oh I guess we need it’.  It has to be an integral part of the business model.  The last thing anyone needs is for some breach to happen and everyone goes “Oh, fudge!”

Disclaimer: The views and opinions expressed in this blog post are those of the authors and do not necessarily reflect the official position of the Professional Development Institute of the University of Ottawa.


Dave McMahon has an honours degree in computer engineering from the Royal Military College of Canada and 35 years' experience in defence, security and intelligence. Dave was a CSO, COO to defence, telecommunications and intelligence organizations, co-chair of the Interdepartmental Committee on Information Warfare, expert witness to the Senate and special advisor to the Privacy Commissioner of Canada, and intelligence oversight and review. Dave is currently the Chair of the CADSI cyber council, and the CEO of Clairvoyance Cyber Corp.

The SET (Security, Economics and Technology) program within the University of Ottawa's Professional Development Institute (PDI) is a practitioner-based initiative where seasoned veterans in Canada's security intelligence and specialist communities share their experiences, their knowledge and their best practices.  The members of our teaching staff collectively have more than 200 years of day-to-day involvement in national security spheres and are well-placed to offer reflections on what they have learned.

As part of their contributions to our understanding of security, economics and technology, we are pleased to announce the inauguration of our weekly blog. You will read interesting takes on current events, all seen through the eyes of longstanding practitioners, and be able to learn from them. We would also like to hear what you think of our specialists' thoughts.

