The Cyber5 Podcast

LANDON: Welcome to “The Cyber 5,” where security experts and leaders answer five burning questions on one hot topic and actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation and cyber threat intelligence. I’m your host Landon Winkelvoss, co-founder of Nisos Managed Intelligence Company.

In this episode, I’m joined by guest moderator and Nisos Director for Product Marketing, Stephen Helm and our guest program coordinator for the intelligence project of the Belfer Center of Harvard University’s Kennedy School, Maria Robson. We discussed the evolution of intelligence roles in enterprise and the ultimate path for intelligence professionals. We discuss ethics in private sector intelligence teams and the role academia plays in fostering, not only ethics but also the professionalization of private sector intelligence positions. Maria also discusses insights into what proactive intelligence gathering capabilities tends to provide the most value to enterprise. Finally, she gives an overview of the Association of International Risk Intelligence professionals. Stay with us.

STEPHEN: Welcome to “The Cyber 5”, where industry experts and leaders answer five burning questions on one hot topic in cyber. I’m your host, Steven Helm, product marketing director at Nisos. With us today, we have Maria Robson, program coordinator at the Intelligence Project at Harvard’s Belfer Center. Maria, welcome, and thank you so much for joining us today. Would you mind sharing a little bit about your background to get us started?

MARIA: Thank you very much, Steven. It’s such a pleasure to be here. Thank you for everything you do on this podcast. I’m happy to share a bit about my background and then I look forward to the discussion with you. My current role is at the Intelligence Project. As you mentioned at the Harvard Kennedy School’s Belfer Center where we’re focused on building a future generation of policy makers and intelligence professionals and building a better understanding of intelligence both public and private sector. And the latter is my passion and my background. I was an intelligence analyst in the energy industry in Canada, and then I went back to academia to do a PhD on Public Private Intelligence Sharing. And my recent research has been focused on the professionalization of private sector intelligence.

STEPHEN: Excellent, thank you for sharing that. I’ve seen a lot of your writing really focused on sort of the evolution of intelligence roles within the enterprise. And that’s something I found very fascinating and you’ve really talked about intelligence evolving into a distinct profession. I’m curious why you see that as the ultimate path for intelligence and really what defines a distinct profession in your mind.

MARIA: It’s something that’s intrigued me for quite a while as I’ve watched, as you said, the evolution of intelligence particularly in the private sector but this is a discussion that’s been underway for government intelligence for the us intelligence community in Britain and in other countries around the world in terms of professionalizing of intelligence but especially in the US, there’s been a literature on what constitutes a profession and how do we advance it. And so I’m happy to get into the pros and cons of professionalization and why I do think it’s desirable to move along this path but ultimately there are five pillars of a profession. There is a shared identity, a code of ethics a body of knowledge, education and training and then ultimately certification and licensing.

So right off the bat, we can see there isn’t really an intelligence certification, there isn’t, there are a couple of certificates. There are certainly training programs out there but there isn’t one recognized established body of knowledge, feeding into certification licensing as an intelligence professional in the private sector or in the government, the way that we would see in codified professions such as medicine and law. And delving into the literature and professionalization and professions, you see that it’s not a dichotomy. It’s not, you are a professional, you aren’t a profession. It’s really a spectrum. And medicine and law are codified examples that took decades and decades to develop with now educational programs and established path.

You and I aren’t in the medical field but we know about the Hippocratic Oath. We know about the different specializations and certifications in licensing to be medical providers. And it’s a similar story in law. Whereas in intelligence, there’s such widespread variation. And what really intrigued me when I started studying it was I had seen different models when I was a practitioner. I realized that not every team worked the way mine did and certainly across countries, there’s variation, but within industries, within different groups you gather Intel professionals together, ask what you do and the answers are widely different. And the most interesting finding for me was asking people what their job titles were and there’s this shared identity that everybody is doing the same thing, but the job titles were all over the map.

I asked 126 people and got 99 answers. And so, going back to your question about professionalization, there are reasons to move along the path of codifying and having more established standards. And there still needs to be a lot of variation because the nature of intelligence is that it has to be dynamic. It has to be dependent on the needs of the decision maker to be effective. It isn’t one size fits all. And yet if we have 99 different job titles, it’s hard for people to find out about it. It’s hard for grad students to enter the profession.

It’s a challenge for HR to benchmark or for managers to build out these roles. And that’s one of the reasons that professionalization has been a goal for the community. There’s an organization called The Association Of International Risk Intelligence Professionals which is quite new. It was only established in 2015. That’s trying to help with developing a body of knowledge to have knowledge that isn’t passed from master to apprentice in the Crafter Guild Style, but is actually shared and openly available over time.

STEPHEN: I find it very interesting you bring up the medical profession and law and really as an example of sort of the direction we’re going. And obviously these are very ethically focused in professions, right? So it’s a very high watermark to achieve to have that level of ethical focus. I wonder, what about intelligence do you think necessitates that sort of focus on ethos?

MARIA: The ethical focus is key and that is something that I’m watching for in the intelligence space, which isn’t really there. There are some attempts at codes of conduct the organization I mentioned earlier, AIRIP does have a a code of ethics, but where we are now is that it’s very dependent on individual analysts or professionals to draw those ethical lines. And there isn’t a professional standard for them to point to, or to go to if they’re not sure if something’s appropriate or not. And so, one of the reasons that an ethical code is important and is necessary is intelligence in the private sector is by nature different from intelligence than the government in a few respects, a lot of it’s the same open source collection analysis, very, very similar.

However, when it comes to human intelligence, for example if you work for the Central Intelligence Agency you might be conducting covert operations, covert action, surveillance that is not appropriate in the private sector. And there are some legal restrictions already but there are murkier cases that have emerged over time where professionals move from the government to the private sector. And perhaps don’t take off the governmental entirely and might port over some practices that aren’t necessarily appropriate in the private sector. There was one case that ended up with the Department of Justice where a retailer company ended up with their security intelligence team, cyber stalking and then physically stalking and intimidating a couple who were saying negative things about them online.

And that’s an example where the behavior was unethical in some cases illegal but there was a young analyst who was profiled in the New York Times who was part of this case, who said she wasn’t sure whether or not this was appropriate but she had no frame of reference, it was her first job. And so she was assured that this was what they were supposed to be doing. So that goes back to your question about why should we have ethical standards? It’s for those types of situations, it’s for drawing the line of what might be acceptable in one context in the government context but not in the private sector. And then also for those who are learning the ropes and figuring out where the boundaries are.

STEPHEN: And you talked about this self protective guild system. This obviously has some challenges too for this ethical conversation, right? And how you can pass some of those best practices and knowledge, right? ‘Cause it’s sort of a limited relationship there. I wonder if you could talk a little about that apprenticeship process and why it’s so important in intelligence and maybe what some of the challenges there are.

MARIA: The apprenticeship and Guild process is something where I’ve faced some gentle pushback from those in the community who really like it. And there is a lot to be said for it. There’s a reason that it’s worked effectively over time in many disciplines because mentorship is key. And even in established professions such as medicine and law, of course mentorship is still key. So the Crafter Guild System relies on that type of mentor process in lieu of established standards and education and a body of knowledge. So the professional literature talks about knowledge being passed from hand to hand, passed orally as opposed to having a recognized physical body of knowledge.

So what I found when I conducted surveys of private sector intelligence professionals was the most common way into this space when I asked how did you get your job was through personal network. It was word of mouth in some way. And again, that’s common even in established professions but it was very pronounced in this field because there isn’t a recognized linear set of pathways in it’s all over the map. And what I found was I collected a second variable as to whether or not the individual I was speaking with had a government background whether it was intelligence, community military or law enforcement. And I mapped those two variables onto each other.

And there was a stark picture that developed which was that if you did have public service as background in some capacity then you were equally likely it was 42% each to have gotten in through personal network or just through a traditional job application and posting. And I filtered out those who’d had both who’d applied and then also known someone. It was, you didn’t know someone you applied directly versus you knew someone, so it was equal. It was 42% each. But without that government background the number who got into the job posting plummeted, is approximately 25 or 28% around there. And then the personal network rocketed up to about half of respondents.

So it makes a big difference. So the mentorship and the Crafter Guild structure it’s very effective for those who have that but it’s also only as good as the mentorship you’re getting. And so the one last point I’ll make on this even is that I often see newer entrance into the private sector intelligence space who see their team and know how they’re leader, their mentor, their master in the master/apprentice relationship envisions intelligence in the corporate environment. And so for them, that’s the world. And then when they get exposed to others they realize this is one model and there are 20 or 30 different models out there. And this isn’t the only way we could do it.

And so that benchmarking across meeting people expanding your network is key there but that’s something where the professionalization helps share more of that picture of here’s your model. And here are all the other models out there.

STEPHEN: How are you seeing the academic community really respond to some of these challenges? Obviously the intelligence functions are really sort of a virgin territory in many ways. Just curious how academia is approaching this and really where you see that going over the next five years or so.

MARIA: It is a dynamic space. There are some universities and I’m mostly familiar with the United States. However, I know this is happening in the UK and France and elsewhere that are recognizing private sector intelligence as something that should be included in curricula that should be worked into courses maybe having standalone courses. There are a couple of them I know across the US but there are some challenges with this. One of them is that there’s a lot of literature that purports to talk about private sector intelligence, but there’s a lot of conflation and terminology and nuances to this. So there is some literature that really just focuses on corporate espionage.

And if we look at it, it sounds as though everyone who’s conducting intelligence outside of government is spying on other people and digging through garbage and things like that. And digging up dirt or sending bloody pigs masks to couples who are critical of the company. As in that previous case I mentioned, and this does exist. And yet this is a small portion of the whole. So I think part of the role for academia is clarifying the different disciplines that are out there, the different types of applications of intelligence in the private sector, whether it’s competitive intelligence, which is actually collecting on competitor companies or if it’s more security and geopolitical focused, private sector intelligence which is not about your competitors.

In fact, in many cases, you’re talking to your competitors about mutual threats in the common operating environment. If you’re both working in Nigeria it doesn’t matter if you’re both energy companies that are working in the same area. If you’re both airlines who are vying for the same market, it’s in nobody’s interest to have employees kidnapped or terrorists targeting your operations. So that is fundamentally quite different from the competitive intelligence side. And I see those two conflated in the literature. And then last thing I would mention is that there is literature on government outsourcing on the Booz Allen Hamilton’s, the Lockheed Martins and so forth.

And those companies, if they’re focused on the government if they’re providing intel for the government then that’s actually more akin to government intelligence and private sector intelligence. It’s a different type of product, different type of support. So those are distinctions where I think academia can help. And there is a nascent literature on this but there’s a long way to go.

STEPHEN: We see many corporate intelligence responsibilities really seem to fall under the corporate security team today. I’m just curious, is that really where you see the role should go? Is that where intelligence should report to, or where do you think that jurisdiction of hierarchy should exist in the average enterprise, let’s say?

MARIA: The landscape on the ground is changing so rapidly here where in the 1990s it was almost exclusively corporate security. And now when I have surveyed professionals about this, I get 20 different answers in terms of where they fall within the corporate structure, within different business units. It could be in legal, it could be in HR. Security is very common and sometimes you’ll have a situation where security reports into legal or something like that. And it really affects the nature of intelligence and how it’s envisioned in the company. In my experience, if you’re within legal then there are parameters around or you can or can’t do that are very compliance, driven and focused and quite different than if you’re within operations.

And the focus is really on, okay, where are we going next? And how do we build out our operations and business or different questions around security of operations. So to answer your question, I believe that the vast majority of private sector intelligence focus is on security questions. It’s on the threat landscape, whether it’s civil unrest, terrorism, kidnapping, piracy, crime, other security questions, there are also insider threat programs and other really security focused questions within the company. However, another big part of this is geopolitics and then there’s also cyber, which is rapidly growing within companies and should be part of this as well. And certain teams have integrated that through fusion model, others are separate, but work closely.

One of the most effective models I’ve heard of was an airline that told me that during the Russian invasion of Ukraine the security intelligence team and the cyber team started writing joint products in a way they’d never had before started collaborating. So I think the answer is that most of the focus is on security. And also many of the professionals who are drawn to the space are drawn to it because they’re interested in the security and geopolitical questions. However, being within corporate security can be quite limiting. So the key is for the intelligence team to have the buy-in to have support, to engage more broadly on bigger geopolitical questions and also opportunity questions of supporting decision making to grow the business not just for tactical security questions.

STEPHEN: Yeah, you gave a great example there of an intelligence really function coming together, doing a bit of a fusion center as a reaction to a security concern. It seems like a lot of intelligence functions seem to be reactionary. I wonder what your thoughts are on the reactive nature of the building of an intelligence function and really what are the benefits of taking a more proactive approach if you’re within an enterprise?

MARIA: The benefits are huge. Often you can run into concerns from legal teams of outstripping your headlights and going beyond the request because there’s a liability concern that comes in. But to the extent possible intelligence team should be proactively anticipating threats before they hit. And the teams that I’ve seen do this most effectively recently were the ones that for example were watching Russian activity on the border with Ukraine and alerted their executives to the potential before the invasion took place to the potential that this could happen so that the company could ask questions such as who are our employees in Ukraine?

Do we have employees who are working remotely and we don’t know where they are and we should determine whether they are in that area or what are our supply chain vulnerabilities? Do we have assets and operations? Do we have business partnerships in Ukraine? So the really effective teams were asking those questions before Russian boots entered Ukrainian territory. And that’s an example where the executives weren’t necessarily asking those questions. So if you have a reactive model, then the team would be waiting for an intel request. But what often happens in the private sector is that you have stakeholders who are thrilled when they receive intelligence, it’s valuable to them but they don’t necessarily know to ask the questions.

So the intel team has to be proactively scanning the threat environment for questions, for potential hazards that could impact the company before they do the other element of your question in terms of being reactive is that the creation of these teams is often reactive. And I found that a quarter of intel teams from the practitioners I surveyed had been created due to a threat or crisis. And that is certainly not the ideal, but that is all too often the reality and some of the best teams came out of a crisis. And a positive note on that at least is that a lot of that is learning from others’ experiences is not necessarily a crisis that hit the company directly but it could be a near miss, or it could be speaking with others and realizing this is gonna happen to us next if we don’t build out this capacity.

STEPHEN: Across industry sharing would be one of the impacts there potentially like that would motivate them to build a practice if one of their competitors let’s say in the space is what you’re suggesting.

MARIA: Absolutely.

STEPHEN: Yeah, so you talked a little bit about the Association of International Risk Intelligence Professionals and you’ve worked on this process of standards and codes of conduct. Tell me a little bit about the the organization and what that process has been like.

MARIA: It’s a wonderful organization. In my view, I have to declare my conflict that I have been part of it since the beginning and I am on the board now, but I wasn’t when it started and was founded again only in 2015 but it has been rapidly expanding in terms of membership and attempting to build out more knowledge and standards of intelligence, what it looks like in the private sector, where the boundaries are. And we recently developed a knowledge structure that is built off the intelligence cycle but tailored to the private sector. So what does direction look like for intelligence in the private sector? What does collection look like for intelligence in the private sector?

And part of the focus is again building out that knowledge over time. But one of the real benefits that I’ve seen is people who don’t have that traditional government background to come across AIRIP and then have it expand their horizons. I was speaking with the young analyst who was hired into a global security operations center within an intelligence consultancy. So she’s one of those individuals I was alluding to who don’t necessarily have access to the bigger landscape. And AIRIP was her gateway into that. Where now she’s been able to meet others who have very different types of teams and thought through what her career progression could look like and the bigger picture of intelligence in the private sector.

STEPHEN: Maria, thank you so much for joining us today. This has been a fascinating conversation. We’ve loved having you. Hopefully, we’ll have you on again some time. Thank you for spending the time with us today.

LANDON: For the latest subject matter expertise around managed intelligence, please visit us at nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to conduct some of the world’s most challenging security problems on the digital plane and conduct high stakes security investigations without the value the team provides day in, day out, this podcast would not be possible, thank you for listening.