Is there a winning formula when it comes to both engaging the board about the espionage threat and then gaining commitment for investment into countermeasures? Emma Shaw, Managing Director of Esoteric Ltd, a specialist in counter-espionage solutions, offers her advice based on first-hand experience of influencing the C-Suite, while also offering insight into how the coronavirus pandemic has shifted risk appetite.
Emma Shaw, Managing Director of Esoteric
Mention espionage and the potential loss of information as a security threat to a CEO, and you usually get their attention. But if you’re a security professional who then outlines the investment and resource needed to counter the threat, you may well have experienced a very different reaction and struggled to secure the buy-in that you need to ensure adequate mitigation and protection.
Espionage is a threat to any organisation which has something of potential value to an adversary. Whether the adversary is a hostile state looking to advance their own economic agenda, a competitor wishing to build competitive advantage, or an organised criminal or rogue insider looking to financially benefit, getting covert access to sensitive information and assets is the adversary’s objective and the means of doing so is what security professionals have to assess and, ultimately, counter.
The pandemic has shown us that while there was certainly a quieter period in the initial months of the global lockdown in terms of espionage incidents, activity quickly ramped up when threat actors took advantage of the situation by placing their sights on newly valuable information and exploiting developing vulnerabilities.
Of course, one of those vulnerabilities was the diverted focus of much of the world to the pandemic itself, rather than security. A perfect example of espionage activity during the pandemic has been the Covid vaccine programme with reports of vaccine research and the supply chain being attacked, and the flooding of disinformation. Threat actors shifted to cyber techniques as we locked down, however, while the cyber threat has increased exponentially as digitisation has also accelerated, adversaries are still employing techniques such as social engineering and breaching physical and technical security barriers to gain access to what they seek.
It is this holistic view of the espionage risk which fuels the need to implement holistic countermeasures to effectively mitigate in a proactive, rather than reactive, way.
While the espionage risk is one which security professionals see and understand, it is not uncommon to encounter scepticism or a lack of buy-in from the company board on proactive countermeasures. While, positively, the representation of CISOs and CSOs is growing and strategic alignment between CIO, CISO and CSO is increasing, there can be difficulty in pushing counter-espionage up the board agenda. The key to securing that buy-in lies in how the security function briefs and communicates.
All too often, the security function is simply viewed as a value-protector, instead of a value-adder or business-enabler. A common scenario is that the the security team analyse the threat, the risks are outlined and calculated, protection measures are researched and the board are asked for a functional purchase decision. Context can be missing, which then leads to a perception that security is simply a cost centre, or the background is overly detailed in the effort to help the C-Suite gain an understanding of complexities, which it simply doesn’t need – that’s the knowledge that they trust the security function to have.
The raison d’être of the C-Suite is to lead and ultimately define the winning strategy for an organisation. Their priorities are ensuring competitiveness and compliance, and consistently adding value. Procurement is a strategic decision, not a functional one. So, what they really want to hear is how a security investment is going to ultimately help the business and if there will be a good Return On Investment (ROI).
In relation to the espionage threat, there is growing awareness by many boards of the potential risks and impact. The increasing scale of cyberattacks, documented espionage cases involving trusted and rogue insiders selling information to competitors or foreign state, and reports of growing hostile-state activity towards the UK by China, Russia and Iran are all reported daily.
If directors have multiple roles and responsibilities across companies, they will often have had some first-hand experience and knowledge of espionage and eavesdropping attacks. The personal liability and responsibility of directors themselves helps to sharpen the focus, as the need to ensure and maintain good security practices are often a legal requirement.
When briefing boards and directors in non-CNI organisations on the espionage threat, I often start by striving to bring strategic context. For an organisation that is a leader in its field, a loss of competitive advantage such as the theft of a trade secret or intellectual property is a major concern. For a legal firm, maintaining client confidentiality and privacy is likely the key driver, while for an organisation navigating a merger or acquisition there is a need to keep such strategic decisions within the inner circle.
Building a business case for proactive espionage threat mitigation should focus on providing context, outlining the risks to company assets in strategic terms and the potential impact to the organisation, to thus demonstrate how the investment will deliver ROI. While espionage is inherently ‘under the radar’, there are many publicly available examples of the impact and damage caused when you look for them, and don’t be afraid to tap into your security network: trusted colleagues may be more helpful than you think.
In summary, espionage is a reality and the most effective way to combat is a holistic, proactive threat mitigation approach. Securing buy-in and investment for proportionate countermeasures from the board involves using the same business language and focusing on ROI as any other strategic procurement decision. Providing context and calculating potential impact are key to building that business case.
Need support developing a business case? Get in touch with Esoteric here.
Author’s Note: In this article, the definition of the ‘Board’ is taken to be a Managing Board which includes the C-Suite managerial team.
About the Author
Emma Shaw is founder and Managing Director of Esoteric, a specialist provider of counter-espionage consultancy and TSCM, providing discreet and confidential services to a range of public and commercial sector clients and high-profile individuals around the world. Emma is an MBA graduate, and a Chartered Security Professional (CSyP), and spent her early career with the Royal Military Police, followed by a career in the Ministry of Defence, before founding Esoteric.
Emma is Chair Emeritus of the Security Institute, having previously been Chair (2013 to 2015); Board Director of Defence Industry Security Association (DISA), and Council Member for City and Security Resilience Networks (CSARN). Emma is a Trustee and member of the Board of the City of London Crime Prevention Association (ColCPA) and was recently appointed Deputy Chair of the UK TINYg (Terrorist Information Network) Advisory Council. Emma is also a Non-Executive Director of Cyber Security Challenge UK, Kings Security Group Ltd and Falanx Group Ltd.
Enjoy the latest fire and security news, updates and expert opinions sent straight to your inbox with IFSEC Insider's essential weekly newsletters. Subscribe today to make sure you're never left behind by the fast-evolving industry landscape.
Sign up now!
