- [Music] - Welcome to Cyber5, where security experts and leaders answer five burning questions on one hot topic, an actual intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host Landon Winkelvoss Co-Founder of NISOS, a managed intelligence company. In this episode, I talk with Executive Vice-President at Allied Universal, Ray O'Hara. We discussed the use of intelligence for Corporate Security Programs, usually overseen by a Chief Security Officer. We talked about some of the challenges being faced by Chief Security Officers, and how intelligence can be actionable to mitigate those risks. We also work through a variety of case studies. Talk about metrics for success, and what technology platforms are used to anchor data intelligence that might be useful months down the road. Stay with us. - Ray, welcome to the show, sir. Would you mind sharing a little about your background for our listeners? - Yeah. Good day, Landon. Happy to be here and happy to participate in the recording. So, I'm a veteran of the Security Industry for many years. Started my career in Law Enforcement in Los Angeles, and spent much of my career as a Security Practitioner, working for Fortune 100, and what have you. Second part of my career has been on the consulting side, and actually, today, I'm in an organization where we support 90 some countries around the world with Executive and Manager travel, and what have you. We spend a great deal of time with the high net worth crowd, both in their private enterprises, and their public enterprises. Living currently in Las Vegas, and it's 104 degrees today. Just beautiful. Just a reminder that the things that I mention are really my opinions in the world, and did not reflect anything with any organizations that I'm associated with. - Very few folks, I think, will say that 104 degrees is beautiful, but that's certainly a great perspective. Today, we'll be talking around, you know, the use of intelligence around Corporate Security Programs. And I think when a lot of folks hear Corporate Security Programs, they think of the guns, the guards, the gates of physical security programs, and probably that's what a lot of it is. But certainly, you know, as we're evolving in the digital age, I think we can all agree that intelligence, particularly open-source intelligence, has taken on a role, a different role, and a different meaning to ultimately solve business problems, particularly with around Fiscal Security Programs, whether it's the facilities, whether it's high net worth individuals, whether it's Executives, really varies. So, I guess, you know, to start out, provide a background of Corporate Security Programs at a high level, and what business problems and risks they really seek to address. - Well, just broadly about intelligence. You know, we haven't done this forever, unfortunately. And, I would say in the last five years, maybe a little bit longer, you know, it was kind of the best known secret that we really had the ability to gather data, analyze that data from around the world, and be a business partner to the company in interpreting that data. And whether that be market entry, brand new market entry, other issues, vendor intelligence, and what have you, now that we rely so much on the world to support our daily needs every day. Think that business intelligence angle is critical to being successful. - From that perspective, let's take, you know, if you're a Chief Security Officer, you know, in an enterprise, what is your general responsibilities that you, ultimately, in kind of need to protect just to kind of set the stage, you know, for our listeners? - Well, from an education standpoint, there's a Chief Security Officer standard, an ANSI standard in the United States has been developed by ASIS. So, it's actually a good guideline for a CSO, particularly a new CSO, to look at that and see, what's been written from a standard standpoint about security function in an organization. I mean, the first and foremost goal is to support the business, and obviously keep the people safe, and productive around the world, which is a challenge in the environment that we're in today, 'cuz there's people everywhere. It was a little bit easier when they were all in the same place, or in all in the same places. But now, you know, they're in every time zone. Many countries around the world, and, and working from Starbucks, or some other place where there's a connection. It's really pretty interesting from that standpoint. And, of course, we know that from recent history in the last couple of weeks, and history from 20 years ago, this Saturday's at business continuity, emergency planning, crisis management. All pretty high on the scale of things that should be paid attention to. So, the the daily operations of the gates, guns, and guards, it's really down in the organization, and can be managed locally. While the CSO would have some impact on that, it's really more from a strategy standpoint, and hopefully not being bogged down in the day to day operations of, oh, I forgot my ID card. I can't get in. - You mentioned, you know, being a partner to the business. And I think that that's certainly an important part of intelligence, and then intelligence disciplines, because ultimately intelligence disciplines are not reducing risk, and not supporting the business on aligning the business. Since, you know, it's really not that useful. So, broadly speaking, how have you seen intelligence impact or address risks for a Chief Security Officer? - Well, not sure everybody will agree with me, but many will that really risks drives our daily activities. And whether the risk is low, medium, or high, whatever that risk is to the business, and where they operate around the world, and what they do, and what they manufacture. It's really the Business Manager's decision to understand what risks are facing him or her in the organization that they work in, and security function, really, in my view, is to bring that risk to the table, whatever that is, what options are to mitigate that risk, if you need to mitigate it. But, the Business Manager needs to be informed that he or she has that decision 'cuz they own the business, and we're advisors to the business. Now, I know a lot of people won't always agree with that, but when you think about it, I can mitigate. Landon, you could mitigate, but really, it's the Business Manager's decision to understand whether they want to spend the money that may be needed to do that, or they want to insure that risk passed onto a third party, or they want to just understand that the risk is just, and they're going to work around it, and work with it. When I think about risk, today, that's what I think about. And, over the last several years, really transformed me to Enterprise Security Risk Management. Since, you know, the security function in the days gone by or many days gone by, you know, was fences and cameras and alarms and, and all of that, but then when you start thinking about the wholistic risk of the organization, it involves a lot of people that touch risk. They may not recognize that they do. Um, and you and I were just chatting briefly, before he had about kidnapping and, and what have you. That's certainly a risk, a risk to people, and while it is becoming more and more rare, and it did have its heyday. And, if you weren't prepared for that, you were missing the boat. And, you know, at two o'clock in the morning, if something happens to this person missing in Mexico city, you don't add anything, if they haven't prepared to deal with that. It's going to be a long night. - So I guess, walk through the different intelligence sources that are helpful, you know, to kind of mitigate certain some of those risks, right. I think, coming from, you know, United States Government backgrounds, there's certainly, you know, a varied multi-source approach. And I think that some of those variations certainly translate, you know, over to the Corporate Sector, just, you know, obviously, that's the collection capabilities, so certainly much more different, based on legal considerations and U.S. person interest, of course. But, I guess talk through the different intelligence sources that, you know, are kind of important to, you know, a Chief Security Officer. - Yeah. Well, this transition we've been in, in the last many years, I would say, Landon, so having a dedicated intelligence analysts on the team, whether they be a contract person, or an employee doesn't really matter, but having someone dedicated to intelligence and course that means then that they have an intelligence background. They could be from a three letter agency, or they could be, what we see today, a College grad with International Studies background, because they're interested in the world, and then, learning how to be an analyst, and dealing with data, and interpreting that data and sharing that data. And, of course, as you know, we could wake up every morning and read 10 or 15 pages of material about what's happening in the world, but, if it doesn't have anything to do with your organization in that material, then it's a waste of time. So, what we see today is a great benefit is that Intelligence Analyst, who's dedicated to the organization, their business around the world, their partners around the world, their competitors around the world, and their suppliers around the world. So, you have the whole picture of what's happening in your industry. That's important to you, and potentially could be a risk factor that should be dealt with. And I see, today, you know, a lot of opportunity to be better at that. You know, we think about, just, think about the supply chain for a moment. There's 40 some vessels sitting in the Port of Los Angeles, waiting to deberth and unload. And it probably take on average 10 days for each one of them, once they get a call to pull in. So, if your supply chain material is sitting there, or it got diverted to another port that you hadn't prepared for, then you have potentially the customer impact not getting the material that they're waiting for. And, it was actually funny yesterday. And I didn't go back and fact check this, but there was a talking head that I saw that was talking about the same thing about the supply chain and the ships in Port of Los Angeles, and she made the comment that you know, nobody knows what's in those containers. And, so you don't even know if your Christmas goods are coming that you ordered from China. Then I thought to myself, how could that be true? That there's no manifest that's of what's on this ship? But, I'll give her the benefit of the doubt, 'cuz I didn't bother to fact check it. - I'm going to say that, you know, most fortune 500 companies, even customs and border protection, probably would, strongly disagree. But, you know, moving on, right? If you're a Chief Security Officer, in addition to your business partners, in addition to your supplier partners, and intelligence analysts as well, do you feel that you need, you know, a human intelligence vendor? Do you feel like you need an open source intelligence vendor? What are the different intakes, I guess, you kind of need? And then, I guess, the follow-up question to that is, ultimately, have you seen pre-Chief Security Officers aggregate that and store that, you know, because what's relevant, today, certainly might not be, you know, relevant tomorrow. But, it might be, and you need to have the ability to kind of go back, and search, and find, you know, the different patterns, recognitions trends to prevent risks in the future. - Well, it's interesting the way you say that. Is in my view, the CSO really is a strategician, with a plan that's been developed that he or she is following. It has been approved by the board. It supports the company's vision and strategy. So, I think at that point, it comes down to how can I be the most efficient at this? That I can be? And you certainly can't build everything that you would need at least in many, or if not, most organizations, today. So, you have to have trusted partners that can help you. So, for example, the social media issue is all over the place, as you know, and I don't think there's any one's individually that could monitor social media activities that would support the strategy of the company, by themselves. I think you have to have partners to help you with that. It's like in the older days of technical security, countermeasures. You know, checking for bugs and what have you. You can't afford to get the equipment, keep it validated, train people to do it, and then move them around the world to effectively operate a TSCM program. So, you have to outsource that, or at least you should outsource that. And then you have experts that stay on top of what the issues are every day. And as, as the medium changes, they change with it. So, there's a great deal of interest in social media, today, and what people are saying about organizations, and so forth and so on. It is just too voluminous, in my view, for a person or persons to do that without some technical support, and some software support that helps synthesize that information, getting that boiled down to, okay, what do we have today that actually impacts the company? While it might be interesting in that it impacts a lot of people in the world. If it doesn't impact the company, shouldn't be bothered with it. - Yeah, I couldn't certainly agree more, you know, and then from that aspect, how have you seen social open source intelligence, including social media analysis, and technical digital investigations play a role in addressing risk for the Chief Security Officer? And how has that kind of evolved over the last five years? You mentioned that the Chief Security Officer's really that strategist. To be, you know, an ear to the business, to the executive team. That how have you seen them leverage in social media intelligence, and the open source intelligence to help in that mission? - Well, I think it's, it's similar to what we've been talking about. There's only so much of this that you really should do yourself, if you do any. For example, we do training for our Intel Analyst on a regular basis. And even though some of them may have some formal Intel background, in whatever they did in a different life, you know, now we're dealing with Intel about a business, and the business community that that business happens to be. So, it's a little bit different than, you know, a direct terrorism related issue that impacts the world at the organization and the company, and the USG and others like that. So, this is where I think you have to be very efficient, and making sure that you have the right tools in place, and your business knows that you have those right tools, and are available to help them with a critical issue somewhere in the world. Where you can do the front end research, or have it done, and turn it around in a reasonable amount of time in a document that reads easily for a Business Manager. - I think case studies and examples are always, usually, helpful, just to really come and have outside listeners make sense of this. What are some case studies that you've seen? - Well, if the CSO is sitting in the right position in the organization, and is an advisor, a trusted advisor to the C-suite, you know, market entry comes to mind. So, you know, we're going to expand our business. We're going to build a manufacturing plant in somewhere in the world. Columbia, or some Brazil, or somewhere else. Well, getting the Intel bright up on that, what that community is doing and who the community is, whether their assets are there, what other competitors might be there, what's the labor pool look like, and so on and so forth. That's critically important to the business. And really from the security function standpoint, that's where the value is, is that's why we do what we do. And, hopefully, we have that audience in those situations. And, and I think today a lot about social media, because people want to know what people are saying about the company or about individuals in the company. It's a great tool to be able to come back and say, they're saying nothing. You know, there might be some, some kind of a threat or what have you, but, oftentimes, today, it will look at social media first to see what's there because it's somewhat relatively simple. Certainly, it's not a Google search or a Facebook search or something like that, but there's enough open source information that's readily available, that it can get you at least started in the right direction as to whether or not you actually have a problem or not. And I think this is where your partners are critically important, as I mentioned earlier, to have, have them on your team, have them understand your company, and what the culture is in your company, and what it is that we're actually looking for. So, we're not going to drive a lot of information that doesn't really apply. And I think we keep that pretty narrow today. We have a great scope of work, and a great deliverable that everybody agrees to. So, then, then, you know, we have the basis for going forward and doing the work. Open source, as you mentioned, does play a role there, but if not a hundred percent of the role, and then the next level is a the dark net and the mysteries of the dark net and so forth. - On top of that as well, we've seen the difference, you know, with this as well. Where would you generally see a negative sentiment in social media and the open source? We generally seen that within the Chief Information Security Officer, or have you seen that within the Chief Security Officer roles? Sometimes. a combination of both? When you're talking about sentiment analysis and, you know, potential degradation to the brand that has certainly a lot of different impacts, where have you found that to be addressed the most effectively? - Well, definitely on the CSO side, occasionally you might see a little bit of activity by the CISO, but if the CSO and the CISO have partnered together, then it doesn't really matter where it comes from, because they're both the same team, and they both should have the same goal in mind of just rectifying whatever the issue is and minimizing exposure. So, I think it's important for the CSO, as we talked earlier, to really be a strong strategy person and have that built in, so that he or she regularly meets with his, his or her counterparts in the organization back to the ESRM that if someone is touching risk in another part of the organization, then they should be talking together. And we used to call this the Risk Committee, or something like that, but really today, because the organizations are so broad, those other stakeholders in risk should have a say at the table. - When you take those case studies, and you package those together, and you present, you know, a deliverable that ultimately answers a requirement to the business, right? 'Cuz that's really what we're talking about. You know, addressing requirements that are relevant to the business. Where data and information are processed to be timely, actionable, and relevant. And ultimately that's what intelligence is. Understanding that, you know, what is irrelevant or relevant, you know, weeks and months ahead, what integrations have you seen within enterprise tooling? How that makes it relevant and timely for a longer period of time? I mean, I think you mentioned tooling earlier, and, you know, you've been in Law Enforcement and I, you know, I've been various Law Enforcement Intelligence Organizations, where we're used to these massive behemoth databases that, you know, ultimately store intelligence reports, if you would. What are some examples, or some different case management systems that you've seen effective to kind of consume a lot of this type of information to make intelligence? - At the beginning of the day, back to what I've said a couple of times now, that the CSO really has to have the stage set, and the game plan developed for all kinds of contingencies. And, what I find unfortunate in some cases, today, is that we really, we hear about an issue, we think about that, we don't necessarily involve the business at the early stage of that. And I think that's a mistake, because the business is really what's at risk here, and not the individual. Not the business units. It's the business itself, as you said earlier, from a branding standpoint. And we know from history that there's some, in, some serious issues that have developed, because we went down the wrong path a couple of times. And then when you sit there, and, of course, it's always easy on Monday to say, well, they shouldn't have done that. Well, you know, that's the end of the game. If they shouldn't have done it, they shouldn't have done it. And they should have stood up and said, no, we're not going to be able to do this. So, keeping data that is sensitive about others and individuals, and what have you, does that really belong in the business community, or does that belong somewhere else? - I would probably argue, probably belongs somewhere else, right? So, I guess, have you seen Chief Security Officers put resources toward developing, you know, a case management system where they can be that strategist to the business and have information at their fingertips? Or, is this something that they've generally outsourced? Is this where they partner with a vendor? I guess kind of, how have you seen that operationalized, so to speak? - Well, I think that it's, it's really that relationship with the business set at the highest level. I mean, if there's things that need to be monitored that are beneficial to the business, and not a violation of anybody's ethics or anything else, then they should be monitored. But, I think the business needs to have that understanding that that's what we're going to do. And I think social media is the easiest to explain today that if we have a threat, a termination threat, and maybe it's a little bit advanced, you know, maybe there's a firearm involved in the discussion, and what have you. And, so, maybe we want to put a plan together to monitor that person's social media activity for a week or two, or whatever the timeframe is. But, I really don't take the security function should be doing that without the input of the business. And in some cases, the General Counsel. So that we know that we're doing it, and we know potentially what an outcome might be. And, it's really interesting sometimes to say, okay, let's just assume that this is true. Then what are we going to do about it? So now, you know, putting this back on the business and saying, okay, let's just assume that It is Joe is doing what we thought Joe was doing, and it's a detriment to the business. Is it a violation of the law? Can we turn it over to law enforcement, and have them take it? And then the answer today, as you know, is that's probably not an answer that's going to work too well. But then the business is the one that's at risk. So, you have the General Counsel, or the C-suite, or whoever the sponsor is on board, so that there's no surprises. And if we go out and we look and we find that, well, Joe, isn't really doing this anymore. It appears that he's moved on from that activity. And, are we done with that? Yeah, probably. But, it wouldn't be a bad idea to go monitor Joe a little bit, periodically, to make sure that he actually is done with it. So, we're kind of checking both ends of the spectrum there. - We've even seen this as well, where there's maybe is a valid threat, but realistically, to put 24/7 physical security monitoring around an Executive is expensive. And certainly to be able to use this around, you know, to be able to do this more from a social media monitoring perspective, sometimes is, you know, a little bit more cost effective to see if anything there is an escalation point. And we've even seen it, when there's the potential to escalate. You know, we've had even had assessments where we're using psychologists. We're using medical professionals to, ultimately, you know, then they make the assessment. I mean, if you do escalate, you know, that could even become more of an issue where there is a potential fiscal security threat. Just curious, you know, how you've seen these types of cost benefit analysis discussions kind of play out with Chief Security Officers. - I think your example is actually very accurate. You know, we, we could respond in a minute. If you need us to, then you can. And you need 10 people tomorrow, we'll get 10 people tomorrow. But to someone that needs to ask the question, okay, when are we going to know, and how are we going to know that we don't need that 10 people anymore? And what are going to be the milestones that tell us, okay, we could scale back. And I think we, sometimes we forget to ask that question on the front end, because we're all good at responding and responding quickly. So, I think you add that to your quiver of things that are important, and you get people, not, not, to give you a full answer, because they don't have to do that. It's just that they have to think about that. So, we're going to spend $10,000 a day doing X. Well, how many days are we going to do that until we get tired of it? And, then, have we really addressed the issue? - That's certainly, I think that's the fascinating part of our business. I think it's only going to evolve in the coming years, and I appreciate your expertise coming on the show today. Thanks for all your service, certainly in Law Enforcement. And, well done on a great career, and thanks for being on the show. [Outro Music] - For the latest subject matter expertise around major intelligence, please visit us at www.nisos.com. There, we feature all the latest content from NISOS experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all NISOS teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane, and conduct high state security investigations. Without the value of the team provides day in, day out, this podcast would not be possible. Thank you for listening.