Peter Steinfeld: Hello and welcome to The Employee Safety Podcast from AlertMedia, where you’ll hear advice from industry leaders on how to protect your people and business. I’m Peter Steinfeld. Today’s guest is Mike Evans, who leads the Risk Intelligence Center within Securitas Risk Intelligence.

Mike’s work sits at the center of a growing challenge for many organizations. They have more intelligence and data than ever before, but still struggle to analyze and interpret it.

In this episode, Mike explains why that disconnect exists and how organizations can turn intelligence into clear, actionable decisions across security teams and business leadership. Here’s our conversation. Hey Mike, thanks for being here.

Mike Evans: Thanks, Peter. It’s great to be on the podcast today.

Peter Steinfeld: All right, well, let’s jump right into it. What is the Risk Intelligence Center at Securitas actually responsible for?

Mike Evans: So the Risk Intelligence Center, as part of the Securitas Risk Intelligence Business Unit, we do go by a couple of different names.

One indeed is SRI or Securitas Risk Intelligence shortened into an acronym because hey, every good intelligence outfit needs a three letter acronym for its name — or the Bad News Brigade — because typically where the bad news is happening in the world, that’s where we are trying to stop it from impacting our customers.

But it’s our mission to provide accurate, timely, relevant and actionable intelligence to organizations, individuals within those organizations and provide them with the decision making advantage and the confidence those are the right decisions they’re making to protect their people, their property, assets and whatever else that matters most.

As a global security company, Securitas works with organizations of every size of every sector, providing everything from on-site services including guarding and technology solutions, to remote and digital solutions including SOC services and of course risk intelligence.

When it comes to risk intelligence, core to our purpose is not just doing risk intelligence, it’s connecting the dots and delivering intelligence led security in everything that we do.

For example, providing officers on the front line with tactical intelligence for disruptive events that are happening nearby to a site or an operation. At the intelligence level, providing intelligence to customers and account teams on industry related threats or threats to assets they’re wanting to safeguard.

Or from a strategic perspective, it could be things like geopolitical intelligence or horizon scanning for what’s coming up in 12, 24, 36 months so that the business can focus on its operations and its objectives. To deliver these kinds of myriad capabilities — SRI or Securitas Risk Intelligence — we have different teams that specialize in different domains of intelligence.

We have our Global Intelligence team which is a 24/7/365 feed of intelligence on things that are happening around the world.

The key developments, whether or not it’s from a terrorism perspective, from a severe weather perspective, geopolitics, et cetera. We then have our Protective Intelligence team. And our Protective Intelligence team traditionally has been focused on executive protection and intelligence related to that domain.

But in today’s interconnected world and the ecosystems and operating environment of organizations, protective intelligence in our space is not just executive protection intelligence, it’s protective intelligence for the sites, it’s for suppliers, it’s for brand names. Because a threat actor, the way that it looks at targeting an organization, it targets anything and everything that you want to protect.

So we’ve widened the kind of protective intelligence net.

We have our consultancy team that does ad hoc or short term bits of work, or indeed our embedded services team, where we take embedded experts, analysts and deploy them onto client sites or client account teams to provide them with additional support, whatever that may be.

So by combining global, protective, consultancy and embedded services, the Risk Intelligence Center is there to provide that accurate, timely, relevant and actionable intelligence, both as is, but also connected to intelligence led security.

Peter Steinfeld: I love this idea of intelligence led security and getting people to be more proactive instead of reactive. And I definitely want to dig into that more.

But before we go there, I have noticed an accelerated pace of evolution in this space since I got involved back in 2001. I can’t believe it’s been that long. And I wonder if you’re seeing the same thing when you look at the job today. What feels most different from even just a few years ago?

Mike Evans: I completely agree.

I think what’s really happened is that the demand for these types of services has significantly increased, which is driven by the awareness of these types of services. What I would say is that the understanding of what intelligence and intelligence led security is — that’s a little bit more unclear.

The awareness is being very much driven by the VUCA threat landscape — Volatile, Uncertain, Complex, Ambiguous. We can all see that on a day to day basis.

Traditionally, security functions have dealt with things like criminality and terrorism. That evolved to then include other kinds of non-traditional threats, things like the travel security domain and crisis management. Now we’re looking at the next generation of threats and the security requirements to answer to those.

Additionally, in the past couple of years we’ve seen an explosion in the use of technology and AI and the integration of that into the intelligence domain. What’s very interesting here is that the combination of AI and human expertise is key to making the most successful intelligence programs.

We’re aware of that and we are aware of the opportunities that AI offers. But we’re not fully understanding in the industry at this point in time what that needs to actually look like in the real world.

The other thing I think that’s really interesting is an increase in convergence. The industry has long spoken about threat convergence and security convergence.

Traditionally, in the convergence of the cyber domain and the physical security domain, convergence ultimately means the convergence of two or more distinct ideas or trends or domains, which is really key to the next generation of threats and security. Convergence is not just about cyber and physical. It’s about the convergence of public and private sector security domains.

Traditionally, we kind of think of public sector as national security and public safety — those types of threats are also increasingly impacting private sector organizations. It’s the convergence of international threats and local domains, with geopolitics being a hotspot word right now.

It’s the convergence of outsider threats and insider threats. Traditionally, we think of insider threats as financially motivated.

If you look at insider threats today, we’re increasingly seeing them being ideologically motivated. So again, that convergence of outsider and insider threats.

And of course, it’s the convergence of the information domain threats and real world or tangible physical threats. A single post on social media could be key to mitigating a workplace violence threat.

It could be key to mitigating a brand crisis, or indeed it could be the start of a geopolitical crisis. So for me, awareness has increased. We’re a bit more unclear on whether organizations fully understand how to best leverage these capabilities.

But also that convergence — not just traditional convergence — the next generation.

Peter Steinfeld: So it sounds like intelligence really can and should do much more than simply inform people, which is historically what it’s done. So how do you think about the concept of intelligence led security in real world practice?

Mike Evans: Intelligence led defines the proactive approach to security strategy and operations and the connecting of the two, even to the front line at a tactical level. And that’s to use intelligence to understand threats, vulnerabilities and the associated risks.

With these, intelligence led is both a capability and a state of being. Now, what does this look like in the real world? Intelligence led security is not just about traditional security.

It’s about the entirety of an organization. It could be securing the physical assets, people, property, et cetera, or the more geopolitical and social physical side of an organization.

But arguably, and more importantly, intelligence led is about actionability and operationalizing what may be perceived as something that’s insightful, but actually turning it into real world action. That could be increasing security patrols as a means of deterrence against a threat that’s been identified.

It could be deploying new technologies to mitigate new threats such as drone-based threats, or it could be providing early warning of longer term shifts in the security threat and risk landscape that will impact an organization as a whole.

Peter Steinfeld: It seems to me this would work best if you have buy-in directly from the top and you have executives realizing that investing in security is just as important to the company as investing in that new piece of software or that new piece of machinery on the factory floor. Otherwise it’s just not going to be optimal.

Mike Evans: 100%. I think this then comes back to the awareness and the understanding equation.

Anyone could put together a report and send it out to some key stakeholders and say, hey, we’ve identified this as a potential threat, we want you to be aware of it.

But unless you can translate that with context — what this means for an organization, what this means for its assets, its operations, what this could mean next, either in the short term or in the longer term, and most importantly, what you can do about it. So what, what if, or next, and indeed what you can do about it. Intelligence is not just a dashboard on a screen.

It’s not just someone sat there in a GSOC or an office environment powering through emails. True risk intelligence is integrating that intelligence into actionable outcomes within an organization.

Peter Steinfeld: Yeah, it’s not just about keeping the business or the people within it safe. It’s also about making everyone more productive and allowing the business to flourish. That’s a really big part of it. I think a lot of people don’t fully appreciate that.

Mike Evans: I think there’s an interesting equation with risk intelligence in particular. Where there is risk, there is also opportunity.

And where there are scenarios for disruption, you can also disrupt back, as it were, and you can turn that into a moment of opportunity for a business to flourish.

Peter Steinfeld: Now you mentioned it before and I want to pull this thread a little bit, but organizations are swimming in data. You say they’ve got all this information and it’s not just the job of the GSOC to forward that on to someone else without providing analysis.

So where do things usually start to break down between having all this information and then using it effectively to make a good decision?

Mike Evans: I think the first thing, when we talk about where things break down, particularly when it comes to information versus intelligence, is that those two things are actually very different things.

When we break this down into the different information states, the first one we will come across is data, which is raw data in an unstructured form. It could be a single post on social media. It could be a single post or report from a guard on the front line, or it could even be a media article.

It’s just a single point of unstructured data.

When you get to the information stage, what you’re doing is taking multiple data points, multiple social media posts, multiple media articles or what have you, and processing all these individual data points into a single structured record of information — like a nice paragraph summary of what’s happening.

But we’re still not yet at the intelligence stage, because intelligence is analyzed information in context of an organization or a decision maker. Intelligence includes an assessment which has things such as a “so what?” or, you know, what is the impact or implications of this information to us as an organization?

And again, arguably most importantly, it can have an advisory of recommended courses of action or mitigation controls to mitigate a threat, manage a risk, or realize an opportunity. So we kind of think of data, information, intelligence.

We’re already starting to get into the understanding of why things break down and why they’re breaking down largely. There’s too much noise, there’s too much data. When we get into the information space, things are still unclear.

We haven’t gone the full process to producing intelligence, but if we can get to intelligence, we can then integrate this into the decision making apparatus of an organization.

Whether this is decision making for BAU operations on a day to day basis, or for more specific decision making processes — things like event security, travel security, decisions of opening up travel or closing travel to a country, due diligence or indeed business strategy.

Peter Steinfeld: So what separates something that’s actionable from something that’s just interesting? That’s something that people struggle with a lot.

Mike Evans: I think the first thing that I would ask analysts to really consider is does this provide added value?

Does the product you have produced provide additional value than the consumer could have received or realized from going on X or seeing something in the news themselves?

If you are not providing added value on top of what’s being reported elsewhere, that’s when it’s stuck in that information space instead of intelligence — it’s stuck in that insightful, interesting, maybe a bit entertaining space. But is the value really there?

The way to really think about that is not just is it providing value, but what you’ve produced — is this giving the advantage to the consumer? By receiving that intelligence, have you given them an advantage?

And if you weren’t to have sent it to them, would they be at a disadvantage?

Common pitfalls we see is that intelligence products either answer more questions or pose more questions than they answer. And it’s ensuring that all key stakeholders have the same key takeaways.

Really though, it’s about making sure that you’re providing that advantage, that added value to the recipient of intelligence so they can then do something with it.

Peter Steinfeld: So it’s not just passing on the tornado threat, but hey, there’s a tornado headed this way and we’ve got three offices that are full to the gills with people and running 24/7 trying to produce something — whatever it is — and that’s why we need to be concerned about it. Versus, hey, there’s a tornado headed here and there’s one office and there’s one guy that works in it, and he’s actually on vacation this week, so it’s not that big of a deal.

You gotta add that context.

Mike Evans: Spot on. That’s a fantastic example.

And where possible, again, also giving that advisory or recommended guidance, because you never know — that person who’s receiving that intelligence, that could be the very first time they receive intelligence about a tornado threat and they may not know what to do about it.

Peter Steinfeld: Well, there’s a lot of conversation right now around connected systems, open ecosystems, shared data everywhere. When all that’s working really well together, what does that look like in your opinion?

Mike Evans: I think the best mark of success in connected systems and the sharing of data and intelligence and what to do with it is making sure that ultimately what we’re trying to do is get to a state where everyone is equipped with everything they need to do what is required of them to the best of their ability in their job.

In practice, this is ensuring that you have the right people with the right training and tools in the right place, at the right time, with all the right information — or better yet, the right intelligence — to operate effectively and achieve their objectives on the front line.

This indeed could be ensuring that someone with security responsibility for maybe a site is fully aware of everything that’s happening nearby, one for incident response purposes in the event that something goes wrong.

But also they’re aware of the environment they’re in to identify trends, patterns, behaviours, where they need to shift their security postures or plans.

It also means that having someone, maybe with operational accountability, is aware of what’s happening both now, but also what’s happening next — maybe the next seven days or the next month — so they can plan what to do about it in a proactive way.

But ultimately it’s making sure that everybody involved in security, risk, crisis and associated domains has everything they need to be able to succeed.

Peter Steinfeld: Do you see that the way people in the industry look at the sharing of information has changed over the last 20, 25 years? For example, it used to be, oh, it’s security, it’s need to know, I’m not sharing anything with you.

And over time it seems like that’s shifting to wait a minute, we could all be much safer if we’re sharing information in a safe way. Do you see that happening in the industry?

Mike Evans: I do. I think the saying that a rising tide lifts all boats is really true.

Getting engagement across an organization is the best way to enhance security and also to be able to detect, identify and indeed mitigate threats.

There’s a reason why security awareness campaigns run throughout the year — that includes things like May being US National Operations Security Awareness Month, promoting awareness of what operations security is. And there’s a reason why every September it’s National Insider Threat Awareness Month. These things are key to driving awareness. To be clear, there are certain things that are more sensitive than other types of intelligence.

Things like executive protection threats, for example, or targeted workplace violence threats to an individual — you’re not going to share those details across an organization.

But by providing that awareness, you’re increasing vigilance across the entirety of an organization at every level, from the tactical frontline to the strategic in the boardroom.

Peter Steinfeld: Now, once all these different teams out there or partners are sharing intelligence, who ends up owning the decision or decisions that need to be made? How do you coordinate all that effectively?

Mike Evans: To coordinate effectively, the first thing that I would recommend organizations do is understand the audience — know your customer — of who you’re sending this intelligence onto. Because they’re going to have their own distinct needs and you have to find ways of being able to translate what it means to them.

Think of layering. Is this intelligence for the front line, the tactical side of life? Is it for operational decision makers or is it for more strategic stakeholders?

When we’re thinking about particularly the front line and also operations, you’re going to have to leverage things like clear standard operating procedures or SOPs for the most common scenarios so that they can run the playbook in a very much no-touch, low-touch environment for low risk scenarios.

Hey, there’s a current incident nearby the site, or like severe weather that’s not too severe that it’s going to pose a critical severity event, but it’s going to be something that disrupts access to the site.

A clear SOP for basic flooding or basic heavy rain scenarios can be run, but there are going to be more severe or more significant events where you’re going to have to go into more of a dynamic decision making process — there can still be an SOP, but it’s going to be more of a playbook of individuals making the call on the day as the situation begins to unfold. Decision ownership ultimately shifts depending on the situation.

You can have as much baked-in capability, SOPs, playbooks, even utilizing things like AI and technology to automate where possible.

But there are certain scenarios, certain occasions when you are going to have to make sure that people are in the loop, and that’s when that sharing of intelligence and the ownership of the decision really kicks into play.

Peter Steinfeld: Do you find that a lot of organizations — perhaps they swim in information, they’re starting to make the transition to turning it into intelligence, but they maybe fall down a little bit on those SOPs and the practice they need to go through to make sure everyone knows what to do in an emergency? And they know that hey, not everything’s gonna go according to plan, but just by going through the practice, it makes you more aware of what you might be able to do in case something happens. Do you find a lot of organizations struggle with that?

Mike Evans: I think what’s really interesting with practice and rehearsals as such is that they can help build muscle memory, they can help build connective tissue in how things should work. What’s also really important is the idea of train hard, fight easy.

But even if you’re in that mindset of training hard to fight easy, scenarios unfold differently every single time. So be prepared for surprise.

There’s a saying out there, particularly in public sector and military circles, of no plan survives contact with the enemy. And that’s true. You can have the best scripted playbook for a scenario. But is it going to work every time? No.

Peter Steinfeld: And I think it’s as simple as if you’ve gone through an exercise, you at least know who to call if something is not right.

Whereas if you haven’t gone through the exercise, you didn’t meet Susan or you didn’t meet Jim, and then when the bad thing happens, you don’t know who to call. So just going through the exercise to meet people can be a massive benefit if something bad happens.

Mike Evans: And I think that’s a really good way of highlighting the fact that we’re talking about people here, and security and intelligence — it’s a team sport. And it’s all about people.

And in security, we often kind of focus on, hey, people and humans, they’re the weakness in the chain, right? They’re the weak link. Actually, they’re also the strongest link in the chain.

Peter Steinfeld: I love how you keep turning these things around on me.

Mike Evans: It’s not my first rodeo.

Peter Steinfeld: Do less, more. More, less. All these sound bites — it’s fantastic. Now, even when systems are connected, decisions don’t always improve.

In fact, when you have that kind of connection and flow of information, it can mess things up in people’s heads. So what’s your opinion? Why is it that decisions don’t always improve?

Mike Evans: I think a big part of it is awareness versus understanding. We crave to know more, we crave to understand more.

But particularly in today’s information landscape with the huge amounts of information available at all of our fingertips, it’s just too much.

We almost get stuck in that doom scrolling mentality of tell me more, tell me more, tell me more, without taking a step back and going, hey, what does this actually mean for me? And if we don’t get into that mindset, decisions aren’t going to improve because we are too busy chasing what’s happening next.

With that mindset of I am receiving something, it is being sent to me, I can see it and feel it — we almost get into a mindset of what does this mean for me, as opposed to going, what does this mean for we? What does this mean for us as an organization?

And we all know that what happens on one side of the world right now has a butterfly impact and effect on the other side of the world. So the “what’s in it for we” mindset — the context of what this means for the organization as a whole — is key.

Peter Steinfeld: So where do people make the biggest difference in the intelligence process?

Mike Evans: I think when we look at the world at this point in time, there’s ever more information, ever more data and we’re never going to get away from that now. We are producing more data per day than we did in some years previously.

So we are going to have to use AI and technologies and automation to get on top of that. But the human in the loop is there to run and own that.

Particularly on the direction side of the intelligence cycle, and particularly in the analysis side of the cycle, to provide that “so what, what if, and what you can do about it.”

Focusing on intelligence — too often the industry laments the fact that we don’t have the time to focus on things like structured analytical techniques, or SATs, or the fact that there’s an expectation that intelligence is a bit like a crystal ball — like it can tell you what’s coming next and read the future. If only. And that’s not real, that’s not going to happen.

But we can focus more time on things like scenario generation and establishing what is the most likely course of action or the most dangerous course of action — realistic worst case scenarios — so that organizations can increasingly prepare for the question of what when, as opposed to what if. I think the other thing as well, focusing on the humans in the loop, is the one thing that AI is not going to be able to do.

No technology is able to humanize intelligence. And by that I mean to make it really real world and relatable.

We spend a lot of time in intelligence making sure that we are objective, we’re unbiased, and we fundamentally need to do that because that is key to credible intelligence. But also when we’re producing intelligence, we want to be mindful of the human factors that intelligence is going to have.

When you send it on to a consumer, you want to be able to convey a state of alarm — such that you as a consumer need to do something about this — otherwise they may do nothing. You may also want to convey a state of assurance. Hey, we’ve seen this, we’re letting you know about it.

Here’s our assessment that it’s not posing an immediate credible threat. But had you not conveyed that intelligence for assurance purposes, without that intelligence, a customer may jump straight to alarm.

They have no context, they do not understand what’s going on. So assurance is there to provide peace of mind. Or it could be for awareness purposes — hey, we’ve seen this thing happen in the world.

It’s got no immediate impact for us. But if this scenario was to play out and target us, here’s what it could look like.

So for me, really focusing on the human side of life — the humanization of intelligence.

Peter Steinfeld: Yeah, I mean words can absolutely hit hard and, to your point, it can send someone into alarm and they freak out. Or you could communicate too much that never pans out and then it’s boy who cried wolf, and then they don’t believe anything you say going forward.

So I think that’s where the human is so important in this.

AI is going to help those humans be better in determining what they actually need to share, and they can spend more time thinking about how should I relay this? Should I not relay it? Should I think about toning it down a little bit to make sure it hits exactly like I want it to hit.

Mike Evans: We emphasize a lot about credibility in intelligence, but when you strip that back, actually it’s trust. Do you trust the product in front of you? And a big part of that trust is knowing who put it together.

Peter Steinfeld: Can you share an example of what good intelligence led decision making looks like in practice?

Mike Evans: Okay, so an interesting example from the past 12 months or so. Not to get too close to home, as it were.

We were monitoring for threats towards a data center client, both within the industry and indeed the organization itself and their assets.

We’d identified some indicators in various information channels that this organization was going to be specifically targeted by various threat actors — typically sabotage-based threat actors — because of a geopolitical grievance and an ideological grievance.

So by identifying this chatter, as it were, and assessing the intent and the capability and the opportunity to act of the associated threat actors, we were able to communicate to the organization and decision makers that look, these particular assets in this part of the world are likely to be targeted in the next 24 to 48 hours because there is a window of opportunity for this group to take action. That allowed the decision maker to deploy additional security based on the threat.

So this was a sabotage threat targeting things like infrastructure at the site, trying to get through the perimeter, and also to carry out some kind of occupation-style tactics. The organization was best equipped then to deploy the assets that it felt fit to mitigate that threat, which it did successfully.

What was interesting is that as that scenario began to unfold, it inspired other sabotage-based actors in other parts of the world to carry out similar actions — copycat style, as it were. So we were able to communicate to the organization, hey, this is happening here.

But actually in this other region, these other sites are also being exposed to this particular threat. And now they’re also talking about targeting not just the data center sites, but also targeting the corporate offices.

And that then started to get attention on the more open spaces from potential insider threats.

And also indeed things like mentions of an executive, which transformed the threat into a more targeted workplace violence and indeed home-based violence scenario.

But it wouldn’t have been possible to successfully mitigate that threat if we weren’t asking the right questions and going, hey, what threats could impact this organization? What threats could impact this industry — utilizing all the available and appropriate sources and indeed integrating that in the decision making.

Peter Steinfeld: Well, before we wrap up, for any organizations out there that are just trying to make better decisions with the data and intelligence that they already have, what’s a really good practical first step they can take?

Mike Evans: I would break it down into three practical steps. One — are you asking the right questions? Two — are you using all of the available sources? And three — are you actually integrating intelligence in decision making?

Asking the right questions: have you got your intelligence requirements formalized? Are they written down somewhere so everyone knows what it is they should be looking for and being aware of?

Because if they don’t know, you’re assuming that someone else is. Secondly, using all available sources.

Use everything from open source to your closed sources in your own operating environment and leverage that — whether it’s guard reporting or social media or everything else in between. And ultimately, are you really integrating intelligence in decision making?

Is it just being sent out via an email and someone’s reading it and storing it in a file for later? Or are they using it as part of their day to day decision making, or are there certain forums or decision making processes it could be included in?

So ultimately — ask the right questions, use all available sources and really make sure you’re integrating intelligence into decision making activity.

Peter Steinfeld: Mike, a lot of fantastic advice and insight. I really enjoyed the conversation. Thank you so much for being on the show.

Mike Evans: Thank you, Peter. Really enjoyed it.

Peter Steinfeld: To learn more about Mike and Securitas Risk Intelligence, click the links in the episode description. You can also watch the video highlights on AlertMedia’s YouTube channel.

Don’t forget to subscribe, rate and review the show wherever you get your podcasts. Stay safe out there.

Outro: Thank you for listening to The Employee Safety Podcast from AlertMedia, the world’s leading provider of risk intelligence and response solutions. To learn more about how to protect your people in business during critical incidents, visit alertmedia.com.