Key Takeaways
Security without intelligence is blind security.

Risk decisions without intelligence are guesses.

Use intelligence as a foundation for security programs.

Intelligence at the Heart of Security Risk Management

For a related topic, see my post about security risk management.

During my time at InterContinental Hotels Group, I was fortunate enough to be a member and subsequently the Chairman of the Hotel Security Working Group (HSWG). The HSWG membership included the Chief Security Officers from 6 of the leading global hotel groups (3 of which are now Northpoint International partners!) and was established to be a forum for intelligence and best practice sharing. It was clear that intelligence was a central pillar on which these leading hotel groups based their security and anti-terrorism programs. Speaking to representatives of smaller hotel companies, I was surprised to learn that most did not have a threat intelligence function, designing and operating security as a ‘set-piece’ or applying security techniques by numbers. Other companies seemed to view security as a legal compliance function, often driven by fear or vendor pressure. My suggestion that this approach is effectively resulting in blind security risk management was often met with a shrug and a riposte that ‘this is how their hotel company wanted to do things’. Now that the current pandemic has offered an opportunity to review security risk management, I would recommend that hotel companies build their security capability around security intelligence to ensure effective capability and wise spending.

At its heart, security risk management is about making decisions: decisions that shape programs, direct activities, and guide spending. Good decisions lead to good risk management and effective threat response. Poor decision making, of course, has the opposite effect. Good decisions are rarely derived from luck; they depend upon understanding based on reliable information which has been appropriately analysed and assessed. Intelligence enables companies to deploy the appropriate security, at the right place, at the right time and the right price. From this, it can be deduced that security programs that do not rely on intelligence are likely to fail at some point and fail to meet the duty of care obligations.

Ideally, hotel companies should employ someone who understands and is practised in intelligence techniques but also has a thorough understanding of hotel operations; this understanding is vital if intelligence is to be analysed and assessed in context and if threat management measures are to be appropriate and effective. Intelligence is also key to providing justification for security measures and supporting security enhancements and projects. The other advantage of utilising a qualified and experienced Intelligencer is that she/he will have an established intelligence network on which to call and partner.

Intelligence relies on the quality and appropriateness of sources and agencies. As a rule, the more numerous and varied the sources, the better. Some hotel companies rely on governmental traveller advisory sites as their primary source of threat intelligence, not understanding the purpose of these advisories, which are largely designed to give travellers a high-level overview of potential travel risks. They are not designed to give the detail and insights required by companies to effectively manage threats and risks, especially in high-risk countries. They are good for understanding potential guest security concerns and planning reassurance measures. As a minimum, hotel companies should employ commercial security and geopolitical intelligence providers. Smaller companies with restricted budgets might consider partnering with similar companies or lodging associations, perhaps to share the costs. It is best practice to use the services of a number of providers, a blend of boutique, such as Sibylline, and large providers, such as Control Risks; the former are more likely to provide bespoke services, especially in analysis and assessment, whilst the latter will likely have larger collection capability. I used larger providers to provide horizon scanning and first-level assessment and then smaller providers to deep dive on issues of interest/concern. Of course, the more providers employed, the greater the perspectives, the better the intelligence reliability and the richer the intelligence picture.

Companies often struggle to realize that many security threats emanate jointly from physical and cyberspaces. This is the case, and therefore any intelligence program must include cyber intelligence that is processed and fused with physical threat intelligence. To overlook this, or to maintain cyber and physical intelligence separately, establishes a strategic vulnerability. There are some excellent ground-breaking cyber intelligence providers, such as Senseon and Sovereign, who provide external and internal cyber intelligence that focuses on the ‘human end’ of cyber threat and its interface with the physical world.

Some advice for lodging buyers who consider hotel security an important factor in their duty of care procedures: before asking questions about security, ask about the hotel company’s threat intelligence program. If the company has no formal intelligence program, look even closer and be more challenging when considering security issues.

Questions for Consideration:

  1. Does your company have a security intelligence capability?
  2. With regard to security threats, do you know what you should know?
  3. Do physical and cyber intelligence operate in a merged program?
  4. Can you justify the security measures you have taken?