OSINT: Build or buy?
Fri 27 May 2016
The real value in bringing Open Source Intelligence (OSINT) inside an organization, argues Luca Scagliarini, CMO at Expert System, is the ability to create a knowledge base that transforms risk assessment from static or infrequent to dynamic and immediate.
An OSINT system is one of the most important strategic tools a company can use. When it comes to mitigating risk, if you’re not taking advantage of open source intelligence, you’re leaving a tremendous amount of insight, and profit, on the table. And, if you’re not considering in-sourcing this activity—creating internal teams rather than or in parallel to outsourcing this to a vendor—you’re missing out on the real business value that this can bring your organization.
Websites and blogs, mass media (journals, conference proceedings, etc.), maps and other geospatial information are all examples of information that is freely available to all, otherwise known as open source information. OSINT, or open source intelligence, is the practice of taking the raw data from openly available sources and processing it through a variety of techniques (including semantics) to produce actionable intelligence that can be used in a number of ways.
As OSINT becomes ever more strategic, rather than outsourcing these activities to consulting firms, enterprises can actually increase the business value of OSINT by bringing it in house. However, many companies turn to an outside firm, often because they feel they don’t have the internal resources to handle an OSINT practice. This is often based on a common misconception about resources and a limited view of OSINT’s value for risk assessment.
Let’s look at OSINT in action. An OSINT tool helps you manage the massive volume of information, such as the sources listed above, that is created or made available daily, in a very targeted way. It helps you filter out the noise and the irrelevant, allowing you to select the sources, filter in the right information, define what to visualize based on what matters most, test possible alternatives and finally, create reports that foster collaboration and enable faster time to action. On the surface, this view of OSINT may support the idea that lots of resources are required, but stay with me…
Analysts who already know your business
In essence, the intelligence derived from this process requires people who understand your unique challenges, and who can connect the dots and communicate effectively inside the organization. Most organizations, in fact, already have many analysts in house, and while they may not be OSINT experts or boast certain three-letter-agency credentials on their resume, I bet they know how to process information. And they know a lot about your business.
Training people on OSINT techniques is much easier and faster than making them experts on your business. Bringing people up to speed on what the company does, as well as the nuances of your products, competitors and the sectors where you operate, requires much more hands-on experience and training over time. Leveraging experts on your business that you already have in house is a solid reason for building an internal OSINT team. But it’s not the best reason. The real upside to bringing OSINT in house relates to risk assessment.
Transforming your risk model from static to dynamic
Let’s look at how a traditional enterprise risk model is typically applied. In this example scenario, the risk model says that margins can be impacted by the price of oil. Usually, these models are reviewed at set, and not very frequent, intervals. Real-time analysis, however, could reveal new evidence that this scenario holds only when the prices of other commodities rise in parallel. So the original assessment, while not wrong, captured only part of the events that increase enterprise risk.
This discovery might not even have happened without constant monitoring of many variables and world events by people who are deeply knowledgeable about the company’s business. It could prompt an immediate review of, and possible adjustments to, the risk model, mitigating the enterprise’s exposure to risk. The example is obviously oversimplified, but what is at its core is much more common than you think.
It’s this ability to be nimble and respond in real time to changes in the risk environment that makes all the difference. The real value in bringing OSINT inside the organization is this ability to transform risk assessment from static or infrequent to dynamic and immediate. Not only can you identify events that could impact the business before they actually do, you can also suggest changes to the enterprise risk model, making it ever more valuable.
If you’re pondering the make vs. buy decision, remember these benefits of bringing OSINT in house: leverage the skills and expertise of the in-house talent who already understand your business; establish ownership of your system and simultaneously improve workflow efficiency inside the organization; and increase your responsiveness and ability to anticipate change through dynamic reporting and risk assessment.
Once you take these items into consideration, you and your organization can effectively build an approach and program that uses OSINT as a powerful strategic tool for tomorrow’s risk management world.