Information imbalances can result in events that cost people significant resources or, in extreme cases, their lives. In the public sector, threats presented by information imbalances—known as “asymmetric” threats—can have a dramatic impact on a country, as the events of 9/11 illustrate. In the private sector, information imbalances do not typically bring consequences on that scale, but they can be devastating in other ways. The military has addressed the problems of information imbalances by formulating a doctrine of Information Superiority. The challenge is that the private sector has not followed suit.
The Department of Defense (DoD) defines Information Superiority as “a relative state achieved when a competitive advantage is derived from the ability to exploit an ‘Information Advantage’,” and as “the ability to develop and use information while denying an adversary the same capability.” In other words, an Information Advantage is achieved when one competitor outperforms its competitors in the information domain.
The United States Navy has been at the forefront of defining the role of information and its importance to warfighting capabilities. It compares information’s importance to the introduction of dreadnoughts, aircraft carriers, and nuclear power. The Chief of Naval Operations has elevated information to the Navy’s “Main Battery.” Part of that elevation includes the removal of sub-optimal stovepipes in exchange for “Warfighting Wholeness” involving information, as well as an increased concern with cybersecurity issues in order to protect information gathered by human and electronic means. These changes, according to the DoD, require technical and behavioral modifications to how data is collected and processed.
The public sector can create similar value by gathering intelligence that can be appropriately and quickly utilized—i.e. that can be transformed into actionable intelligence.
An important element in data use and protection is the classification system. The intelligence community utilizes a system that, at its core, protects the most sensitive information by dividing it into four categories: unclassified, confidential, secret, and top secret. These categories restrict who has access to the information, and they define how it is protected. While the information’s value does not necessarily determine its classification, higher value data usually receives a higher classification, which supports Information Superiority.
The most infamous asymmetric threat experienced by the United States in recent times was 9/11. The 9/11 Commission Report makes clear that enough intelligence was gathered by the United States government that could have revealed Al-Qaeda’s plot. However, existing structures did not allow information to be shared horizontally in a superior way. The dots were not connected, allowing one of the most heinous acts of terrorism to be perpetrated on American soil. These findings prompted the public sector to rethink and revamp how it collects, processes and analyzes information. The results can be seen by recent successes in preventing other acts of terrorism.
Credit for the daring raid that killed Bin Laden clearly belongs to the Navy SEAL team that executed the mission, but that mission could not have happened without actionable intelligence pinpointing Bin Laden’s location. The intelligence community was able to connect the dots, locate Bin Laden, and provide the SEALs with the information they needed. Had reforms to information sharing structures not occurred, the intelligence that made this raid possible might never have emerged. And these reforms have likely helped the United States to avoid other attacks.
The government’s new approach to Information Superiority is transferable to the private sector. But while many CEOs say that they aim to achieve an “information advantage” over their competitors, few look to the DoD’s doctrine for guidance.
As the private sector focuses more on information, it talks about cybersecurity issues, privacy, and behavioral advertising. Most companies, however, fail to recognize that the public sector has valuable research and ready-made tools that it too can use to manage information in an advantageous way. Simply put, the private sector needs to embrace the public sector’s approach to Information Superiority.
By borrowing the DoD’s concept of Information Superiority, private companies can make actionable use of “Big Data.” They can learn news methods of gathering the right information and sharing it with the right people at the right time. This creates value for the organization as an Information Advantage. It achieves five important goals: it increases profit; it reduces costs; it optimizes risk; it reduces the impact of cyber-threats, such as industrial espionage; and it mitigates potential brand damage caused by information-related crises. The challenge to implementing such as system is that the private sector typically thinks of information in a narrower way. However, by broadening its view, the private sector can achieve an Information Advantage through improved analytics and risk optimization.
Increasing Profit Through Business Intelligence and Analytics
Concerns about information typically focus on subjects like privacy—the private sector’s attempt to limit its legal exposure in the use of consumer data. While privacy is an important issue, an exclusive focus on privacy is too narrow if one is attempting to achieve Information Superiority. Achieving Information Superiority in private business has a broader sweep. It is concerned with any information that would aid executives in making decisions that drive revenue or reduce costs, which includes, in many cases, consumer data. It also includes other forms of intellectual property and proprietary data that is not associated with consumer behavior. For example, the customer service group in a mobile device manufacturer might have information on patterns of dropped calls resulting from a software or hardware flaw that was impossible to see until the product was deployed. Unless that information is effectively shared with the groups responsible for software patching and hardware design, a solution will not be incorporated into future updates, to the company’s detriment. The same is true for non-technology companies. For example, a hospital might be facing rising post-operative infection rates due to a faulty process. Unless that information is transformed into actionable intelligence, patient care will suffer and mortality rates increase.
An obvious example of profitability achieved through Information Superiority is presented by the dramatic shifts in the video rental industry. Established “big box” video rental businesses thrived for a long period, but consumers clearly wanted different options than offline stores. Those companies that quickly gathered information on what consumers wanted and acted on that intelligence by building new technological platforms to deliver movies online were the ones that prospered rather than perished.
There are any number of examples to illustrate the importance of Information Superiority in the private sector. In the end, however, companies that proactively gather and use information, and that do so in a superior way, will necessarily perform better than their competitors. This is also true in risk management.
Optimizing Risk and Reducing Cyber Threats
Using information in a superior way helps companies to optimize their risk and reduce cyber threats. By following the doctrine of Information Superiority, companies can understand where their most sensitive data resides and design better protections for those systems. In the case of company-centric information, such as formulas, IP, pricing, and similar data, implementing Information Superiority concentrates protection efforts on sensitive areas susceptible to cyber-attack.
In the case of protecting personally identifiable information, a consumer-centric issue, the Privacy 3.0 framework developed by The Lares Institute can be used to aid companies in assessing the sensitivity of information, and how best to protect it. Similar to the intelligence community’s data classification system, Privacy 3.0 utilizes consumer survey data to create four tiers—highly sensitive, sensitive, slightly sensitive, and non-sensitive—and these tiers permit companies to assess their collection, use, and protection of sensitive data. For example, companies could place increased protections on systems that contain highly sensitive forms of data under the Privacy 3.0 model, such as Social Security numbers, passwords, financial account information, and other similar forms of information. This allows companies to focus proportionally less resources on less sensitive forms of information such as online purchase history, search history, and certain forms of social media data.
While the threats are different, the solution for the public and private sector is the same—to reduce information imbalances that can lead to disruptive or asymmetric threats through the superior use of information, including data classification. The key question is how to implement Information Superiority in the private sector.
Building a Bridge Between the Public and Private Sector
In order to achieve Information Superiority, to paraphrase the DoD, the private sector must engage in technical and behavioral modifications in how information is collected and processed in order to add value. The first step private companies should take is to create a governance structure, or committee, that includes key senior stakeholders from departments such as IT, privacy, human resources, audit, legal, treasure, security, and others with the goal of increasing the horizontal sharing of information and making information the “Main Battery of Business.” Regular meetings of the Information Governance Committee will further reinforce the need to horizontally share information and implement Information Superiority in order to drive increases in revenue and to optimize risk.
More importantly, the Governance Committee should have the company engage in an information inventory so that it understands what information it has, and where it resides, with the goal of informing the key stakeholders and aiding executive decision-making. Once the information inventory is complete, the Information Governance structure can help the company engage in an information classification exercise that will help identify what information is most important to the company and to create better strategies for protecting it.
The Information Governance structure should also be charged with creating new ways of horizontally sharing information within the company. It should also report back to senior leadership on its progress and what new activities have been undertaken as a result of the information sharing initiative. Ultimately, by using these tools, the private sector can increasingly recognize the value of information and turn it into an Information Advantage in the increasingly competitive global economy.
While these seem like simple steps to take, the stark reality is that most companies have not taken them. Once these baseline steps are taken, however, there remains much more work to be done.
Andrew Serwin is CEO and Executive Director of The Lares Institute. He is also is the the founding chair of the Privacy, Security, and Information Management Practice and is a partner in the San Diego/Del Mar and Washington, DC offices of Foley & Lardner LLP.
This article was originally published in the Diplomatic Courier's November/December 2012 print edition.
a global affairs media network
Information Superiority: Turning “Big Data” into Actionable Intelligence
November 13, 2012
Information imbalances can result in events that cost people significant resources or, in extreme cases, their lives. In the public sector, threats presented by information imbalances—known as “asymmetric” threats—can have a dramatic impact on a country, as the events of 9/11 illustrate. In the private sector, information imbalances do not typically bring consequences on that scale, but they can be devastating in other ways. The military has addressed the problems of information imbalances by formulating a doctrine of Information Superiority. The challenge is that the private sector has not followed suit.
The Department of Defense (DoD) defines Information Superiority as “a relative state achieved when a competitive advantage is derived from the ability to exploit an ‘Information Advantage’,” and as “the ability to develop and use information while denying an adversary the same capability.” In other words, an Information Advantage is achieved when one competitor outperforms its competitors in the information domain.
The United States Navy has been at the forefront of defining the role of information and its importance to warfighting capabilities. It compares information’s importance to the introduction of dreadnoughts, aircraft carriers, and nuclear power. The Chief of Naval Operations has elevated information to the Navy’s “Main Battery.” Part of that elevation includes the removal of sub-optimal stovepipes in exchange for “Warfighting Wholeness” involving information, as well as an increased concern with cybersecurity issues in order to protect information gathered by human and electronic means. These changes, according to the DoD, require technical and behavioral modifications to how data is collected and processed.
The public sector can create similar value by gathering intelligence that can be appropriately and quickly utilized—i.e. that can be transformed into actionable intelligence.
An important element in data use and protection is the classification system. The intelligence community utilizes a system that, at its core, protects the most sensitive information by dividing it into four categories: unclassified, confidential, secret, and top secret. These categories restrict who has access to the information, and they define how it is protected. While the information’s value does not necessarily determine its classification, higher value data usually receives a higher classification, which supports Information Superiority.
The most infamous asymmetric threat experienced by the United States in recent times was 9/11. The 9/11 Commission Report makes clear that enough intelligence was gathered by the United States government that could have revealed Al-Qaeda’s plot. However, existing structures did not allow information to be shared horizontally in a superior way. The dots were not connected, allowing one of the most heinous acts of terrorism to be perpetrated on American soil. These findings prompted the public sector to rethink and revamp how it collects, processes and analyzes information. The results can be seen by recent successes in preventing other acts of terrorism.
Credit for the daring raid that killed Bin Laden clearly belongs to the Navy SEAL team that executed the mission, but that mission could not have happened without actionable intelligence pinpointing Bin Laden’s location. The intelligence community was able to connect the dots, locate Bin Laden, and provide the SEALs with the information they needed. Had reforms to information sharing structures not occurred, the intelligence that made this raid possible might never have emerged. And these reforms have likely helped the United States to avoid other attacks.
The government’s new approach to Information Superiority is transferable to the private sector. But while many CEOs say that they aim to achieve an “information advantage” over their competitors, few look to the DoD’s doctrine for guidance.
As the private sector focuses more on information, it talks about cybersecurity issues, privacy, and behavioral advertising. Most companies, however, fail to recognize that the public sector has valuable research and ready-made tools that it too can use to manage information in an advantageous way. Simply put, the private sector needs to embrace the public sector’s approach to Information Superiority.
By borrowing the DoD’s concept of Information Superiority, private companies can make actionable use of “Big Data.” They can learn news methods of gathering the right information and sharing it with the right people at the right time. This creates value for the organization as an Information Advantage. It achieves five important goals: it increases profit; it reduces costs; it optimizes risk; it reduces the impact of cyber-threats, such as industrial espionage; and it mitigates potential brand damage caused by information-related crises. The challenge to implementing such as system is that the private sector typically thinks of information in a narrower way. However, by broadening its view, the private sector can achieve an Information Advantage through improved analytics and risk optimization.
Increasing Profit Through Business Intelligence and Analytics
Concerns about information typically focus on subjects like privacy—the private sector’s attempt to limit its legal exposure in the use of consumer data. While privacy is an important issue, an exclusive focus on privacy is too narrow if one is attempting to achieve Information Superiority. Achieving Information Superiority in private business has a broader sweep. It is concerned with any information that would aid executives in making decisions that drive revenue or reduce costs, which includes, in many cases, consumer data. It also includes other forms of intellectual property and proprietary data that is not associated with consumer behavior. For example, the customer service group in a mobile device manufacturer might have information on patterns of dropped calls resulting from a software or hardware flaw that was impossible to see until the product was deployed. Unless that information is effectively shared with the groups responsible for software patching and hardware design, a solution will not be incorporated into future updates, to the company’s detriment. The same is true for non-technology companies. For example, a hospital might be facing rising post-operative infection rates due to a faulty process. Unless that information is transformed into actionable intelligence, patient care will suffer and mortality rates increase.
An obvious example of profitability achieved through Information Superiority is presented by the dramatic shifts in the video rental industry. Established “big box” video rental businesses thrived for a long period, but consumers clearly wanted different options than offline stores. Those companies that quickly gathered information on what consumers wanted and acted on that intelligence by building new technological platforms to deliver movies online were the ones that prospered rather than perished.
There are any number of examples to illustrate the importance of Information Superiority in the private sector. In the end, however, companies that proactively gather and use information, and that do so in a superior way, will necessarily perform better than their competitors. This is also true in risk management.
Optimizing Risk and Reducing Cyber Threats
Using information in a superior way helps companies to optimize their risk and reduce cyber threats. By following the doctrine of Information Superiority, companies can understand where their most sensitive data resides and design better protections for those systems. In the case of company-centric information, such as formulas, IP, pricing, and similar data, implementing Information Superiority concentrates protection efforts on sensitive areas susceptible to cyber-attack.
In the case of protecting personally identifiable information, a consumer-centric issue, the Privacy 3.0 framework developed by The Lares Institute can be used to aid companies in assessing the sensitivity of information, and how best to protect it. Similar to the intelligence community’s data classification system, Privacy 3.0 utilizes consumer survey data to create four tiers—highly sensitive, sensitive, slightly sensitive, and non-sensitive—and these tiers permit companies to assess their collection, use, and protection of sensitive data. For example, companies could place increased protections on systems that contain highly sensitive forms of data under the Privacy 3.0 model, such as Social Security numbers, passwords, financial account information, and other similar forms of information. This allows companies to focus proportionally less resources on less sensitive forms of information such as online purchase history, search history, and certain forms of social media data.
While the threats are different, the solution for the public and private sector is the same—to reduce information imbalances that can lead to disruptive or asymmetric threats through the superior use of information, including data classification. The key question is how to implement Information Superiority in the private sector.
Building a Bridge Between the Public and Private Sector
In order to achieve Information Superiority, to paraphrase the DoD, the private sector must engage in technical and behavioral modifications in how information is collected and processed in order to add value. The first step private companies should take is to create a governance structure, or committee, that includes key senior stakeholders from departments such as IT, privacy, human resources, audit, legal, treasure, security, and others with the goal of increasing the horizontal sharing of information and making information the “Main Battery of Business.” Regular meetings of the Information Governance Committee will further reinforce the need to horizontally share information and implement Information Superiority in order to drive increases in revenue and to optimize risk.
More importantly, the Governance Committee should have the company engage in an information inventory so that it understands what information it has, and where it resides, with the goal of informing the key stakeholders and aiding executive decision-making. Once the information inventory is complete, the Information Governance structure can help the company engage in an information classification exercise that will help identify what information is most important to the company and to create better strategies for protecting it.
The Information Governance structure should also be charged with creating new ways of horizontally sharing information within the company. It should also report back to senior leadership on its progress and what new activities have been undertaken as a result of the information sharing initiative. Ultimately, by using these tools, the private sector can increasingly recognize the value of information and turn it into an Information Advantage in the increasingly competitive global economy.
While these seem like simple steps to take, the stark reality is that most companies have not taken them. Once these baseline steps are taken, however, there remains much more work to be done.
Andrew Serwin is CEO and Executive Director of The Lares Institute. He is also is the the founding chair of the Privacy, Security, and Information Management Practice and is a partner in the San Diego/Del Mar and Washington, DC offices of Foley & Lardner LLP.
This article was originally published in the Diplomatic Courier's November/December 2012 print edition.
