Building a ‘Team of Teams’ for Unified Threat Intelligence
As the lines between physical, cyber, and geopolitical threats continue to blur, traditional security approaches that operate in silos are becoming increasingly ineffective.
Today’s threat landscape demands a unified approach to threat intelligence—one that fosters cross-functional collaboration and integrates information for various domains to effectively counter complex, multifaceted threats.
The “Team of Teams” concept was made famous by U.S. Army General (Ret.) Stanley McChrystal, a former commander of Joint Special Operations Command (JSOC), the premier U.S. military counter-terrorism force. McChrystal took what was an effective but complicated, siloed military culture and replaced it with a much more efficient and unified counter-terrorism organization, one that reshaped both interagency and international operating culture.
In his bestselling 2015 book, Team of Teams: New Rules of Engagement for a Complex World, McChrystal wrote:
“Today’s rapidly changing world, marked by increased speed and dense interdependencies, means that organizations everywhere are now facing dizzying challenges, from global terrorism to health epidemics to supply chain disruption to game-changing technologies. These issues can be solved only by creating sustained organizational adaptability through the establishment of a team of teams.”
Those of us working in private sector security intelligence, especially in organizations with multinational interests and broad risk exposure, have long known how vital open-source intelligence (OSINT) and cyber threat intelligence (CTI) are to strategic decision makers on boards of directors and in the C-suite when facing threats like terrorism.
But those of us who have spent the past decade in an organization headquartered among the allied nations of Europe, the Americas, Africa, or the Indo-Pacific have also watched the private sector take on a larger role in national security during what has been called “a new, hybrid cold war.” Advanced persistent threat actors, foreign intelligence services, and criminal organizations based in Russia, China, Iran, and North Korea have expanded campaigns that put people, property, and assets at risk.
The Role of the Private Sector
The private sector plays a crucial role in cyber, physical, and economic security of allied nations because much of the infrastructure targeted by cyberattacks is privately owned and operated.
As such, public-private partnerships are essential for a comprehensive approach to threat intelligence. These partnerships enable the sharing of critical information and resources, allowing both sectors to benefit from each other's strengths.
For instance, private companies often have access to advanced technologies and expertise that can enhance government-led intelligence efforts, while government agencies can provide legal and regulatory support to help protect private sector assets.
Moreover, the private sector's involvement is vital in addressing the increasingly sophisticated tactics used by cyber adversaries. Ransomware, for example, has evolved beyond simple data encryption into layered extortion: stealing data before encrypting it, doxing executives, and contacting a victim's clients to tell them the company is unwilling to pay to protect their data.
These complex threats require a coordinated response that involves both public and private entities, as well as the integration of intelligence from multiple sources.
Lessons from the Cyber Dimension
Cyber threats have emerged as a critical challenge in the global security landscape, often targeting infrastructure that is largely owned and operated by the private sector.
The cyber domain, much like the battlefields of counterterrorism, requires a collaborative approach that bridges the gap between national governments, international allies, and private entities. That need is underscored by recent incidents such as the ransomware attack on Colonial Pipeline and the explosions that damaged the Nord Stream pipelines, which exposed the vulnerability of critical infrastructure to cyber and physical attack alike. The private sector already offers a working model in its security operations centers (SOCs), where analysts from different specialties sit on the same floor and work from the same data rather than in silos.
In 2023, the U.S. National Intelligence University published an article by an officer on detail from the FBI. Her research explored the chemistry of inclusive intelligence teams and lessons learned from post-9/11 intelligence integration. She interviewed federal intelligence professionals working on interdisciplinary teams across the whole of the U.S. government. Each of the 41 teams with whom she conducted interviews was responsible for looking at different primary problem sets such as terrorism, counterintelligence, violent crime, public corruption, fraud, and cybersecurity.
The researcher observed in commentary on her article that, as her interviews unfolded, the nation's cybersecurity and CTI teams stood out as unusually productive collaborators. Specifically, she noted that the success of U.S. cyber threat intelligence teams can provide a model for how this collaboration can be achieved. Cyber analysts across the U.S. Intelligence Community's 18 agencies described themselves as “super-tight” and “seamless” in their teamwork, regardless of rank or title. She added that one of her management interviewees went so far as to say, “in the cyber community, integration is ‘supernatural’.”
This level of unity of effort and team integration is not only essential for effective cyber defense but also offers valuable insights for broader intelligence operations. By fostering a culture of cross-boundary inclusion and cooperation, cyber teams have been able to overcome the traditional divisions that often hinder collaboration between different departments, agencies, and occupational specialties.
Lessons from a Counterterrorism OSINT “Team of Teams”
Deep collaboration can ensure that overall intelligence analysis is greater than the sum of its parts.
On coalition OSINT teams for counterterrorism, for example, an environment among international partners with common purpose fosters a sense of collective identity and purpose, uniting participants against a common adversary. It breaks down traditional barriers and facilitates a unique cross-pollination of ideas and strategies. In these environments, inclusion across traditional boundaries is not just a practice but a norm. This approach brings together international governmental and military partners, all accessing the same foundational data, irrespective of their rank, title, service, or nationality.
Success stories from the past decades of allied international counterterrorism efforts can serve as powerful examples of how deep, voluntary, and willing collaboration can enhance intelligence operations and improve outcomes. Not long after leaders like General McChrystal, and those who adopted his leadership philosophy, radically changed JSOC's own internal culture, international counterterrorism efforts shifted as well: security partner nations began to share OSINT in the planning and collection phases of the intelligence cycle. They embraced a collaborative model in which burden sharing, resource allocation, and the integration of diverse expertise proved critical in addressing a transnational security challenge.
For instance, Operation Gallant Phoenix, a groundbreaking initiative focused on in-person information sharing among a “coalition of the willing” expanded from a small group of fewer than 20 individuals from just two countries to a high-tech fusion center with more than 250 official representatives from more than 25 nations. According to then-Chairman of the Joint Chiefs of Staff, U.S. Marine Corps General Joseph Dunford, the completely voluntary work of coalition partners at Operation Gallant Phoenix led to significant numbers of thwarted terrorist attacks, preemptive arrests, and successful prosecutions in multiple jurisdictions.
This broad campaign against violent extremists has also been effective in disrupting the movement of foreign fighters, cutting off resources to terrorist organizations, and challenging the narrative that extremist ideologies like those promoted by ISIS are successful.
A great deal of useful insight has been generated over the past 25 years as international coalitions and public-private partnerships in the counterterrorism field drove concepts like “burden-sharing” and “comparative advantage” into the mainstream of policy and planning to address a collective transnational risk. The modern world in which we live can take the best of those lessons and overlay that with some of the most valuable aspects of collaboration that have organically developed in the private sector cybersecurity community.
Comparative advantage, an economic theory typically applied to international trade, refers to the ability of a party to produce a good or service at a lower opportunity cost than its trading partners, so that specialization and exchange leave every party better off. In the context of a complex challenge like global counterterrorism, this principle can be observed in how different partner countries contribute their unique strengths, authorities, and capabilities to overall investigative operations. Each participating nation brings specific expertise and resources to the table.
For example, some countries might have advanced technological capabilities for intelligence gathering, while others may possess crucial regional knowledge or linguistic skills. By combining these diverse capabilities, a small but combined international effort can become more effective than even a much larger effort by any single country.
Common threats and common operating pictures can be force multipliers in willing cooperation among diverse security partners with a common adversary.
“Swivel-chair access” refers to the ability to turn to a colleague for a short, face-to-face conversation rather than navigate up and down multiple layers of bureaucracy. I first heard the term while overseas assessing an international coalition of counterterrorism professionals from many countries, who spoke of the great value of operating on “shared floorboards” rather than in silos. They valued that unclassified, open-source data could be collected and ingested at the front end of the analytical process; it enabled much faster information sharing than waiting for the releases needed to pass proprietary or classified information.
Three Key Considerations in a Unified Threat Intelligence Strategy
To counter today’s complex and converging threats, organizations need a unified threat intelligence strategy that integrates cyber, physical, and geopolitical intelligence into a cohesive framework. By breaking down silos and fostering cross-functional collaboration, this approach enhances the ability to detect, assess, and respond to multifaceted risks. Drawing on lessons from counterterrorism and cybersecurity, a unified strategy ensures intelligence is both actionable and timely, bolstering organizational resilience against modern threats.
“Comparative advantage” and “swivel-chair access” across cyber, physical, and personnel functions are particularly needed in multinational private sector threat intelligence because threats are no longer confined to any single domain. OSINT-based frameworks have proven effective not only in counterterrorism but also in laying the groundwork for broader applications, including countering cyber threats. Just as technology gives threat actors abilities to operate across domains, it also allows security professionals to create more comprehensive intelligence pictures to anticipate and more quickly operationalize responses to threats or recovery from incidents.
Here are three key points for every threat intelligence team to consider as they think about how to support their operational business leadership and board-level decision makers with the most comprehensive OSINT picture possible.
1. Integrate cyber and physical security. Lessons from international counterterrorism efforts show us benefits from integrating intelligence across various national and disciplinary lines. Private sector organizations can also unify their cyber and physical security efforts to effectively counter converging threats.
This integration can take several forms. For instance, intelligence gathered from digital platforms, such as social media or dark web forums, can provide early warning of potential physical attacks. Conversely, insights from the personnel side, including cybersecurity hygiene programs, insider threat awareness, and workforce wellness campaigns, can inform cyber defense, allowing an organization that is being targeted with social engineering to mitigate the digital threat before it materializes.
A unified approach also enhances situational awareness by providing a more comprehensive view of the threat landscape. When cyber and physical security teams share intelligence, they can identify connections between seemingly unrelated incidents, such as a cyberattack on a power grid that leads to physical disruptions. By breaking down the silos between these two domains, organizations can improve their ability to detect, assess, and respond to threats that span both the digital and physical worlds.
2. Leverage geopolitical insights. Business leaders must integrate geopolitical intelligence to anticipate and mitigate risks. Geopolitical events often serve as catalysts for both physical and cyber threats, making it essential for organizations to stay informed about international developments that could impact their operations.
For example, rising tensions between nations can bring an increase in state-sponsored cyberattacks, as Russia's cyber operations against critical infrastructure in the West have shown. Likewise, conflicts and ethnic wars on another continent can ripple through diaspora populations in the form of demonstrations or protest activity that targets a specific business location.
By incorporating geopolitical analysis into their threat intelligence strategy, organizations can better understand threat motivations and develop more effective countermeasures. This integration also allows for a more nuanced approach to threat mitigation, as it enables organizations to tailor their responses with cultural sensitivity to the specific geopolitical context in which they operate.
3. Create collaborative platforms and shared intelligence. The key component of any unified threat intelligence strategy is the establishment of shared workspace and platforms where intelligence from all sources—cyber, physical, and geopolitical—can be consolidated. This ensures that all functional teams have access to collections as close to their raw state as possible, facilitating better decision-making and faster responses to emerging threats. Collaborative platforms also enable organizations to leverage the collective expertise of their security teams, allowing them to identify and prioritize the most pressing threats which may not all be in one domain.
For organizations seeking to implement a unified threat intelligence strategy, adopting similar cross-domain collaborative platforms and work sites where diverse representatives of several functional domains can have regular face-to-face access will enhance the effectiveness of their security operations and improve their overall resilience against complex threats.
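As an added illustration, not code from the original article or from any product named in it, the following shows the core of what such a shared platform does: each team's report is kept in its own native form and mapped onto one common schema that still points back to the raw source, and reports from different domains are then correlated by shared entity within a time window so that a phishing wave, a protest permit, and a geopolitical assessment about the same site surface as one fused alert. The feed field names, the domain labels, and the sample reports are all constructed assumptions for this example.

```python
"""Cross-domain intelligence fusion, reduced to its core: keep every team's
report in a shared schema that still points back to the raw source, then
correlate reports that share an entity within a time window and span more
than one domain. Field names and sample reports below are constructed for
this example; they are not any real platform's format."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IntelRecord:
    domain: str          # "cyber", "physical" or "geopolitical" (assumed labels)
    source: str          # originating feed, so analysts can pull the raw report
    observed: datetime
    summary: str
    entities: frozenset  # normalized tags: people, sites, regions, actors


# Each team's feed names its fields differently (assumed layouts). One map
# lets a single normalizer serve all three domains instead of three silos.
FIELD_MAP = {
    "cyber":        {"time": "reported_at", "text": "ioc_context", "tags": "targets",   "src": "feed"},
    "physical":     {"time": "when",        "text": "note",        "tags": "locations", "src": "src"},
    "geopolitical": {"time": "date",        "text": "assessment",  "tags": "subjects",  "src": "desk"},
}


def normalize(raw: dict) -> IntelRecord:
    """Map one raw report onto the shared schema. Tags are lower-cased and
    stripped so "Berlin Office" from the guard force matches "berlin office"
    from the phishing triage queue."""
    m = FIELD_MAP[raw["domain"]]
    return IntelRecord(
        domain=raw["domain"],
        source=raw[m["src"]],
        observed=datetime.fromisoformat(raw[m["time"]]),
        summary=raw[m["text"]],
        entities=frozenset(t.strip().lower() for t in raw[m["tags"]]),
    )


def correlate(records, window):
    """Cluster records that share at least one entity and fall within `window`
    of each other (transitively), keeping only clusters that span more than
    one domain. Union-find over time-sorted records."""
    recs = sorted(records, key=lambda r: r.observed)
    parent = list(range(len(recs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, a in enumerate(recs):
        for j in range(i + 1, len(recs)):
            b = recs[j]
            if b.observed - a.observed > window:
                break  # sorted by time, so no later record can be in window
            if a.entities & b.entities:
                parent[find(i)] = find(j)

    groups = {}
    for i, r in enumerate(recs):
        groups.setdefault(find(i), []).append(r)
    return [g for g in groups.values() if len({r.domain for r in g}) > 1]


def fuse(raw_feeds, window_days=7):
    """End-to-end: normalize every team's raw report, then correlate."""
    return correlate([normalize(r) for r in raw_feeds], timedelta(days=window_days))


def shared_entities(cluster):
    """Entities that appear in at least two records of a cluster: the thread
    an analyst would pull on first."""
    seen, common = set(), set()
    for r in cluster:
        common |= r.entities & seen
        seen |= r.entities
    return common


# Constructed sample reports, one per team's native format.
SAMPLE_FEEDS = [
    {"domain": "geopolitical", "date": "2024-05-01T00:00:00", "desk": "geo-desk",
     "subjects": ["Country X", "Berlin Office"],
     "assessment": "New sanctions announced; hostile messaging names firms with a Berlin presence"},
    {"domain": "cyber", "reported_at": "2024-05-03T09:15:00", "feed": "phishing-triage",
     "targets": ["berlin office", "CFO"],
     "ioc_context": "Spear-phishing wave impersonating facilities management, aimed at finance staff"},
    {"domain": "physical", "when": "2024-05-04T18:00:00", "src": "guard-force",
     "locations": ["Berlin Office"],
     "note": "Permit filed for a demonstration on the street outside the site"},
    {"domain": "cyber", "reported_at": "2024-03-10T10:00:00", "feed": "waf-logs",
     "targets": ["customer portal"],
     "ioc_context": "Credential stuffing against customer portal"},
]

if __name__ == "__main__":
    for cluster in fuse(SAMPLE_FEEDS):
        print("Fused alert; shared entities:", sorted(shared_entities(cluster)))
        for r in cluster:
            print(f"  {r.observed:%Y-%m-%d} [{r.domain}/{r.source}] {r.summary}")
```

The point of the design is in what the schema keeps: the `source` field preserves swivel-chair access to the raw report, and the single-domain credential-stuffing report is deliberately left out of the fused output because a correlation that never crosses a domain boundary is exactly what each team already sees on its own. The time window is the main tuning knob; too wide and unrelated reports about a busy site merge, too narrow and a slow-building campaign never links up.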
The Bottom Line
The converging nature of today’s threats demands a unified response. By adopting a “Team of Teams” approach, organizations can break down silos and build robust, integrated threat intelligence programs. This approach not only enhances the effectiveness of security operations but also strengthens resilience against the complex and interconnected threats of the modern world.
The lessons learned from successful counterterrorism operations, combined with the best practices from cyber threat intelligence, provide a roadmap for achieving this integration and protecting our most critical assets.
As we move forward, the need for seamless collaboration between public and private sectors, as well as between national and international partners, will only become more critical. By investing in deep collaboration within and among diverse threat intelligence stakeholders, we can meet the security challenges of the 21st century head-on and better safeguard our enterprises.
The gains in efficiency and in effectiveness for better workforce safety, faster patch or response times, and quicker incident recoveries translate directly to higher returns on security investment for shareholders, boards, and C-suites.
Andrew Borene is executive director for global security at Flashpoint, a global threat intelligence firm, and an ASIS member. Borene has experience leading growth and corporate development for Fortune 500 technology companies including IBM, Symantec, and LexisNexis, and was CEO of a publicly traded cybersecurity company. A former senior official at the U.S. Office of the Director of National Intelligence (ODNI) and at the National Counterterrorism Center (NCTC), Borene led initiatives on counterintelligence, counterterrorism, open-source intelligence (OSINT), and advanced technology. Previously in government he was an associate deputy general counsel at the Pentagon and advisor at CIA. He is a U.S. Marine Corps combat veteran. Borene has a JD from the University of Minnesota Law School and BA from Macalester College. He is a past recipient of the FBI Director’s Award and the ODNI Exceptional Achievement Award.
© Andrew Borene