CIA’s Risk Prism Model: Business Operations Apply Spycraft
By Andrew Bustamante, Contributing Author / September 26, 2023
Andrew Bustamante is a former covert CIA intelligence officer, decorated wartime military veteran, US Air Force Academy graduate, and successful Fortune 10 corporate advisor. After 15 years in service to his Nation, Andrew skyrocketed through corporate America specializing in human and technical operations. With more than 20 years of experience in both private and public sectors, Andrew has become a highly demanded international private intelligence consultant and the founder of EverydaySpy.com. When he isn’t supporting private intelligence contracts abroad, Andrew lives with his wife (a fellow ex-CIA Officer) and two children in southern Florida.
A Massive Paradigm Shift
From 2000 to 2020, global GDP skyrocketed by more than 158% – faster than any other period in the history of mankind. Two decades of innovation, technological breakthroughs, global trade and environmental evolution created a massive paradigm shift from political and business norms that had prevailed for nearly 50 years before. And as American business leaders and investors today consider the operational business landscape for the next decade, hushed conversations in private boardrooms hint at uncertainty, confusion, and fear.
With an active war in Europe firmly in its second year, unprecedented economic and military tensions between the world’s two largest economies, and a myriad of new foreign policies ranging from domestic security to international espionage, the simple task of executing business has become fraught with financial, corporate, and even personal risk to US executives, investors, and shareholders.
After global public opinion of Americans peaked in 2016, a sharp decline in international confidence for US politics drove the lowest rating ever recorded in 2020. Running counterpoint to the decline in global favor for Americans, the UN published a peer-reviewed report detailing an increase in worldwide violence related to organized crime, extremists, and emerging technologies. As of February 2023, the US Department of State recommended American citizens avoid travel to 102 of 195 countries – more than 50% of the entire world – due to the direct threats posed against US citizens.
A New Security Imperative
U.S. business leaders today face an operational landscape that is unlike anything ever seen before. The blurring of business and national security policies, cyber threats executed by both criminal and state actors (and sometimes both together), and an ever-growing list of emerging threats have created a new security imperative that business elites must take seriously in order to safeguard human resources, proprietary assets, and corporate shareholders.
As a former CIA intelligence officer, I was trained to look at operational threats through a six-sided security prism – what we called a ‘Risk Prism.’ Each of the six sides in the prism refers to an independent security priority. Applied effectively, the Risk Prism creates a resilient, integrated operational model that increases positive outcomes, measurable impact, and comprehensive security.
Introducing: The CIA ‘Risk Prism’ Model for Operations
The ‘Risk Prism’ comprises six different risk areas that contribute to the overall integrated risk of an operation. The six areas of the Risk Prism are:
Emerging Risks: Anticipating, Planning and Responding to Emerging Threats
Insider Risks: Trust But Verify Your Human Resources Against External Infiltration
Political Risks: Weighing Operational Advantages Against Political Uncertainties
Targeting Risks: Who is Targeted, How They Find You, and How to Avoid Compromise
Proprietary Risks: Keeping Your Secrets Away from Nation States, Terrorists or Criminals
Social Risks: Anticipating Actions, Choices, and Behaviors Ahead of Impacts
The operational similarities between espionage and business are countless and virtually undocumented, due largely to the dearth of ex-intelligence operatives who run successful businesses. As my own business crosses the $1 million revenue mark, I count myself both proud and privileged to share the CIA ‘Risk Prism’ with you and apply it to your business objectives for 2023 and beyond.
Emerging Risks: Anticipating, Planning and Responding to Emerging Threats
American business professionals are entering an era of unprecedented operational risk. As political tensions grow between the US and China – the two largest economic markets on the planet – new legislation went into effect on July 1, 2023 that allows China to hold US business people under espionage charges without just cause. Per the US National Counterintelligence and Security Center:
“U.S. companies and individuals in China could also face penalties for traditional business activities that Beijing deems acts of espionage or for actions that Beijing believes assist foreign sanctions against China,” – June 2023
The biggest operational opportunities often carry with them the greatest operational risk. The most common factor in both opportunity and risk is a lack of certainty – the endless unknowns that surround people, places, processes, and politics. In intelligence operations, we are trained to offset our lack of certainty by planning and anticipating high-probability events and outcomes. For business leaders seeking opportunities in new markets with new partners, predicting operational risks is the key to increasing bottom-line revenue and corporate market value while simultaneously protecting against emerging threats.
Insider Threats: Trust But Verify Your Human Resources Against External Infiltration
The biggest threats to your business are not external – they are internal. In May 2023, a 28-year-old IT professional was convicted in the UK for unauthorized computer access with criminal intent to blackmail his employer. Using his privileged access to corporate systems, the employee targeted executives and board members using a ransomware attack directed against their private information. Because of the employee’s inside knowledge about company executives, corporate software systems, and company security protocols, his attack was far more effective than that of an external cyber criminal.
Traditional business practices teach that vetted, internal employees are the lifeblood of successful business operations. While I am not one to argue with proven business wisdom, history has also shown us that threats adapt, evolve, and target us where we are most vulnerable. The same employees you trust to run your business are the ones most capable of doing your company harm. Modern-day HR practices can no longer end at hiring; they must evolve to include ongoing training and assessment protocols to safeguard against the inside threats posed by malicious and dishonest employees.
Political Risks: Weighing Operational Advantages Against Political Uncertainties
Uganda, a small country in central Africa, has been making headlines as one of the fastest growing economies in the world. As of May 2023, the Ugandan GDP had grown 6% – .5% above Chinese GDP and nearly double U.S. GDP. Though the economic opportunities in Uganda have international investors and corporate executives excited, the country also carries unique risks that often go overlooked… until it is too late. Violent demonstrations, armed militant groups, human and drug trafficking, sexual assault and kidnapping are common in Uganda, closely tied to political leadership, and known to target foreign business people.
Whether your business is large or small, geopolitics play an important and often complex role in your business operations. When considering supply chains, raw materials, logistics, joint ventures, or even marketing and sales, your bottom line is impacted by the politics of foreign countries. Political change, conflict, and corruption in foreign countries can not only impact your revenue, but also your company’s personnel, reputation and share price. It is imperative that visionary business leaders understand and properly analyze political risks in order to capitalize on unique opportunities and protect against preventable disasters.
Targeting Risks: Who is Targeted, How They Find You, and How to Avoid Compromise
The U.S. National Counterintelligence and Security Center has been engaging business and government leaders in an unprecedented public awareness campaign since 2021. Never before in history have foreign adversaries – state and non-state actors alike – been more aggressively targeting and collecting against U.S. persons. In today’s dynamic and interconnected world, the most valuable secrets are no longer classified government documents but rather financial and corporate proprietary information.
“Personal data, trade secrets, intellectual property, technology, and research and development are all being targeted by adversaries who have the capabilities, patience, and resources to get them. To achieve their objectives, foreign adversaries are employing a range of illegal techniques, including insider threats, cyber penetrations, supply chain attacks, and blended operations that combine some or all these methods.”
– Michael J. Orlando, Deputy Director NCSC
You already know that your business is a target for cyber-threats, foreign intelligence collection, common criminals and even corporate competitors. What you don’t know are the methods, tools, and tactics those threats use to compromise your security and steal your secrets. The types of security compromises that can negatively impact your top-line revenue and closing-bell stock price are preventable. The key is understanding your targeting risks and taking active measures to counter those threats with awareness and training.
Proprietary Risks: Keeping Your Secrets Away from Nation States, Terrorists or Criminals
In 2019, ASML Holding N.V. – the world’s largest supplier for semiconductors – discovered that they had been victims of critical IP theft going back as far as 2014. ASML was able to prove that a Chinese firm had successfully used a US software company as a cut-out to steal IP from ASML on behalf of the Chinese government. The IP theft cost ASML more than $100 million in IP they had taken 10 years to develop. While the courts sided in favor of ASML, they never recovered the $223 million they were awarded and the engineer responsible for the theft had fled the U.S. and relocated to China, where he resides today.
Business and government leaders all agree that secrets are valuable. And like any other valuable, secrets can be stolen. The risks to your IP are not only a matter of your own security practices, but the security protocols of your strategic partners, service providers, information infrastructure, and much more. Spies, criminals, and competitors want to steal your IP to sell, trade, and shut you down. Keeping your secrets safe is the easiest way to protect your profits, grow your market share, and safeguard your share price.
Social Risks: Balancing Actions, Choices, and Behaviors Ahead of Anticipated Impact
In a single flawed marketing decision in May 2023, America’s wealthiest beer company – Anheuser-Busch – lost 20% of its stock value and 24% of its sales revenue. Worst of all, the lost market share allowed its competitor to become the new largest beer brand in America. After suffering product boycotts, viral social media complaints, and reputational loss from distributors and vendors alike, market analysts were uncertain if Anheuser-Busch would ever be able to regain the customers and shareholder confidence it held for decades before their 2023 marketing blunder.
The wellbeing of any operation is closely tied to social perceptions. For companies fighting for market share and investor attention, social risks can become especially damaging if they are not identified and anticipated in advance. Individual actions, choices, and behaviors are the starting point for every social risk, from corporate controversies (like the arrest of an executive) to public tragedies (like a mass shooting on your property). Using proper social risk strategies that can balance potential benefits against losses is critical to reducing social risks and even turning them into business opportunities.
Conclusion: Risk Realities in the Field
The CIA trains its officers to accept that risk is inherent in every operation. Therefore the goal is not to manage or mitigate individual risk areas, but rather to understand how risks are related and implement strategies that minimize compounding risk and maximize overall security. This approach to addressing risk not only increases confidence and positive mission outcomes, but creates a scalable system for audit, oversight, and analysis that brings additional value on its own.
Traditional models of corporate risk assessment that treat risks as though they are independent vulnerabilities are incomplete. They ignore the fact that people, places, processes, and politics are interconnected – now, more than ever before. Even worse, outdated risk management models give corporate leaders a false sense of security and become a new vulnerability on their own…
That is, until they are identified, assessed and anticipated using the Risk Prism.
The Risk Prism has saved lives, prevented disasters, and kept our country safe for decades. I count myself humbled and privileged to have a front-row seat to watch the same framework boost US company profits, protect your corporate share prices, and safeguard another generation of American economic dominance!