Proportionality is critical in cyber surveillance by intelligence services, says former MI5 head Eliza Manningham-Buller.
“The more intrusive the tool, the higher the level of authorisation,” she told attendees of Trend Micro’s 25th anniversary customer conference in London.
Adversaries have these tools, but applying that principle for intelligence services, she said, means that highly intrusive tools are approved only by the secretary of state with judicial supervision.
Manningham-Buller was responding to questions after a presentation about what she learned about managing responses to threats and risk while head of MI5 from 2002 to 2007.
First, she said, anyone in charge of responding to risks and threats needs to understand that choices need to be made because with finite resources no-one can do everything.
Second, accumulating information about threats is pointless unless that information is turned into action that can result in better protection.
When faced with a new kind of threat or scale of threat, Manningham-Buller said it may be necessary to do things in a different way and agree that there will be no “sacred cows”.
Another successful strategy for MI5, she said, was to build partnerships with industry and other government departments to tap into all the tools and skills needed to get the job done.
“It is important not to say: this is exclusively our job,” she said.
This approach resulted in a cross-departmental threat assessment team that Manningham-Buller said was copied by the US, France, Australia and others.
“Through partnership we achieve a much richer intelligence capability,” she said.
Manningham-Buller said she learned at MI5 that it is important for security leaders to communicate that they value what their staff members are doing, but that they will take responsibility if things go wrong.
“I let my staff know that there would be no blame culture; that they would be able to discuss concerns, and that the aim was to work together to deliver better security,” she said.
Manningham-Buller said it was important not to forget the “soft” things when dealing with threats on a daily basis. “When people work hard, they need encouragement and thanks,” she said.
Overall, she said it is important to maintain clarity and simplicity, and to help people to deal with uncertainty.
Information security professionals, she said, are working to protect valuable data and to allow organisations to work securely.
“This is a motivating thing to do. But leaders can damage people’s natural motivation by not valuing, praising, and thanking,” she said.