Cybersecurity, Artificial Intelligence

A top security intelligence analyst at one of the UK’s largest banks recently shared how their team is reshaping its intelligence program. What follows is their perspective on the transition from a cyber-only approach to a truly blended intelligence function that brings together geopolitical, cyber, and physical risks.

The Convergence of Geopolitical, Cyber, and Physical Risk

In today’s interconnected world, the line between geopolitical risk, cyber threats, and physical security has all but disappeared. A regional conflict can lead to nation-state cyberattacks on financial institutions, travel risks for employees, sanctions impacting investments, and fraud campaigns exploiting global uncertainty.

For a bank with operations spanning continents and billions of transactions at stake, treating these domains separately is no longer an option. To stay ahead, this large UK bank has built a blended intelligence team that unites geopolitical, cyber, and physical intelligence into a single mission—powered by Dataminr for Cyber Defense.

From Cyber-Only to Blended Intelligence

Their intelligence function began with a purely cyber focus. However, as the geopolitical climate shifted and threats became more complex, the team realized that cyber intelligence alone couldn’t give the business the answers it needed.

Elections, armed conflicts, disinformation campaigns, and sanctions all created ripple effects across the bank’s operations. Executive impersonation scams on social media weren’t just a cyber risk—they raised fraud concerns, reputational issues, and even physical safety considerations.

The solution was to evolve. Over the last two years, the bank has expanded into a blended team, combining specialists in geopolitics, physical security, and cyber intelligence. As one analyst put it: “We used to be just cyber. Now we’re looking at how physical and geopolitical events create cyber risks—and vice versa.”

How the Bank Operationalizes Geopolitical Intelligence

Daily Workflows and Triage

Each morning begins with triage. Analysts review incoming alerts, events, and reports—but what used to take hours can now be done in minutes. Dashboards are tuned to specific Priority Intelligence Requirements (PIRs), letting analysts pivot between cyber indicators, geopolitical developments, and physical threats.

For example, the bank tracks specific nation-state actors across multiple domains. A dashboard pulls together cyber threat activity from actors like “Famous Chollima” and “Scattered Spider,” as well as physical security data on restricted travel. They also use automated workflows to track cases related to executive impersonation campaigns. Through integrations, takedowns of fraudulent social media accounts are now automated and auditable.

Priority Intelligence Requirements (PIRs)

The bank’s PIRs once focused only on malware families and actor groups. Now, they include geopolitical flashpoints such as Russia/Ukraine, China/Taiwan, and global election interference.

Until recently, PIR reviews were quarterly and tracked in spreadsheets. This year, the bank moved the entire process into a centralized, auditable workflow, transforming it into a monthly process aligned with real-world conditions. Analysts now update their PIRs directly in-platform, mapping each case to the evolving threat landscape. For every PIR, they explain the current threat level and whether it should remain active.

This shift means PIRs are continuously aligned with real-time developments rather than waiting for quarterly reviews. It also provides a traceable record of why each PIR matters—and ensures nothing falls through the cracks.

For each PIR, analysts ask:

  • Do we still need this PIR?
  • Has the threat level changed?
  • What credible scenarios should we model?

These auditable workflows improve accuracy and build trust with stakeholders across the bank.

Intelligence in Action: The Technical Side

A centralized intelligence platform serves as the backbone for this bank’s blended intelligence program. Analysts use:

  • Country profiles and dashboards that centralize reports, indicators, and tags
  • Nation-state dashboards mapping activity from known adversaries
  • Automated workflows for key use cases, such as:
    • ATM security: If an attack occurs near one ATM, nearby ATMs are automatically risk-rated higher
    • Executive impersonation: Fraudulent social media accounts are flagged and removed through API integrations with takedown providers

This centralization and automation turn intelligence into action.

For example, the team uses a centralized system to identify high-fidelity intelligence from multiple sources, automatically enrich it, and push it to perimeter controls to support proactive mitigation. Without this, the organization would face increased manual workload and a higher risk of exposure to emerging threats.
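The ATM workflow listed above (an attack near one ATM raises the rating of nearby ATMs) can be sketched as follows. This is an added example, not the bank's or Dataminr's code; the four-level rating scale, the 2 km radius, the one-level step, and all names and coordinates are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "critical"]  # assumed rating scale
RADIUS_KM = 2.0                                 # assumed proximity radius
EARTH_RADIUS_KM = 6371.0

@dataclass
class Atm:
    atm_id: str
    lat: float
    lon: float
    risk: str = "low"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def escalate_nearby(atms, incident_atm_id, radius_km=RADIUS_KM):
    """Raise the rating of ATMs near the attacked one by one level.

    Returns an audit record for every rating that changed, so each
    escalation can be traced back to the incident that caused it.
    """
    by_id = {a.atm_id: a for a in atms}
    if incident_atm_id not in by_id:
        raise ValueError(f"unknown ATM: {incident_atm_id}")
    origin = by_id[incident_atm_id]
    audit = []
    for atm in atms:
        if atm is origin:
            continue  # the attacked ATM is handled by the incident itself
        dist = haversine_km(origin.lat, origin.lon, atm.lat, atm.lon)
        if dist > radius_km:
            continue
        new = LEVELS[min(LEVELS.index(atm.risk) + 1, len(LEVELS) - 1)]
        if new != atm.risk:  # already at the top level: nothing to record
            audit.append({"atm_id": atm.atm_id, "from": atm.risk, "to": new,
                          "distance_km": round(dist, 2), "cause": incident_atm_id})
            atm.risk = new
    return audit

def sample_atms():
    """Constructed sample fleet (illustrative coordinates, not real ATMs)."""
    return [Atm("ATM-001", 51.5074, -0.1278),
            Atm("ATM-002", 51.5100, -0.1300),
            Atm("ATM-003", 51.5600, -0.0500),
            Atm("ATM-004", 51.5080, -0.1250, "critical")]
```

Calling `escalate_nearby(sample_atms(), "ATM-001")` returns a single audit record for ATM-002, the only nearby ATM whose rating can still rise.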

The Business Impact

For this bank, intelligence isn’t just about feeds and alerts—it’s about supporting business decisions. The team produces:

  • Monthly briefings for 200–300 stakeholders across the bank
  • Quarterly forecasts mapping out flashpoints and credible scenarios
  • Threat forecasts for the next year and beyond across cyber, geopolitical, fraud, and physical domains

“Tippers” (short threat advisories) can trigger the creation of cross-bank response groups, ensuring all stakeholders—from fraud to incident response—act in lockstep. Intelligence is centralized across the response lifecycle, allowing the bank to track everything from incident creation to associated threat context.

The impact of these deliverables is measured in two ways: through qualitative feedback and quantitative metrics. Stakeholders provide feedback during monthly calls or in surveys, helping validate relevance. At the same time, dashboards track outcomes such as the number of indicators blocked at the perimeter or vulnerabilities escalated for remediation.

Together, this combination demonstrates how intelligence translates into measurable business outcomes.

Looking Ahead: The Future of Blended Intelligence

This bank’s intelligence team is clear: they are only at the beginning of what’s possible. Among their goals:

  • Automated country risk ratings tied to physical assets like ATMs
  • Expanded integrations to further streamline workflows
  • Deeper automation of reporting to scale forecasting and advisories

As one analyst put it: “The exciting part is we’re only at the beginning of what’s possible.”

A Blueprint for Modern Intelligence Programs

This bank’s story is a blueprint for the future of intelligence.

By breaking down silos between cyber, physical, and geopolitical domains—and operationalizing intelligence into real workflows—they’ve built a model that is faster, more aligned with business risk, and better equipped to act on emerging threats.

For organizations facing similar challenges, the lesson is clear: modern threats don’t respect boundaries—and intelligence must operate in real time to keep pace.


September 8, 2025