Need-to-Know Versus Need-to-Share

Photo by Pixabay on

BLUF – At opposite ends of the intelligence spectrum, need-to-know (limited audiences) and need-to-share (expansive audiences) vie for dominance. Here we define these practices, associated concerns, and circumstances where one approach is likely preferable.


Intelligence practitioners have collectively rolled their eyes at the title, and with good reason: this is an age old issue for our area. Call it what you will: framework, spectrum, argument, balance, the dichotomy is the same throughout the ages… deciding on how much intel/ information/ data to share with whom.

Let’s clarify:

Need-to-know offers challenge, recognising what may be at stake. A common limitation set in classified channels, need-to-know (NtK) requires proof of an audience’s legitimacy in learning specific intelligence. Seems controlling – which it is – but theoretically for the right reasons. With potential catastrophic impacts or lives in the balance, we want to know only the right people will have access to findings. Private sector equates business holdings and potentially damaging information in the same way. There is of course a counter-argument. Need-to-know or higher classifications are often imposed for convenience (laziness in determining actual classifications, we go with the highest logical choice) or to secure political advantage (others can’t impose on a fiefdom they can’t have access to information about, leaving assessments to what is/ isn’t being done to chance).

Need-to-share is based on relative trust, recognising we can’t go it alone. Generally used for non-proprietary information/ intelligence, need-to-share (NtS) mindsets are more expansive in dealing with other trusted parties. Knowing the broader ecosystem may be at stake, this offers to keep everyone closer to the same page. In classified channels this is making a report releasable (often requiring further scrutiny and outside judgement), in private sector it comes from info sharing groups and partnerships. The counter-argument is that need-to-share assumes trust in all parties involved, requiring everyone in the loop to respect others’ concerns. Intel shared in these groups often comes with NDAs, best practices offered (rather than training or intelligence), and limited or no attribution to the party’s contribution. Otherwise, liability ensues (at best). This framework takes a long time to build, but like so many bridges takes very little to bring down.

Scaling the two shows the mindsets of the people and the organisations at play.

At an individual or organisational level, NtK is obviously safer, though those organisational islands are either fragile to bad actor threats or they have a great deal of resources tied up in protecting themselves.

On a larger scale – be it a sector or a region – NtS offers greater overall resilience, though the larger NtS communities dilute items shared for self preservation. The fear of weaponised information exploitation is very real, coming from both legal and illegal channels.

Why are we talking about this?

Normally I fall into the NtS camp as evidenced by past posts such as Islands and Continents.

My days in the IC helped me understand the approach’s hassle (although a TS/ NF, TS/ REL, S/ NF, S/ REL* meant I published four reports for the evals), and the relative value. Private sector has shown me even greater need, between the scale and response options.

But there are cases where I don’t want to share, much as it goes against my nature.

In the midst of audit and operational risk challenges, I don’t want to share intel openly. I appreciate they are wanting to help make things better, but improvement comes from understanding the processes with the mission as priority. Until they understand and seek to facilitate, I’m less keen on their having additional information to misinterpret; leading to corrective actions forcing misalignment into organisations charged with protecting the business. I was an auditor, long ago. I know why I wasn’t well received.

Until cyber becomes part of the P&L, we only have limited resources. We must make certain NtS doesn’t hamstring us internally.


(*TS – Top Secret; NF – No Foreign; REL – Releasable; S – Secret)

One thought on “Need-to-Know Versus Need-to-Share

  1. Destiny M.

    I think this is really interesting. As a cyber security newbie, I completely understand why everything is on a need-to-know basis (it’s called “principle of least privilege” for a reason). I also struggle with filtering out what directly impacts me and what doesn’t, so limiting everything to what I really “need to know” does that for me. On the flip side, *not* sharing information unless solicited can lead to silos and multiple teams independently working on the same project. It’s such a balancing act and I’m curious to see how the two methods will evolve over the course of my career.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s