Phase 9 · The Integrator

The role enterprise security is missing

Hani Early · Doctrine Security

A mature intelligence-led security program has nine interdependent disciplines that must be continuously synchronized. Threat intelligence feeds detection engineering. Detection gaps feed log strategy. DFIR findings feed hunting hypotheses. Recovery gaps feed hardening priorities. This program requires someone who understands all nine disciplines well enough to hold it together. Most organizations do not have that person.

There is a gap in most enterprise security programs that no tool fills and no budget line addresses. It sits between the CISO — who is accountable for the program but too far from the operational detail to synthesize across disciplines at this level — and the senior analysts and engineers who are deeply expert in their specific domain but rarely see across all of them simultaneously. The gap is the integrator: the person responsible for making a multi-discipline security program operate as a coherent whole rather than a collection of capable teams working in parallel silos.

This is not a coordination role. It is a synthesis role. The integrator understands what the threat intelligence team is producing and recognizes when it should change detection engineering priorities. They understand the detection coverage map and recognize when a hunting finding reveals a gap that the detection team has not yet addressed. They understand what DFIR found in the last incident and ensure those findings flow into the hunting hypothesis backlog and the log strategy review. They understand the recovery plan and recognize when it was built without input from the security team that understands the adversary's most likely destructive technique. None of these recognitions happen automatically. They require a person with the breadth to see across all disciplines and the authority to act on what they see.

The military parallel — the Executive Officer

In a military unit, the Commanding Officer sets intent and is accountable for mission success. The Executive Officer — one level below, technically competent across all the functions the unit executes — ensures that intent is translated into coordinated action across all disciplines simultaneously. The XO does not replace the intelligence officer, the operations officer, or the logistics officer. They ensure that what each of those officers is doing is synchronized with what the others are doing, and that the commander's intent is being faithfully executed across all of them at once. When the intelligence officer's assessment should change the operations officer's plan, the XO is the one who sees that connection and acts on it.

Enterprise security without this role produces exactly what military units without effective XOs produce: capable individual specialists working hard at their specific function, disconnected from what their peers are doing, with gaps at every seam where disciplines interact. The threat intelligence team produces excellent analysis that the detection engineering team never sees. The DFIR team identifies log gaps that the log strategy team never addresses. The recovery plan is built by IT without input from the threat intelligence team that knows exactly how the primary adversary executes destructive operations. Each team is doing good work. The program is not working — because no one is responsible for making it work as a whole.

Where the integrator sits — and where they don't

The CISO

  • Accountable for program outcomes
  • Board and executive interface
  • Budget and investment decisions
  • Strategic direction
  • Too far from operational detail to synthesize daily

The Integrator

  • Synthesizes across all disciplines
  • Translates technical to leadership language
  • Identifies cross-discipline dependencies
  • Holds program coherence under change
  • Bridges CISO intent and field execution

The Senior Analyst

  • Deep expertise in one discipline
  • Executes within their domain
  • Produces outputs for their function
  • Limited visibility across other disciplines
  • Not positioned to drive cross-team action

What happens without the integrator

Threat intelligence produces a report. Detection engineering never sees it because there is no structured process for threat intelligence outputs to become detection engineering inputs. The report sits in a shared folder. Three months later, the adversary executes a technique that the threat intelligence report identified as the most likely course of action — and the detection that should have been built from that report does not exist.

The DFIR team closes an incident. They document three detection gaps and two log coverage failures that allowed the adversary to operate undetected for three weeks. Those findings go into the incident report. The incident report is reviewed by the CISO. No one owns translating those findings into specific requirements for the detection engineering team and the log strategy review. Six months later, the same gaps are still there.

The recovery plan is tested in a tabletop exercise. The exercise reveals that the backup architecture was not designed to withstand the ransomware scenario that the threat intelligence assessment identifies as most likely. No one with authority over both the threat intelligence program and the IT infrastructure function is in the room to connect those two facts and drive a change. The gap persists.

The gap at every seam: Multi-discipline security programs fail at the interfaces between disciplines — not within them. Individual teams perform well. The connections between them are where intelligence is lost, where findings go unaddressed, where the program's left hand does not know what its right hand found. The integrator is responsible for those interfaces.

The rarest combination in enterprise security

The integrator role is rare because it requires a career path that most organizations do not deliberately build. Technical depth across multiple security disciplines — not mastery of each, but enough competence in all of them to assess quality, recognize cross-discipline implications, and make defensible recommendations. Strategic thinking about how those disciplines interconnect and how changes in one should propagate through the others. And the communication ability to translate between the language of security operations and the language of executive risk — so that a CISO asking "how exposed are we?" gets a specific, defensible answer grounded in operational reality, not a score from a dashboard.

This combination is what determines whether a security program performs at the sum of its parts — or significantly below it. A program with excellent individual teams and no integrator produces less security than its budget and talent should deliver. A program with an effective integrator produces more — because every team's output is reaching the teams that need it, and the feedback loops that make the program continuously improve are actually functioning.

The question that reveals the gap: Ask your CISO: if your primary adversary executed their most likely course of action against your organization today, at what phase of their operation would you first detect them, and what would you see? If the answer is confident and specific — grounded in a current threat intelligence assessment, mapped to current detection coverage, validated by a recent purple team exercise — you have an integrator. If the answer is a dashboard score or a compliance certification, you have a gap.

That question is the integrator's core responsibility. To ensure it can always be answered. Specifically. With evidence.
