Light Dark
October 24, 2019 By Derek Brink 3 min read
Threat Intelligence

You’re trying to make the business case for your organization’s threat intelligence initiative, but members of the senior leadership team remain puzzled about the value of their investments in cybersecurity.

Should we really be surprised? Consider the cold, hard facts:

  • Companies worldwide are investing tens of billions of dollars per year on security, with a forecast increase of more than 9 percent per year, according to IDC.

  • Security solution providers number in the thousands, which underscores the importance of the problem — but also highlights the complexity of managing a large portfolio of solutions.

  • Attackers are consistently outperforming defenders, with attacker dwell times — i.e., the time it takes defenders to detect a successful compromise by the attackers — improving to a global median of 78 days (10 to 11 weeks) in 2018, but with 25 percent of compromises still going undetected for one to four years, according to FireEye.

  • Data breaches continue unabated, with public disclosures of more than 3,200 in 2017–2018. And while 75 percent of these breaches involved less than 10,000 records, the run rate for mega breaches of 1 million records or more was more than two per week.

To put this in perspective, when you consider both the likelihood and the total business impact of a data breach, a straightforward Monte Carlo analysis conducted by Aberdeen in June 2019 found that the median annualized total cost of a data breach under the status quo is about $500,000 — with a 10 percent likelihood of exceeding $1.8 billion (this particular quantification is about the compromise of confidentiality, and doesn’t address the impact of a compromise to the availability or integrity of the organization’s information assets).

Said another way: In spite of their ever-growing investments in a dazzling array of security solutions, the risk of a data breach remains unacceptably high. This is the starting point for making a business case for investing in your organization’s threat intelligence initiative; a clear and quantified explanation, expressed in business terms, of why it matters.

Connecting Activities With Outcomes

The business case should be described from the top down (i.e., starting with outcomes), but execution obviously happens from the bottom up. Now it makes sense to talk about the value chain for threat intelligence, in the context of how it will help to prevent and detect compromises and reduce the risk to an acceptable level.

The data that’s relevant to your organization needs to be collected from multiple sources and integrated. To be useful, the data you’ve integrated must be processed — ideally, in an automated manner — to be put into the specific context of your organization’s business environment. Contextualized information must then be analyzed to uncover insights about what’s happening and develop recommended actions. Most importantly, these insights and actions need to be effectively shared with the people and teams throughout your organization who will use it to inform their decisions.

Making the Case for Threat Intelligence

The next step is to explain how a successful threat intelligence initiative can generate insights and actions to help inform the decisions of multiple people and teams throughout your organization, including:

  • Level 1 analysts — for example, to support the real-time monitoring, detection, initial investigation and escalation that takes place in the security operations center (SOC).

  • Level 2/3 analysts — for example, to support the in-depth prioritization, investigation, containment and remediation of an incident response team and the proactive efforts of experts on threat hunting and counter-fraud teams.

  • Operational leaders — for example, to help the leaders of security operations and IT operations guide and prioritize the day-to-day actions and activities of their respective technical staff.

  • Strategic leaders — for example, to help chief information security officers (CISOs) and other senior leaders allocate resources and make better-informed business decisions about managing cybersecurity-related risks to an acceptable level.

Making the connections between technical activities, critical capabilities and, ultimately, the resulting value to the organization is a perfect application for the well-known balanced scorecard framework, which, since 1992, has helped organizations of all types describe, communicate and execute their strategies more effectively. The graphical depiction of these connections is referred to as a strategy map.

Build Your Threat Intelligence Strategy Map Today

With this in mind, check out the white paper that provides you with a base to create your own strategy map for threat intelligence and understand how investments in your organization’s threat intelligence initiative translate to business value. With a little practice, you’ll find that it supports a wide range of discussions with the senior leadership team, from higher-level strategy to deeper technical dives.

Learn more about threat intelligence in practice during the webinar on November 7th.

Reigster for the webinar

 |  |  |  |  |  |  | 
Derek Brink
VP & Research Fellow, IT Security and IT GRC, Aberdeen Group

More from Threat Intelligence
November 12, 2024

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

October 16, 2024

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

September 26, 2024

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature