October 24, 2019 By Derek Brink 3 min read

You’re trying to make the business case for your organization’s threat intelligence initiative, but members of the senior leadership team remain puzzled about the value of their investments in cybersecurity.

Should we really be surprised? Consider the cold, hard facts:

  • Companies worldwide are investing tens of billions of dollars per year on security, with a forecast increase of more than 9 percent per year, according to IDC.

  • Security solution providers number in the thousands, which underscores the importance of the problem — but also highlights the complexity of managing a large portfolio of solutions.

  • Attackers are consistently outperforming defenders, with attacker dwell times — i.e., the time it takes defenders to detect a successful compromise by the attackers — improving to a global median of 78 days (10 to 11 weeks) in 2018, but with 25 percent of compromises still going undetected for one to four years, according to FireEye.

  • Data breaches continue unabated, with public disclosures of more than 3,200 in 2017–2018. And while 75 percent of these breaches involved less than 10,000 records, the run rate for mega breaches of 1 million records or more was more than two per week.

To put this in perspective, when you consider both the likelihood and the total business impact of a data breach, a straightforward Monte Carlo analysis conducted by Aberdeen in June 2019 found that the median annualized total cost of a data breach under the status quo is about $500,000 — with a 10 percent likelihood of exceeding $1.8 billion (this particular quantification is about the compromise of confidentiality, and doesn’t address the impact of a compromise to the availability or integrity of the organization’s information assets).

Said another way: In spite of their ever-growing investments in a dazzling array of security solutions, the risk of a data breach remains unacceptably high. This is the starting point for making a business case for investing in your organization’s threat intelligence initiative; a clear and quantified explanation, expressed in business terms, of why it matters.

Connecting Activities With Outcomes

The business case should be described from the top down (i.e., starting with outcomes), but execution obviously happens from the bottom up. Now it makes sense to talk about the value chain for threat intelligence, in the context of how it will help to prevent and detect compromises and reduce the risk to an acceptable level.

The data that’s relevant to your organization needs to be collected from multiple sources and integrated. To be useful, the data you’ve integrated must be processed — ideally, in an automated manner — to be put into the specific context of your organization’s business environment. Contextualized information must then be analyzed to uncover insights about what’s happening and develop recommended actions. Most importantly, these insights and actions need to be effectively shared with the people and teams throughout your organization who will use it to inform their decisions.

Making the Case for Threat Intelligence

The next step is to explain how a successful threat intelligence initiative can generate insights and actions to help inform the decisions of multiple people and teams throughout your organization, including:

  • Level 1 analysts — for example, to support the real-time monitoring, detection, initial investigation and escalation that takes place in the security operations center (SOC).

  • Level 2/3 analysts — for example, to support the in-depth prioritization, investigation, containment and remediation of an incident response team and the proactive efforts of experts on threat hunting and counter-fraud teams.

  • Operational leaders — for example, to help the leaders of security operations and IT operations guide and prioritize the day-to-day actions and activities of their respective technical staff.

  • Strategic leaders — for example, to help chief information security officers (CISOs) and other senior leaders allocate resources and make better-informed business decisions about managing cybersecurity-related risks to an acceptable level.

Making the connections between technical activities, critical capabilities and, ultimately, the resulting value to the organization is a perfect application for the well-known balanced scorecard framework, which, since 1992, has helped organizations of all types describe, communicate and execute their strategies more effectively. The graphical depiction of these connections is referred to as a strategy map.

Build Your Threat Intelligence Strategy Map Today

With this in mind, check out the white paper that provides you with a base to create your own strategy map for threat intelligence and understand how investments in your organization’s threat intelligence initiative translate to business value. With a little practice, you’ll find that it supports a wide range of discussions with the senior leadership team, from higher-level strategy to deeper technical dives.

Learn more about threat intelligence in practice during the webinar on November 7th.

Reigster for the webinar

More from Threat Intelligence

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Threat intelligence to protect vulnerable communities

2 min read - Key members of civil society—including journalists, political activists and human rights advocates—have long been in the cyber crosshairs of well-resourced nation-state threat actors but have scarce resources to protect themselves from cyber threats. On May 14, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a High-Risk Communities Protection (HRCP) report developed through the Joint Cyber Defense Collaborative that addresses the threat to these vulnerable groups, with findings contributed by the X-Force Threat Intelligence team.Cyber criminals seek stolen credentialsThe HRCP…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today