Light Dark
October 24, 2019 By Derek Brink 3 min read
Threat Intelligence

You’re trying to make the business case for your organization’s threat intelligence initiative, but members of the senior leadership team remain puzzled about the value of their investments in cybersecurity.

Should we really be surprised? Consider the cold, hard facts:

  • Companies worldwide are investing tens of billions of dollars per year on security, with a forecast increase of more than 9 percent per year, according to IDC.

  • Security solution providers number in the thousands, which underscores the importance of the problem — but also highlights the complexity of managing a large portfolio of solutions.

  • Attackers are consistently outperforming defenders, with attacker dwell times — i.e., the time it takes defenders to detect a successful compromise by the attackers — improving to a global median of 78 days (10 to 11 weeks) in 2018, but with 25 percent of compromises still going undetected for one to four years, according to FireEye.

  • Data breaches continue unabated, with public disclosures of more than 3,200 in 2017–2018. And while 75 percent of these breaches involved less than 10,000 records, the run rate for mega breaches of 1 million records or more was more than two per week.

To put this in perspective, when you consider both the likelihood and the total business impact of a data breach, a straightforward Monte Carlo analysis conducted by Aberdeen in June 2019 found that the median annualized total cost of a data breach under the status quo is about $500,000 — with a 10 percent likelihood of exceeding $1.8 billion (this particular quantification is about the compromise of confidentiality, and doesn’t address the impact of a compromise to the availability or integrity of the organization’s information assets).

Said another way: In spite of their ever-growing investments in a dazzling array of security solutions, the risk of a data breach remains unacceptably high. This is the starting point for making a business case for investing in your organization’s threat intelligence initiative; a clear and quantified explanation, expressed in business terms, of why it matters.

Connecting Activities With Outcomes

The business case should be described from the top down (i.e., starting with outcomes), but execution obviously happens from the bottom up. Now it makes sense to talk about the value chain for threat intelligence, in the context of how it will help to prevent and detect compromises and reduce the risk to an acceptable level.

The data that’s relevant to your organization needs to be collected from multiple sources and integrated. To be useful, the data you’ve integrated must be processed — ideally, in an automated manner — to be put into the specific context of your organization’s business environment. Contextualized information must then be analyzed to uncover insights about what’s happening and develop recommended actions. Most importantly, these insights and actions need to be effectively shared with the people and teams throughout your organization who will use it to inform their decisions.

Making the Case for Threat Intelligence

The next step is to explain how a successful threat intelligence initiative can generate insights and actions to help inform the decisions of multiple people and teams throughout your organization, including:

  • Level 1 analysts — for example, to support the real-time monitoring, detection, initial investigation and escalation that takes place in the security operations center (SOC).

  • Level 2/3 analysts — for example, to support the in-depth prioritization, investigation, containment and remediation of an incident response team and the proactive efforts of experts on threat hunting and counter-fraud teams.

  • Operational leaders — for example, to help the leaders of security operations and IT operations guide and prioritize the day-to-day actions and activities of their respective technical staff.

  • Strategic leaders — for example, to help chief information security officers (CISOs) and other senior leaders allocate resources and make better-informed business decisions about managing cybersecurity-related risks to an acceptable level.

Making the connections between technical activities, critical capabilities and, ultimately, the resulting value to the organization is a perfect application for the well-known balanced scorecard framework, which, since 1992, has helped organizations of all types describe, communicate and execute their strategies more effectively. The graphical depiction of these connections is referred to as a strategy map.

Build Your Threat Intelligence Strategy Map Today

With this in mind, check out the white paper that provides you with a base to create your own strategy map for threat intelligence and understand how investments in your organization’s threat intelligence initiative translate to business value. With a little practice, you’ll find that it supports a wide range of discussions with the senior leadership team, from higher-level strategy to deeper technical dives.

Learn more about threat intelligence in practice during the webinar on November 7th.

Reigster for the webinar

 |  |  |  |  |  |  | 
Derek Brink
VP & Research Fellow, IT Security and IT GRC, Aberdeen Group

More from Threat Intelligence
April 9, 2024

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

March 11, 2024

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

February 29, 2024

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature