You’re trying to make the business case for your organization’s threat intelligence initiative, but members of the senior leadership team remain puzzled about the value of their investments in cybersecurity.

Should we really be surprised? Consider the cold, hard facts:

  • Companies worldwide are investing tens of billions of dollars per year on security, with a forecast increase of more than 9 percent per year, according to IDC.

  • Security solution providers number in the thousands, which underscores the importance of the problem — but also highlights the complexity of managing a large portfolio of solutions.

  • Attackers are consistently outperforming defenders, with attacker dwell times — i.e., the time it takes defenders to detect a successful compromise by the attackers — improving to a global median of 78 days (10 to 11 weeks) in 2018, but with 25 percent of compromises still going undetected for one to four years, according to FireEye.

  • Data breaches continue unabated, with public disclosures of more than 3,200 in 2017–2018. And while 75 percent of these breaches involved less than 10,000 records, the run rate for mega breaches of 1 million records or more was more than two per week.

To put this in perspective, when you consider both the likelihood and the total business impact of a data breach, a straightforward Monte Carlo analysis conducted by Aberdeen in June 2019 found that the median annualized total cost of a data breach under the status quo is about $500,000 — with a 10 percent likelihood of exceeding $1.8 billion (this particular quantification is about the compromise of confidentiality, and doesn’t address the impact of a compromise to the availability or integrity of the organization’s information assets).

Said another way: In spite of their ever-growing investments in a dazzling array of security solutions, the risk of a data breach remains unacceptably high. This is the starting point for making a business case for investing in your organization’s threat intelligence initiative; a clear and quantified explanation, expressed in business terms, of why it matters.

Connecting Activities With Outcomes

The business case should be described from the top down (i.e., starting with outcomes), but execution obviously happens from the bottom up. Now it makes sense to talk about the value chain for threat intelligence, in the context of how it will help to prevent and detect compromises and reduce the risk to an acceptable level.

The data that’s relevant to your organization needs to be collected from multiple sources and integrated. To be useful, the data you’ve integrated must be processed — ideally, in an automated manner — to be put into the specific context of your organization’s business environment. Contextualized information must then be analyzed to uncover insights about what’s happening and develop recommended actions. Most importantly, these insights and actions need to be effectively shared with the people and teams throughout your organization who will use it to inform their decisions.

Making the Case for Threat Intelligence

The next step is to explain how a successful threat intelligence initiative can generate insights and actions to help inform the decisions of multiple people and teams throughout your organization, including:

  • Level 1 analysts — for example, to support the real-time monitoring, detection, initial investigation and escalation that takes place in the security operations center (SOC).

  • Level 2/3 analysts — for example, to support the in-depth prioritization, investigation, containment and remediation of an incident response team and the proactive efforts of experts on threat hunting and counter-fraud teams.

  • Operational leaders — for example, to help the leaders of security operations and IT operations guide and prioritize the day-to-day actions and activities of their respective technical staff.

  • Strategic leaders — for example, to help chief information security officers (CISOs) and other senior leaders allocate resources and make better-informed business decisions about managing cybersecurity-related risks to an acceptable level.

Making the connections between technical activities, critical capabilities and, ultimately, the resulting value to the organization is a perfect application for the well-known balanced scorecard framework, which, since 1992, has helped organizations of all types describe, communicate and execute their strategies more effectively. The graphical depiction of these connections is referred to as a strategy map.

Build Your Threat Intelligence Strategy Map Today

With this in mind, check out the white paper that provides you with a base to create your own strategy map for threat intelligence and understand how investments in your organization’s threat intelligence initiative translate to business value. With a little practice, you’ll find that it supports a wide range of discussions with the senior leadership team, from higher-level strategy to deeper technical dives.

Learn more about threat intelligence in practice during the webinar on November 7th.

Reigster for the webinar

More from Threat Intelligence

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

While cloud computing and its many forms (private, public, hybrid cloud or multi-cloud environments) have become ubiquitous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits are based on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations. Shedding light on…

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security research draws another link between the Raspberry Robin infections and the Russia-based cybercriminal group 'Evil Corp,' which is the same…

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti group), who are not known to have had a previous connection with Ramnit. This year has so far proven tumultuous…