Written by Miles Tappin, VP of EMEA at ThreatConnect
Companies often suffer from a disconnect between their cyber security team and other departments across the organisation. But with cyber security becoming an increasingly vital part of board-level discussions, modern threat intelligence must speak the language of business.
Businesses of all sizes are beginning to realise the benefits of having a cyber threat intelligence (CTI) program. Eighty-five per cent of respondents to the 2021 SANS Cyber Threat Intelligence Survey said they had produced or procured CTI — a 7 per cent increase compared to the previous year. However, despite this increase in adoption, CTI programs must continue to evolve to add value.
A modern and effective CTI program goes beyond a dedicated team documenting intelligence requirements and analysing information about cyber adversaries’ capabilities and intent. It bridges the gap between the security team and the business leadership.
Connecting cyber security with the board
According to the SANS survey, more organisations are beginning to measure the effectiveness of their CTI programs. While that’s a positive sign, there remain significant questions about whether they are measuring the right things.
The vast majority of respondents to the SANS survey claimed to be measuring the effectiveness of their CTI program based on the number of threats and attacks detected (78%), the ability to block threats (70%), and the ability to conduct incident response (66%). However, the difference between a good CTI program and a great CTI program is how it communicates risk. Putting monetary values on threats and their potential consequences makes them compelling to any responsible board. For this reason, we can expect to see more and more companies turn towards cyber risk quantification (CRQ).
A great CTI program informs an organisation’s CRQ by adding context and enriching the understanding of cyber threats and vulnerabilities. It aligns the entire business to the most critical threats based on primary and secondary loss magnitude. Threat data can also feed a company’s security orchestration, automation and response (SOAR) platform.
By integrating intelligence with risk, businesses put themselves in a better position to plug vulnerabilities proactively and earmark threats before a cyber attack happens. Deloitte describes CRQ as something akin to a ship’s collision avoidance system: “Just like maritime operations, CRQ can help serve as a collision avoidance tactic in your organisation. A mature CRQ approach can provide a structured way for organisations to collect and report cyber risk in dollar terms in a way that both technical and non-technical stakeholders can understand. Without such efforts, organisations may find it increasingly more difficult to navigate the rough seas of cyber risk on the horizon.”
Roadmap to a modern cyber threat intelligence program
With that in mind, a modern CTI program should provide executives with a prioritised view of three key areas – financial risk, tactical threat and actions to take. It’s the brain of the operation, fusing risk, threat and response to create a complete decision and operational support system for cyber security. By combining cyber risk quantification, threat intelligence, and security orchestration and automation, the cyber security team can provide a single source of truth from the SOC to the C-Suite.
CRQ gives strategic leaders the ability to identify, measure and manage the financial or operational impact of cyber threats, and solve the issue of prioritisation once and for all. With this North Star understanding of where to focus, the entire organisation is on the same page regarding people, process and technology.
Taking it a step further, a Threat Intelligence Platform (TIP) will support this analysis and deliver deeper insight and context to help identify, analyse and take action against the threats that matter most to a business. Integrated SOAR capabilities with streamlined workflows and automated playbooks ensure security teams can make better, more informed decisions that enable faster SOC mitigations and incident response.
CTI – the business’s command center
Today’s modern CTI program should be the command center for cyber operations, maximising existing technologies and connecting the dots between business impact and cyber security. By integrating the strategic, analytical and operational functions of cyber security, a modern CTI program reduces complexity, improves efficiency and aligns security to the business’s objectives.
Threat Intelligence has played a crucial role for years and always will, but it’s time for it to evolve. A modern CTI program should speak the language of business, not solely of adversary tactics, techniques, and procedures. The best CTI will turn intelligence into actions that align with business objectives and protect operations, revenue, and reputation. Not only that, but cyber security must also move to a point where it creates value for the wider business – by saving money, protecting data and company reputation, and ensuring the correct tasks are prioritised. As Deloitte argues, “Today’s leading organisations are those that have learned how to protect their value through risk management. Tomorrow’s leaders will be those that recognise the opportunity for risk also to create value.”