A Threat Intelligence Strategy Map: Connecting Technical Activities to Business Value

You’re trying to make the business case for your organization’s threat intelligence initiative, but members of the senior leadership team remain puzzled about the value of their investments in cybersecurity.

Should we really be surprised? Consider the cold, hard facts:

  • Companies worldwide are investing tens of billions of dollars per year on security, with a forecast increase of more than 9 percent per year, according to IDC.

  • Security solution providers number in the thousands, which underscores the importance of the problem — but also highlights the complexity of managing a large portfolio of solutions.

  • Attackers are consistently outperforming defenders, with attacker dwell times — i.e., the time it takes defenders to detect a successful compromise by the attackers — improving to a global median of 78 days (10 to 11 weeks) in 2018, but with 25 percent of compromises still going undetected for one to four years, according to FireEye.

  • Data breaches continue unabated, with public disclosures of more than 3,200 in 2017–2018. And while 75 percent of these breaches involved less than 10,000 records, the run rate for mega breaches of 1 million records or more was more than two per week.

To put this in perspective, when you consider both the likelihood and the total business impact of a data breach, a straightforward Monte Carlo analysis conducted by Aberdeen in June 2019 found that the median annualized total cost of a data breach under the status quo is about $500,000 — with a 10 percent likelihood of exceeding $1.8 billion (this particular quantification is about the compromise of confidentiality, and doesn’t address the impact of a compromise to the availability or integrity of the organization’s information assets).

Said another way: In spite of their ever-growing investments in a dazzling array of security solutions, the risk of a data breach remains unacceptably high. This is the starting point for making a business case for investing in your organization’s threat intelligence initiative; a clear and quantified explanation, expressed in business terms, of why it matters.

Connecting Activities With Outcomes

The business case should be described from the top down (i.e., starting with outcomes), but execution obviously happens from the bottom up. Now it makes sense to talk about the value chain for threat intelligence, in the context of how it will help to prevent and detect compromises and reduce the risk to an acceptable level.

The data that’s relevant to your organization needs to be collected from multiple sources and integrated. To be useful, the data you’ve integrated must be processed — ideally, in an automated manner — to be put into the specific context of your organization’s business environment. Contextualized information must then be analyzed to uncover insights about what’s happening and develop recommended actions. Most importantly, these insights and actions need to be effectively shared with the people and teams throughout your organization who will use it to inform their decisions.

Making the Case for Threat Intelligence

The next step is to explain how a successful threat intelligence initiative can generate insights and actions to help inform the decisions of multiple people and teams throughout your organization, including:

  • Level 1 analysts — for example, to support the real-time monitoring, detection, initial investigation and escalation that takes place in the security operations center (SOC).

  • Level 2/3 analysts — for example, to support the in-depth prioritization, investigation, containment and remediation of an incident response team and the proactive efforts of experts on threat hunting and counter-fraud teams.

  • Operational leaders — for example, to help the leaders of security operations and IT operations guide and prioritize the day-to-day actions and activities of their respective technical staff.

  • Strategic leaders — for example, to help chief information security officers (CISOs) and other senior leaders allocate resources and make better-informed business decisions about managing cybersecurity-related risks to an acceptable level.

Making the connections between technical activities, critical capabilities and, ultimately, the resulting value to the organization is a perfect application for the well-known balanced scorecard framework, which, since 1992, has helped organizations of all types describe, communicate and execute their strategies more effectively. The graphical depiction of these connections is referred to as a strategy map.

Build Your Threat Intelligence Strategy Map Today

With this in mind, stay tuned for the upcoming white paper that includes a general-purpose strategy map for threat intelligence — a model for a one-page summary of how investments in your organization’s threat intelligence initiative translate to business value. With a little practice, you’ll find that it supports a wide range of discussions with the senior leadership team, from higher-level strategy to deeper technical dives.

Learn more about threat intelligence in practice during the webinar on November 7th, and keep an eye out for the upcoming white paper.

Reigster for the webinar

The post A Threat Intelligence Strategy Map: Connecting Technical Activities to Business Value appeared first on Security Intelligence.