Risk Management and Intelligence: What is Your End Game?
May 31, 2017
Anyone worth their salt in the world of cyber threat intelligence is always focused on the actionable outcome: how can I lower my business risk by making a more informed and/or timely decision? If your enterprise risk management strategy does not hold the cyber threat intelligence component to that same standard of return on investment (ROI), you will miss the mark on your desired outcome. Strategic intent for intelligence that is specific, measurable, and tied to risk management is mission critical.
A solid cyber threat intelligence program cannot succeed without the foundation of a managed, enterprise-wide risk management program. Such a program puts in place the policy, procedures, and people that enable a security culture and an operational capability within an organization. Most organizations headed in this direction start with an IT program where “stuff works,” and eventually mature into auditing whether it works well and/or is secure. In consulting, we often see small shops with solid IT departments looking to perform vulnerability or security assessments to find out where they may be exposed. Often they want to complete a penetration test before their program is mature enough for the test to provide proper value; the usual result is a long list of findings with no owner, no prioritization, and no process to remediate them. Other governance and technical work is required before such an engagement to ensure the desired outcomes for a company as it matures its operations.
Once an organization has a managed, enterprise-wide security program, it is ready to plan for and consume cyber threat intelligence. About 10 years ago, I provided cutting-edge intelligence for a threat intel staff at a large commercial organization, only to find out that they didn’t have the authority to change policies, make management decisions, or even populate indicators of compromise (IOCs) into the operational IT environment. I was left wondering: why are we doing cyber threat intelligence consulting if we can’t do anything with it in the client environment? This example may be an extreme for most organizations in 2017, but it shows that an organization must be ready to receive and consume intel if the effort is to succeed. A solid managed enterprise security program creates that readiness from the standpoint of people and operations.
Cyber threat intelligence is best implemented as an integrated ‘overlay’ to the existing enterprise security program. Imagine two maps, one a transparent layer on top of the other: the overlay adds threat context to the base map without replacing it, and together they give a clear view of the whole picture. That is how intel works for an organization that has both a managed security program and a managed intelligence strategy or program in place. As an organization plans for success with an intelligence program, it must focus on vision, mission, and objectives. This traditional form of commercial management translates into key questions, including:
- Where do I want to be when the intel program is in place?
- How do I get there?
- How do I measure success in a specific manner?
Since intelligence is, by definition, action oriented, a cyber threat intelligence program needs clear, ROI-related outcomes and actions that reduce risk for the organization.
How do you measure ROI for an organization? It begins with understanding your risk. Again, without an enterprise risk management program already in place, you lack the baseline metrics from which to draw or create ROI outcomes for the impact of intelligence. An organization ready to take on intelligence capabilities likely already has metrics on the number and types of threats it faces in the cyber realm on a daily, monthly, and annual basis. Taking phishing attacks as an example, such an organization would know, on an annual basis, how many phishing attempts were detected, how many of those became actual security incidents, and what risk or cost was associated with those incidents.
An intelligence program can then be integrated with the security risk management framework to implement specific solutions that lower risk with respect to the security issues confronting the business. Smart managers make sure those baseline metrics are in place before the program starts, so that the ROI of implementing an intelligence program can be shown clearly against them.
Going back to the phishing example, we should see the total number of incidents and the risk exposure go down. Incidents should be minimized, and the ones that do occur should be handled more quickly, which reduces risk and saves productivity and incident response costs. As a C-level leader, make sure your stakeholders see the value of their intelligence investment.
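The phishing baseline and ROI comparison described above, as an added worked example (this is not code from the original post): it takes a year of detected phishing attempts, derives the baseline metrics the text calls for (attempts, confirmed incidents, incident rate, direct cost, containment hours), and then computes the ROI of an intelligence program by comparing a later period against that baseline. All records, dollar figures, the responder hourly rate, and the program cost are constructed for illustration.

```python
"""Added example: phishing baseline metrics and intelligence-program ROI.

Every record and figure here is constructed; substitute the organization's
own incident data and costs. The point is the structure: capture the
baseline first, then measure the same things after the program is in place.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class PhishingAttempt:
    """One detected phishing attempt.

    incident          True only if the attempt became a confirmed security
                      incident (e.g. a click led to credential or host compromise).
    hours_to_contain  Responder hours from detection to containment (0 if no incident).
    direct_cost_usd   Remediation and lost-productivity cost attributed to the incident.
    """
    incident: bool
    hours_to_contain: float = 0.0
    direct_cost_usd: float = 0.0


def baseline_metrics(attempts):
    """Return the annual baseline the text describes for one period."""
    incidents = [a for a in attempts if a.incident]
    hours = [a.hours_to_contain for a in incidents]
    return {
        "attempts": len(attempts),
        "incidents": len(incidents),
        "incident_rate": len(incidents) / len(attempts) if attempts else 0.0,
        "total_cost_usd": sum(a.direct_cost_usd for a in incidents),
        "total_containment_hours": sum(hours),
        "mean_hours_to_contain": mean(hours) if hours else 0.0,
    }


def intel_program_roi(before, after, program_cost_usd, responder_rate_usd_per_hour):
    """ROI = (cost avoided - program cost) / program cost.

    `before` and `after` are baseline_metrics() results for periods of equal
    length. Cost avoided combines the drop in direct incident cost with the
    responder hours saved through faster containment (valued at an hourly rate).
    """
    direct_saved = before["total_cost_usd"] - after["total_cost_usd"]
    hours_saved = before["total_containment_hours"] - after["total_containment_hours"]
    avoided = direct_saved + hours_saved * responder_rate_usd_per_hour
    return (avoided - program_cost_usd) / program_cost_usd


def benign(n):
    """n detected attempts that were blocked or reported before any compromise."""
    return [PhishingAttempt(incident=False) for _ in range(n)]


# Constructed data: year before the intelligence program (12 attempts, 4 incidents).
BEFORE = benign(8) + [
    PhishingAttempt(True, hours_to_contain=48, direct_cost_usd=5_000),
    PhishingAttempt(True, hours_to_contain=72, direct_cost_usd=8_000),
    PhishingAttempt(True, hours_to_contain=36, direct_cost_usd=12_000),
    PhishingAttempt(True, hours_to_contain=24, direct_cost_usd=3_000),
]

# Constructed data: year after (same attempt volume, fewer and faster-contained incidents).
AFTER = benign(10) + [
    PhishingAttempt(True, hours_to_contain=8, direct_cost_usd=2_000),
    PhishingAttempt(True, hours_to_contain=12, direct_cost_usd=4_000),
]

PROGRAM_COST_USD = 10_000      # assumed annual cost of feeds, tooling, and analyst time
RESPONDER_RATE = 100.0         # assumed fully loaded hourly cost of an incident responder


def report():
    """Compute both baselines and the ROI; returns the numbers for the reader."""
    before = baseline_metrics(BEFORE)
    after = baseline_metrics(AFTER)
    roi = intel_program_roi(before, after, PROGRAM_COST_USD, RESPONDER_RATE)
    return before, after, roi


if __name__ == "__main__":
    b, a, roi = report()
    print("before:", b)
    print("after: ", a)
    print(f"intel program ROI: {roi:.0%}")
```

The ROI figure only means something if the two periods are comparable and the baseline was recorded before the program started; if attempt volume doubled in the second year, compare incident rate and mean containment time rather than raw counts, and state the assumptions (responder rate, program cost) alongside the number when presenting it to stakeholders.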
I consider cyber threat intelligence to be the tip of the spear for the industry, and for an organization as it matures its enterprise risk management. It is complex and requires extreme focus. Being specific, and tying intelligence goals back to actionable, measurable outcomes for a company’s risk management, is a key to success. The last thing you want to do is cling to the old-world style of IT management, where you are seen as hitting up stakeholders for more money and tools. The clear focus of any successful manager in this space is on reducing the risk to an organization’s crown jewels, with measurable actions and ROI outcomes structured before recommendations are made to stakeholders.