Using Threat Intelligence to Communicate Risk to Executives (Part 1)

Posted: 26th July 2019

With so much phishing, malware, ransomware, and spoofing activity, most executives and board directors realize the importance of making IT security a high priority. It’s quite difficult, however, to determine how and where to apply precious resources.

The key is to keep communications simple as they flow up and down the leadership stack, presenting the most salient points so that non-technical decision-makers can easily assess the IT security situation and take action. In this blog (the first in a three-part series), we’ll explore the role of threat intelligence as a means to help security operations teams communicate IT risks to their executives and the board of directors.

Communicating IT Risks to Executives

The threat landscape continues to expand in size and complexity. Difficult-to-detect attacks keep increasing in sophistication, and any that do succeed in breaching critical systems and sensitive data can permanently harm brand reputations and destroy customer trust. This situation elevates the criticality of the security operations role.

At the same time, it’s important to realize that executives actually can handle the truth about IT security risks. They want to know exactly what’s going on, understand the controls that are deployed to protect digital assets against risks, and make a plan for mitigating any breaches that may slip by.

The challenge for security operations in meeting this need lies in communications. How can the level of IT security risk be accurately and succinctly conveyed to company executives and board members who have varying levels of technical understanding?

The key is to keep communication simple and make it easy for non-technical decision-makers to assess the IT security situation. Only then will they buy in to the value of the measures that security operations teams need to implement and get behind their efforts to mitigate IT risks.

Effective Communication Starts With Threat Intelligence

The effort to clearly communicate IT risk starts with threat intelligence. By using a threat intelligence solution, data can be compiled from internal sources (system logs, firewalls, SIEMs, EDR solutions) and correlated to external intelligence, mapping them to the attributes of the real cyber threats lurking in the wild.

This combination contextualizes threats so that security operations teams know which ones represent the greatest potential danger to corporate data and digital assets. From there, security operations teams can leverage the threat intelligence solution to assign risk values to each threat based on a combination of the potential impact of the threats, along with the internal data and IT assets that are susceptible to the threats.

In other words, if 10 web servers providing services to customers could crash, security operations teams need “all hands on deck” immediately. But if 10 servers that store historical archives running on an old OS might be impacted, the need to react may not be so urgent. Any gaps in this information set and related mapping leave an organization at risk of not effectively recognizing, categorizing, and communicating its IT security risk.

Concise Reporting Accurately Conveys Relevance

While the information generated by a threat intelligence solution enables security operations teams to assess the priority level to assign to IT security threats, the data also needs additional formatting for executives and directors to understand what’s going on. The report generation and dashboard capabilities of the solution and the process for communicating to executives thus also play a key role.

Overwhelming executives with data about all potential threats is not a good option. The reports must accurately describe the potential impact of threats and justify the countermeasures that the security operations team wants to deploy in terms that motivate business leaders; they must be relevant to the operations of the organization if they are to be relevant to the actions you want the executives to take. The factors they need to see include cost, return on investment, impact on customers, and competitive advantages.

Threat intelligence plays a major role. It provides more powerful ammunition for discussions by, for example, presenting the impact of similar attacks on companies of the same size in other industries, as well as trends and intelligence from the dark web that indicate the company is a likely target.

In order to be effective for executives, contextualized threat intelligence needs to be concise, relevant, and timely. A dashboard or other at-a-glance format can help communicate the potential impact of threats, but the key is to tie it to revenue, expenses, operations, and assets.

Here’s a rundown of the specific threat information to communicate:

  • What the threat can potentially do to the company’s digital assets
  • Consequences to the business if the threat breaches the infrastructure
  • The probability that the threat will succeed
  • Vulnerabilities on the network infrastructure that could allow the threat to happen
  • Controls already in place to fix the vulnerabilities and stop the threat from happening

Security operations should also provide a bottom-line assessment of new controls that are needed to close any risk gaps based upon the threat and its associated vulnerabilities, controls, impact, and probability. All of the intelligence and expertise that the security operations team delivers to executives will help drive decision-making if it places internal data into the context of the wider threat landscape. Executives can then identify the most pressing threats and vulnerabilities, and therefore empower security operations with the necessary resources to protect the company’s digital assets.
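The prioritization described earlier (10 customer web servers versus 10 archive servers) and the report fields listed above can be sketched in a few lines. This is an added example, not part of the original post or of any vendor's product; the scoring formula, the 1-5 criticality scale, the field names, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample model: every field, scale and value here is an assumption.
@dataclass
class AssetGroup:
    name: str
    count: int
    criticality: int          # 1 = archival, 5 = customer-facing revenue
    software: frozenset       # product identifiers from internal inventory

@dataclass
class Threat:
    name: str
    targets: frozenset        # products the external intel says are affected
    probability: float        # analyst estimate that the attack succeeds (0-1)
    controls: tuple = ()      # controls already in place against it
    control_effect: float = 0.0   # fraction of risk the controls remove (0-1)

def exposures(threat, assets):
    """Correlate external intel with inventory: which groups are susceptible."""
    return [a for a in assets if a.software & threat.targets]

def risk_score(threat, assets):
    """Residual risk = probability x criticality-weighted exposure x (1 - controls)."""
    impact = sum(a.criticality * a.count for a in exposures(threat, assets))
    return round(threat.probability * impact * (1 - threat.control_effect), 1)

def executive_rows(threats, assets):
    """One row per threat that touches a real asset, highest residual risk first."""
    rows = []
    for t in threats:
        hit = exposures(t, assets)
        if not hit:
            continue  # intel with no matching internal asset is noise for this report
        rows.append({"threat": t.name,
                     "affected": [f"{a.count} x {a.name}" for a in hit],
                     "probability": t.probability,
                     "controls": list(t.controls) or ["none (gap)"],
                     "risk": risk_score(t, assets)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

ASSETS = [AssetGroup("customer web servers", 10, 5, frozenset({"webserver-x"})),
          AssetGroup("archive servers (old OS)", 10, 1, frozenset({"legacy-os"}))]
THREATS = [Threat("exploit against legacy-os", frozenset({"legacy-os"}), 0.6),
           Threat("DoS against webserver-x", frozenset({"webserver-x"}), 0.4, ("WAF",), 0.5),
           Threat("campaign against product-z", frozenset({"product-z"}), 0.9)]

if __name__ == "__main__":
    print(*executive_rows(THREATS, ASSETS), sep="\n")
```

With this sample data the web-server threat ranks first even though it is less likely and partly mitigated, and the highest-probability threat is dropped because nothing in the inventory is exposed to it.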

The Value of Elite Security Intelligence

To quantify the real-world value of the Recorded Future Security Intelligence Platform, we commissioned Forrester to conduct a Total Economic Impact™ (TEI) study examining the ROI factors that an actual Recorded Future client recently realized. The report illustrates how Recorded Future improved the client’s security workflow efficiency by 50%. This alone resulted in $263,538 saved — but the savings did not end there. Download Forrester’s study now to read the full breakdown of monetary savings when using Recorded Future.