Using Threat Intelligence to Communicate Risk to Executives (Part 1)
July 26, 2019 • The Recorded Future Team
With so much phishing, malware, ransomware, and spoofing activity, most executives and board directors realize the importance of making IT security a high priority. It’s quite difficult, however, to determine how and where to apply precious resources.
The key is to keep communications simple as they flow up and down the leadership stack, foregrounding the most salient points so that non-technical decision-makers can assess the IT security situation and take action. In this blog (the first in a three-part series), we’ll explore the role of threat intelligence as a means to help security operations teams communicate IT risks to their executives and the board of directors.
Communicating IT Risks to Executives
The threat landscape continues to expand in size and complexity. Difficult-to-detect attacks keep increasing in sophistication, and any that do succeed in breaching critical systems and sensitive data can permanently harm brand reputations and destroy customer trust. This situation elevates the criticality of the security operations role.
At the same time, it’s important to realize that executives actually can handle the truth about IT security risks. They want to know exactly what’s going on, understand the controls that are deployed to protect digital assets against risks, and make a plan for mitigating any breaches that may slip by.
The challenge for security operations in meeting this need lies in communications. How can the level of IT security risk be accurately and succinctly conveyed to company executives and board members who have varying levels of technical understanding?
The key is to keep communication simple and make it easy for non-technical decision-makers to assess the IT security situation. Only then will they buy in to the value of the measures that security operations teams need to implement and get behind their efforts to mitigate IT risks.
Effective Communication Starts With Threat Intelligence
The effort to clearly communicate IT risk starts with threat intelligence. A threat intelligence solution compiles data from internal sources (system logs, firewalls, SIEMs, EDR solutions) and correlates it with external intelligence, mapping it to the attributes of the real cyber threats lurking in the wild.
This combination contextualizes threats so that security operations teams know which ones represent the greatest potential danger to corporate data and digital assets. From there, security operations teams can leverage the threat intelligence solution to assign risk values to each threat based on a combination of the potential impact of the threats and the internal data and IT assets that are susceptible to them.
In other words, if 10 web servers providing services to customers could crash, security operations teams need “all hands on deck” immediately. But if 10 servers that store historical archives running on an old OS might be impacted, the need to react may not be so urgent. Any gaps in this information set and related mapping leave an organization at risk of not effectively recognizing, categorizing, and communicating its IT security risk.
Concise Reporting Accurately Conveys Relevance
While the information generated by a threat intelligence solution enables security operations teams to assess the priority level to assign to IT security threats, the data also needs additional formatting for executives and directors to understand what’s going on. The report generation and dashboard capabilities of the solution and the process for communicating to executives thus also play a key role.
Overwhelming executives with data about all potential threats is not a good option. The reports must accurately describe the potential impact of threats and justify the countermeasures that the security operations team wants to deploy in terms that motivate business leaders; they must be relevant to the operations of the organization if they are to be relevant to the actions you want the executives to take. The factors they need to see include cost, return on investment, impact on customers, and competitive advantages.
Threat intelligence plays a major role. It provides more powerful ammunition for discussions by, for example, presenting the impact of similar attacks on companies of the same size in other industries, as well as trends and intelligence from the dark web that indicate the company is a likely target.
In order to be effective for executives, contextualized threat intelligence needs to be concise, relevant, and timely. A dashboard or other at-a-glance format can help communicate the potential impact of threats, but the key is to tie it to revenue, expenses, operations, and assets.
Here’s a rundown of the specific threat information to communicate:
- What the threat can potentially do to the company’s digital assets
- Consequences to the business if the threat breaches the infrastructure
- The probability that the threat will succeed
- Vulnerabilities on the network infrastructure that could allow the threat to happen
- Controls already in place to fix the vulnerabilities and stop the threat from happening
Security operations should also provide a bottom-line assessment of new controls that are needed to close any risk gaps based upon the threat and its associated vulnerabilities, controls, impact, and probability. All of the intelligence and expertise that the security operations team delivers to executives will help drive decision-making if it places internal data into the context of the wider threat landscape. Executives can then identify the most pressing threats and vulnerabilities, and therefore empower security operations with the necessary resources to protect the company’s digital assets.
Everyone Works Together to Protect Digital Assets
In addition to providing a communications tool to report to executives on the level of risk faced by a company’s IT assets, a threat intelligence solution delivers several key capabilities to security operations. Here are some of the key benefits as reported by IDC after interviewing clients who leveraged Recorded Future’s threat intelligence solution:
- Accelerates threat identification by 10 times
- Lowers resolution times by 63%
- Identifies 22% more security threats before impact
- Reduces unplanned downtime due to security events by 86%
As these statistics indicate, a threat intelligence solution like Recorded Future improves threat detection and response. At the same time, security operations can more clearly communicate the level of risk the company faces to executive leadership. That way, everyone can work together to protect the company’s digital assets in the context of the business.
You can read the IDC white paper, “Organizations React to Security Threats More Efficiently and Cost Effectively With Recorded Future,” to see exactly why researchers at IDC concluded that Recorded Future “provides a universal threat intelligence solution.” And to learn more about how Recorded Future helps security teams save time and money while getting a better view of the threat landscape, request a personalized demo today.