In this Industry Perspective, Thomas Hofmann of the firm Flashpoint* writes that cyber threat intelligence professionals from the government don’t just bring their skills when they migrate to the private sector – they bring their jargon, also. Communicating effectively with the C-suite, however, demands making threat intelligence ready for executive consumption.
As businesses strive to get ahead of cyber threats amid the rapid pace of technological change and the burgeoning area of cyber warfare, the role of cyber intelligence has become a hot topic. Indeed, many companies continue to recruit intelligence professionals from the government to bring their tradecraft (and their jargon) to the commercial sector. But since much of this jargon originates from the U.S. national security space, it does not resonate as well with business leaders. As someone who has served on intel teams in the commercial, military, and national security spaces, I’ve seen firsthand how difficult it can be to make an intel program relevant for executive-level consumption.
The most effective intel programs in the commercial sector draw upon best practices from their government counterparts and tailor their operations to the language and needs of the business. Based on my own experience, the following guidance can help cyber intelligence teams align their programs better with the objectives and perspectives of the executive team.
Understand How the Business Operates
Most cyber intelligence teams are closely aligned with network defense, but many lack a detailed understanding of the core structures and functions underpinning the company. Defending the perimeter against cyber attacks is important, but it should be only the first step. Evolved cyber intel teams engage other lines of business and have a keen understanding of the business’s critical assets. They then design their operations to protect those assets.
The most effective intel programs equip stakeholders with a decision advantage that enables them to understand relevant threats and mitigate risks to the business. Providing a true decision advantage in the commercial sector requires a partnership with all lines of business and the proper alignment of security measures to risk. It is not good enough to simply identify, for example, an adversary’s capability and intent. Advanced intel teams inform and empower stakeholders to accurately assess the extent to which the adversary could impact the business as a whole.
I’ve seen all too often that cyber intel teams measure their success in numbers such as how many reports they produced or indicators of compromise (IOCs) they processed rather than by how their service is meeting the business’s needs. Processing the largest number of IOCs isn’t what makes an intel program relevant to a business. Establishing the proper context of the surrounding threat environment, determining how the business is positioned to defend against attacks, and driving smarter decisions enterprise-wide are the true hallmarks of success.
Speak the Language of Risk
The best advice I received during my career transition from government intel to commercial intel was this: if you want to be effective in a business environment, learn to speak the language of risk. Government teams are focused on understanding threats, adversaries, and their intentions and capabilities. But in the commercial sector, cyber intelligence teams also need to be able to assess the extent to which these threats and adversaries pose risks to the business.
After all, businesses take calculated risks. This is why advanced intel programs in the commercial sector provide insight that helps stakeholders accurately weigh and understand relevant threats, how these threats could impact the business, and what mitigations are—or should be—implemented. The most effective corporate intelligence programs equip the executive team with an elevated perspective on how tactical efforts—namely, detecting and combating threats—impact the business’s risk posture.
Don’t Just Block Threats, Understand Them
Most cyber intelligence programs are hyper-focused on combating threats, yet this mindset can obscure the big picture. Focusing solely on blocking a threat means we can lose sight of whether the threat is targeting us in the first place and, if it is, how and why.
As an example, let’s take one of the most common entryways for malware, causes of credential theft, and security challenges facing organizations today: phishing.
There are several ways cyber intel teams typically address this attack vector. Less mature teams often focus on identifying and blocking any and all IOCs that could be linked to phishing. In order to be effective, this whack-a-mole approach requires perfect intelligence and the resources to immediately deploy defenses for every potential attack vector.
A more mature team recognizes that IOCs and perimeter defense play a small role in a much larger strategic effort to mitigate the business risks posed by phishing. The team seeks strategic insight into the threat landscape to enhance context around phishing, assess the effectiveness of existing defenses, and evaluate the potential damage of a successful campaign. In most cases, the team then uses these insights to promote enterprise-wide awareness of phishing and increase employees’ knowledge of the threat and how to combat it.
In other words, the mature threat intelligence approach doesn’t just enhance the business’s risk posture; it also provides the executive team with greater insight into how well the organization is performing in mitigating this threat.
Although addressing the areas outlined above can help intel teams make their programs more relevant for executive-level consumption, these areas should serve purely as a starting point. It’s crucial to recognize that above all else, the most successful intel programs are able to reshape how intelligence is received, consumed, and integrated in a manner that effectively addresses the needs of all business functions across the enterprise.
Thomas Hofmann is the Vice President of Intelligence at the firm Flashpoint. He leads the intelligence directorate that is responsible for the collection, analysis, production, and dissemination of Deep & Dark Web data. He works closely with clients to prioritize their intelligence requirements and ensures internal Flashpoint operations are aligned to those needs. Mr. Hofmann has been at the forefront of cyber intelligence operations in the commercial, government, and military sectors, and is renowned for his ability to drive effective intelligence operations to support offensive and defensive network operations.
(*) This post is sponsored by Flashpoint, which is a supporter of The Security Ledger.