Scott Gelber, EMEIA Cybersecurity leader, EY, on cyber threat intelligence and the CIO's role in an effective cybersecurity strategy
Organizations frequently do not fully understand what to ask of Cyber Threat Intelligence (CTI). It can be complex and, understandably, it is outside the sphere of many CIOs' experience. This means that many organizations are potentially missing out on a powerful opportunity: the chance to get ahead of the cybercriminal before they commit the cybercrime.
CTI manages the collection, analysis, integration and production of previously disjointed information to produce evidence-based insights into an organization's unique threat landscape. This intelligence can make a significant difference to the organization's ability to anticipate breaches before they occur, and to its ability to respond effectively when they do. It helps businesses answer critical questions to which the Board is increasingly seeking answers:
- What are the most significant threats facing our organization today?
- What assets are being targeted and by whom?
- How can our organization protect against these cyberthreats today?
- How can our organization use intelligence to augment and improve our security and business operations?
A holistic CTI program consists of processes for collecting, producing and disseminating tactical and strategic intelligence, continually topped up with timely situational awareness updates (also known as "current intelligence"). Some of this intelligence is easy to accumulate: open-source intelligence is available to anyone; information on your attack surface can be generated from activity on your own network; intelligence gathered from the Deep and Dark Web can be purchased. It need not be an impenetrable topic for anyone with an IT background, but it is not optional. CTI is not something your organization can do without.
CTI is best implemented incrementally, allowing small investments to improve and mature other areas of cyber threat management in a way that maximizes return on investment. Looking into the future, CTI discussions surrounding business risk rather than just security risk will become more and more common. Understanding cyber threat risks to the business’s finances, reputation, information and operations will take the conversation to the C-suite level, and the CIO will need to have an input in that.
The six-step path to effective CTI
- Build a robust operational framework: this ensures that security operations are mature enough to absorb relevant intelligence and enable timely action. Operational frameworks should cover not just technological maturity, but also the processes and governance that must be addressed when an organization invests in an in-house intelligence capability rather than only purchasing external intelligence feeds. Overlooking these framework considerations leaves an organization poorly placed to act on intelligence in an ever-changing threat landscape. CIOs and CISOs should examine the IT and cybersecurity frameworks they have for gaps in people, process and technology.
- Conduct CTI programs and assessments: organizations should develop CTI programs and also conduct periodic assessments of how the threat landscape might affect them. A CTI program builds the capability, within an organization's security operations structure, to collect, analyze and produce intelligence and to integrate external intelligence with its own. Tailored assessments gather the pertinent facts, weigh the pros and cons of the program's attributes, and give an evaluated view of where the organization can start integrating CTI into its technology.
- Collect both internal and external intelligence: data can be sourced internally (from network event data or vulnerability scan data) and externally (from deep and dark web activity, social media and forum discussions, and geopolitical news). By predefining intelligence requirements, an organization can focus its efforts and select the most relevant cross-section of sources to collect.
- Use data to get the big picture: it is not enough simply to collect the data; it must be used to paint the bigger picture of the threat landscape. Data, therefore, must be monitored, analyzed, trended, quantified into metrics and then delivered to the appropriate audience for action. This takes a particular analytical capability that may or may not already exist in the IT or analytics function.
- Integrate CTI into the system: CTI must be integrated through processes designed to support both decision makers and security operations. The input processes and output products of a CTI program should be designed with the goal of improving cyber threat awareness across the entire organization at a variety of levels. CIOs and CISOs can work together to make this a reality.
- Learn to share: with your data and analysis in place it is then important to collaborate with your industry peers. Otherwise your organization’s efforts will be siloed in a world that is vastly interconnected and where the cybercriminals themselves collaborate and share information. If this represents a major cultural shift for your organization you need to work with the CISO on how you present this argument alongside the business case for investment in CTI, and how you execute on sharing this information in a structured and timely manner.
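The steps above (predefined intelligence requirements, correlating external indicators with internal network event data, rolling the matches up into metrics, and sharing in a structured way) can be seen end to end in a small script. The following is an added example written for this page; it is not EY's code or a description of any product. The feed format, the event-log format, the TLP handling and all sample values are constructed for illustration and are assumptions, not real threat data or a real vendor API.

```python
"""Added example: correlate an external indicator feed with internal network
events, quantify the matches into metrics, and produce a sanitized record
that can be shared with peers. All formats and sample data are constructed."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed external intelligence. Each indicator carries the source it came
# from, a confidence score, the campaign it was attributed to, a TLP label
# governing onward sharing, and when it was first reported.
EXTERNAL_FEED = [
    {"type": "ipv4", "value": "203.0.113.10", "confidence": 90, "campaign": "campaign-A",
     "source": "vendor-feed", "tlp": "AMBER", "first_seen": "2024-05-01T00:00:00Z"},
    {"type": "domain", "value": "update-check.example", "confidence": 70, "campaign": "campaign-A",
     "source": "isac-share", "tlp": "GREEN", "first_seen": "2024-05-03T00:00:00Z"},
    {"type": "ipv4", "value": "198.51.100.77", "confidence": 40, "campaign": "campaign-B",
     "source": "osint", "tlp": "CLEAR", "first_seen": "2023-01-01T00:00:00Z"},
]

# Constructed internal network event data (proxy/firewall style), one JSON object per line.
INTERNAL_EVENTS = """
{"ts": "2024-05-10T09:12:04Z", "src": "10.0.4.21", "dst_ip": "203.0.113.10", "dst_host": null, "action": "allow"}
{"ts": "2024-05-10T09:15:40Z", "src": "10.0.4.21", "dst_ip": "93.184.216.34", "dst_host": "update-check.example", "action": "allow"}
{"ts": "2024-05-10T10:01:11Z", "src": "10.0.7.3", "dst_ip": "198.51.100.77", "dst_host": null, "action": "deny"}
{"ts": "2024-05-11T03:44:59Z", "src": "10.0.4.21", "dst_ip": "203.0.113.10", "dst_host": null, "action": "allow"}
{"ts": "2024-05-11T08:00:00Z", "src": "10.0.9.9", "dst_ip": "192.0.2.5", "dst_host": "intranet.corp", "action": "allow"}
""".strip().splitlines()

TLP_RANK = {"CLEAR": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


def build_index(feed, min_confidence=50, max_age_days=365, now=None):
    """Apply predefined intelligence requirements: keep only indicators that are
    confident enough and recent enough to be worth matching. Returns {(type, value): indicator}."""
    now = now or datetime(2024, 5, 12, tzinfo=timezone.utc)  # fixed clock so the example is reproducible
    index = {}
    for ind in feed:
        first_seen = datetime.fromisoformat(ind["first_seen"].replace("Z", "+00:00"))
        if ind["confidence"] < min_confidence or now - first_seen > timedelta(days=max_age_days):
            continue
        index[(ind["type"], ind["value"])] = ind
    return index


def match_events(lines, index):
    """Correlate internal events with the indicator index on destination IP and hostname."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        for key in (("ipv4", ev["dst_ip"]), ("domain", ev["dst_host"])):
            ind = index.get(key)
            if ind:
                hits.append({"event": ev, "indicator": ind})
    return hits


def metrics(hits):
    """Quantify matches into the figures a decision maker or SOC lead would act on."""
    hosts_per_campaign = defaultdict(set)
    allowed = 0
    for h in hits:
        hosts_per_campaign[h["indicator"]["campaign"]].add(h["event"]["src"])
        allowed += h["event"]["action"] == "allow"  # traffic that was not blocked is the urgent part
    return {
        "hits": len(hits),
        "allowed_hits": allowed,
        "per_campaign": dict(Counter(h["indicator"]["campaign"] for h in hits)),
        "per_source": dict(Counter(h["indicator"]["source"] for h in hits)),
        "affected_hosts": {c: sorted(s) for c, s in hosts_per_campaign.items()},
    }


def shareable(hits, max_tlp="GREEN"):
    """Build the record that can go to industry peers: only indicators whose TLP label
    permits release to the recipient, aggregated to sighting counts with internal hosts removed."""
    out = {}
    for h in hits:
        ind = h["indicator"]
        if TLP_RANK[ind["tlp"]] > TLP_RANK[max_tlp]:
            continue
        key = (ind["type"], ind["value"])
        rec = out.setdefault(key, {"type": ind["type"], "value": ind["value"], "campaign": ind["campaign"],
                                   "tlp": ind["tlp"], "sightings": 0, "last_seen": ""})
        rec["sightings"] += 1
        rec["last_seen"] = max(rec["last_seen"], h["event"]["ts"])  # ISO-8601 UTC strings sort chronologically
    return list(out.values())


if __name__ == "__main__":
    found = match_events(INTERNAL_EVENTS, build_index(EXTERNAL_FEED))
    print(json.dumps(metrics(found), indent=2))
    print(json.dumps(shareable(found, "GREEN"), indent=2))
```

Two design points are worth noting. The confidence and age thresholds in `build_index` are the script's expression of "predefined intelligence requirements": the low-confidence, stale indicator is never matched, so the one blocked connection to it generates no noise. And `shareable` keeps the source host addresses out of the shared record and respects the TLP label on each indicator, which is the structured, controlled form of sharing the last step calls for.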
If your organization is not yet talking about CTI, then perhaps this is a conversation you can start. Your IT responsibilities would be severely impacted by a cyber breach, and if you have a seat on the Board, you and your C-suite colleagues are increasingly being seen as liable for damage to third parties resulting from a cyber attack. It remains true that a cyberattack is a matter of when, not if. Don't let a lack of CTI be a major cause of regret.