Don’t Let Cyber-Intelligence Turn into Cyber-Ignorance

It’s an all too common scenario: Despite large investments in cybersecurity technology and discussions on how to improve enterprise protection, cracks, gaps, and real-world problems spring up.  Phrases like “endless meetings” and “silos of excellence” have become commonplace. It’s challenging for any organization, especially a large global company, to manage both strategic and tactical efforts for enterprise risk management.

One of the problems organizations face in the cybersecurity arena is a focus on outcomes rather than output. This creates a number of potential stumbling points, which can undermine a security program and weaken a company’s defenses. Here are 7 common pitfalls to avoid in managing your organization’s cyber risk:

1. Readiness. It’s critical to understand how mature a cybersecurity program is and where key gaps exist. This revolves heavily around people, processes and technology. Ken Dunham, MSS Technical Director at Optiv, says that it’s particularly important to avoid shiny objects. A misguided approach and the wrong tools can “create a lot of noise and lead to a lot of wasted resources.” He says it’s important to shore up an organization’s weaknesses, streamline integration of teams, workflow, people and technology before adding on other components, including an intelligence program.

2. Ambiguity. It’s certainly no news bulletin that successful leaders align specific goals, processes and people with specific outcomes to guide a business to success. But the devil is in the details. If you are going to focus on cyber intelligence, it’s vital to be specific in regard to plans and processes. For example, it’s advisable to focus on intelligence outcomes such as your organization’s information incident responders receiving related indicators of compromise (IOCs) within 30 minutes of an incident. “The most important thing to understand is that threat intelligence is not a part-time job or something to take casually. It requires an ongoing commitment and resources,” Dunham says. As a rule, organizations benefit from checking off goals before moving on to other objectives.

3. A lack of direction. Today’s cybersecurity environment is complex–and getting more complex by the day. It would have been unimaginable to embark on the Oregon Trail without an experienced guide. It would be implausible to fly a jet without a seasoned pilot. Similarly, organizations require outside expertise–and an outside perspective. But not just any expert can address the challenge of building a cyber threat intelligence framework. There are essentially two main types of intel experts in the industry today: those that fall into the geopolitical/actor/military group and those that are more technically savvy. An organization requires counsel from both areas, but it’s wise to start with a technical orientation. That’s where enterprises typically get the most wins immediately for an emergent intel program.

4. A reliance on IT to solve security problems. Adding outside perspectives and expertise is a good start; however, it’s also wise to tap different groups of stakeholders for a broader perspective. “It’s very easy to misinterpret data and wind up wasting time and money,” Dunham says. Yet, simply assigning the brightest and best IT specialists to the task isn’t wise. “They’re not going to know what to do. Likewise, security people don’t always understand the nuances of IT. So, both groups must work together in the common pursuit of protecting the enterprise,” Dunham says. The takeaway? IT is wired to make things work.  Security is wired to defend things. The goal should be to hire accordingly and ensure that staff has experienced security leaders involved in decisions.

5. Creating silos of excellence. Whether by accident or design, silos introduce risks in the cybersecurity arena. In fact, in organizations where siloed cyber threat intelligence teams operate, success is often elusive. Not only is there a lack of crucial communication, but it’s also next to impossible to push critical information to key stakeholders in the executive suite. A security program–and cybersecurity intelligence–must ultimately apply to larger business goals, objectives and mission. Executives should understand the value of cyber threat intelligence and how best to approach the challenges related to it in order to lower risk for the company. This requires key constituents to involve stakeholders in updates and in operations–typically on a monthly basis (at a minimum). Yet, it’s also important to ensure that the organization has a high level of operational coordination in place, particularly when a crisis occurs. According to Dunham, an organization should consider establishing a war room where teams have pre-defined people, roles, policies and processes for handling a crisis.

6. A lack of focus. It’s understandable that organizations have trouble prioritizing cybersecurity and cyber intelligence, but it is possible to build a strategic framework that directs resources where they are needed, as they are needed. Once an organization conducts a thorough inventory and analysis–including classifying the value of data and other resources–it’s possible to take a smarter and more cost-efficient approach to processes, people and actions. An enterprise can address needs and requirements realistically–and without becoming overwhelmed or getting bogged down by a single threat or security event.

7. Viewing AI as the magic elixir. Artificial intelligence (AI) plays an increasingly valuable role in cyber intelligence. “The concept of understanding risks and anticipating attacks is entirely valid,” Dunham says. However, artificial intelligence won’t solve all of an organization’s security problems. “In reality, it’s not particularly easy to use. It can create a lot of noise and lead to a lot of wasted resources.” When threat intelligence is used effectively, it can help an enterprise focus on actual and immediate risks and channel resources more efficiently. “It can give you a much better idea of where threats originate, what methods attackers use, and what risks are associated with these attempted breaches,” he says. The bottom line is that AI must be woven into the fabric of security practices, if it is used at all. It’s often better to channel resources to more immediate issues such as patch management, authentication methods and third-party risks.

In the end, a cyber intelligence initiative may also require the purchase or development of additional tools, technologies and solutions. It might also force an organization to pivot and rethink the way it approaches security in general. The constant among all of this is a need for unwavering commitment. Taking intelligence to a smarter level often takes two or three years–along with continual adjustments. Developing a plan and putting the right strategic and tactical elements in place can prove to be transformative. “Cyber intelligence is not a part-time job or something to take casually. It requires an ongoing commitment and resources,” Dunham says.