CISOs on how to improve cyberthreat intelligence programs

The more things change, the more they stay the same -- even when it comes to cyberthreat intelligence.

Two years ago, TechTarget's Enterprise Strategy Group conducted research into how organizations were managing their cyberthreat intelligence programs. We surveyed 380 cybersecurity professionals involved with or knowledgeable in this area.

When asked to identify their top cyberthreat intelligence challenges, survey respondents pointed to the following issues:

• Overly technical threat intelligence reports. This a problem because threat intelligence requirements should start by identifying risks to critical business assets, such as regulated data, intellectual property or key operational technologies used in areas like manufacturing, energy production or patient care. To gather and analyze the right data, threat intelligence analysts then need business input and continuous feedback. Overly technical reports that businesspeople can't understand are antithetical to building this necessary collaborative communication.
• A lot of threat intelligence noise. When it comes to cyberthreat intelligence, many cybersecurity professionals operate under a more-is-better mindset. Consequently, organizations become buried in threat intelligence data, making it difficult to find valuable insights. Threat intelligence noise translates to wasted time, false positives and inefficiencies galore.
• A focus on indicators of compromise rather than more strategic use cases. Many organizations equate threat intelligence and IOCs with the goal of blocking malicious files, web domains and IP addresses. I would refer these folks to the Pyramid of Pain -- a model that articulates that adversaries can easily change these attack tactics, so blocking today's IoCs isn't effective over time. To make cyberthreat intelligence more strategic, it must help organizations learn about the tactics, techniques and procedures (TTPs) cyberadversaries use in targeted attacks so they can assess defenses, find weaknesses and implement the right countermeasures.
• An overwhelming volume of threat intelligence. This also fits into the more-is-better mentality. Cyberthreat intelligence analysis isn't about data volume; it's about analyzing the threat intelligence data relevant to an organization's industry, location, business processes, etc.
• Few, if any, personnel with threat intelligence skills. This is true across many, if not most, organizations. According to research from Enterprise Strategy Group and the Information Systems Security Association, 65% of organizations have been impacted by the cybersecurity skills shortage, especially in specialized areas such as threat intelligence analysis. CISOs must understand that hiring experienced threat intelligence analysts could be next to impossible.

Why am I bringing up 2-year-old data? Based on several recent CISO interviews, it appears not much has changed. In fact, the CISOs I spoke with suggested that things might be getting worse. They also complained about the price of threat intelligence and the need to look beyond traditional threat intelligence sources into areas such as social media monitoring, digital risk protection -- i.e., safeguarding digital assets and brand reputation -- and aligning threat intelligence with physical security.