SmartStateIndia
Cybersecurity Experts View

How Risk Management Can Be Backed by Threat Intelligence

Authored by: Mr. Zakir Hussain, Founder and CEO of BD Software Distribution

In light of the rising third-party cybersecurity threats in recent years, simply defending against attacks and reacting to them is no longer sufficient. Organizations need to be proactive and ward off cyber-attacks by identifying potential threats and being constantly aware of any vulnerabilities their defenses might have. As each organization’s IT assets evolve to meet operational needs—such as expanding databases, storage capabilities, data types, usage patterns, and access permissions—the security infrastructure must also be consistently updated and fine-tuned to align with the latest protective measures.

The collaboration between threat intelligence (TI) and risk management promises to provide organizations with competitive protection from ingenious and highly adaptive threats. This process is called Threat Intelligence Informed Risk Management, and it combines the information filtered through TI techniques with the operations specific to risk management.

How Does Threat Intelligence Informed Risk Management Work?

In collaborative Threat Intelligence Informed Risk Management, two teams work together: one focuses on understanding the threat landscape and identifying an organization’s specific vulnerabilities, while the other concentrates on pinpointing critical IT assets and access points essential for smooth operations.

Despite differing training backgrounds, specialists from each team can leverage their overlapping knowledge to cross-train effectively. By collaborating, they offer the organization high-quality insights and actionable intelligence, enhancing its defense against threats.

The cyber threat landscape is continuously evolving, as threat actors seek new methods to circumvent existing security measures. Additionally, organizations face an uneven battle in cybersecurity. While they must carefully manage various access points and vulnerabilities, attackers have the freedom to be creative and are unbound by legal constraints. Multiple attackers can even target a single organization at the same time. This imbalance underscores the need for organizations to have comprehensive security coverage.

With Threat Intelligence Informed Risk Management, TI helps identify the nature of threats and the vulnerabilities of the organization. This information allows security operations center (SOC) experts to develop appropriate security solutions tailored for each organization. Risk management experts must develop a plan identifying the IT assets that need to be protected and how to do it. Risk management takes the information filtered by TI and contextualizes it with the help of its processes:

  • FRAME: Sets the context for risk-based decisions and lays out the basic strategy for execution, coupled with TI to understand the direction and operations leading up to risk management.
  • ASSESS: The process of analyzing and determining the level of risk to the organization, leveraging TI to place the organization’s existing vulnerabilities against the identified threats.
  • RESPOND: The actions that must be taken after the identification of risks. TI would then be used to secure good communication between threat analysts and risk managers to coordinate response efforts.
  • MONITOR: Helps verify whether the actions taken are effective and how they affect risk assessment. TI would then help align these efforts with existing threats and keep security decisions relevant.

When Threat Intelligence and Risk Management Teams Do Not Work Together

Faced with the unique challenges of cyber threats, many organizations found their way through the security field and set up teams of experts who have learned on the job, adapted, and trained while faced with each type of attack. The novelty of the threats has made organizations react differently, with some setting up risk management teams and others relying on Threat Intelligence and collecting information. The two have evolved as two traditionally different disciplines. However, lately, with the combined effort to automate as many security tasks as possible and innovative programs that are useful in both areas, more focus is placed on their similarities and how they can best work together.

These differences in approach resulted in different lexicons and an overall impression that their jobs are very different. Therefore, what a risk management team would call inherent risk and risk assessment, a Threat Intelligence team would include as sections in their Intelligence Requirements. They both refer to finding vulnerabilities and doing patch management, among others. An organization with both teams would notice the doubling of resources focused on yielding the same result, yet from a slightly different perspective. It would be a waste of time and personnel expertise if they worked without coordination.

Communication and Coordination for the Best Security Outcome

Collaboration is always more complicated. Not only are team members tasked with trying to match one-to-one the intentions of threat actors, but they also need to coordinate with a different department. But this is how it could work out for the best:

Professionals from either team must not absorb the other team members’ knowledge or identity. But by sitting down and understanding their processes and activities, they might better understand where they overlap and where they complement each other, resulting in a more complex overall security process.

With the help of highly curated information offered by threat intelligence experts, cyber risk professionals could tailor better product delivery.

The combined knowledge of these two teams can be the most proactive security approach available to an organization, with more actionable threat modeling and more focused, adaptable, and comprehensive playbooks.
