Posted August 13, 2015
Author: Eric Olson, VP of Product Strategy
In the first post of this four-part series on making the business case for threat intelligence, we defined threat intelligence and described how to determine whether your organization needs it. Today we discuss how to align your security needs with the business's objectives.
In a typical management structure, business decisions are shaped by governing bodies and fiduciary duties. Most chief information officers (CIOs) and chief financial officers (CFOs) do not want to spend money without documented evidence that the spending will have a real impact on the business, which makes investments in countermeasures hard to justify when their value is difficult to quantify. At a high level the security team's goals overlap with management's, but at a more detailed level security professionals are driven by protecting the organization and its assets, and so they tend to speak a different language than management.
In a recent PricewaterhouseCoopers study, many senior executives and board members said they found it hard to link security technology to the tactical risks it is supposed to mitigate. To argue successfully for a threat intelligence capability, security professionals must map their own objectives onto management's.
Four overarching business objectives are a good place to start: reducing cost or risk, generating or retaining revenue, utilizing assets, and meeting regulatory requirements.
Reducing Cost or Risk
Breaches, intellectual property loss, and service disruptions all incur costs. In some cases, those costs can be quite significant. To date, estimates of the hard-dollar cost of major breaches like Home Depot and Target have run into the tens of millions of dollars or more.
Some costs are obvious, such as direct operational fees for legal and forensic services, consultants, and customer care. Others are harder to measure but no less real, including loss of brand equity and reputation damage. If risk is viewed simplistically as the impact of an event multiplied by its likelihood, then intelligence activities that reduce the likelihood or the impact of those events, or that quantify the risk reduction they deliver, have a clear business justification. Research has also reported that using threat intelligence can save companies millions of dollars.
In addition to the potential savings from risk reduction, a well-equipped and carefully scoped threat intelligence capability can reduce the actual cost of running a security and intelligence function. For example, giving staff collection, prioritization, and analysis tools that make them more efficient enables them to get more value out of the tools that make up most of a typical threat intelligence budget.
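The "impact times likelihood" view above is usually written up for a budget holder as annualized loss expectancy (ALE) before and after the control, with return on security investment (ROSI) as the headline figure. The following is an added example of that model, not code or figures from the original post or from Cyveillance; the scenarios, dollar amounts, reduction percentages and annual cost are constructed assumptions you would replace with your own estimates.

```python
"""Annualized loss expectancy (ALE) and return on security investment (ROSI)
for a threat intelligence business case.

Added example, not from the original post. Every scenario and dollar figure
below is a constructed assumption for illustration, not real breach data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    impact_usd: float        # single loss expectancy: cost if the event happens once
    annual_rate: float       # expected occurrences per year (the "likelihood" term)
    rate_reduction: float    # fraction by which intel lowers likelihood (0..1)
    impact_reduction: float  # fraction by which intel lowers impact (0..1)

    def ale(self) -> float:
        """Risk as impact times likelihood, annualized (ALE = SLE x ARO)."""
        return self.impact_usd * self.annual_rate

    def residual_ale(self) -> float:
        """ALE once the threat intelligence capability is in place."""
        return (self.impact_usd * (1 - self.impact_reduction)
                * self.annual_rate * (1 - self.rate_reduction))


def rosi(scenarios, annual_cost_usd):
    """Return (total ALE before, total ALE after, ROSI).

    ROSI = (risk reduction - cost of control) / cost of control.
    A negative ROSI means the capability costs more than the loss it avoids,
    which is exactly the case a CFO will look for.
    """
    if annual_cost_usd <= 0:
        raise ValueError("annual_cost_usd must be positive")
    before = sum(s.ale() for s in scenarios)
    after = sum(s.residual_ale() for s in scenarios)
    reduction = before - after
    return before, after, (reduction - annual_cost_usd) / annual_cost_usd


# Constructed scenarios (assumed numbers, not statistics from any study).
SCENARIOS = [
    Scenario("credential phishing leading to a breach", 2_000_000, 0.10, 0.30, 0.20),
    Scenario("leaked source code / IP loss",            5_000_000, 0.05, 0.20, 0.50),
    Scenario("DDoS against the online store",             500_000, 0.50, 0.00, 0.40),
]
ANNUAL_INTEL_COST = 250_000  # assumed: feeds, tooling and analyst time per year


if __name__ == "__main__":
    before, after, r = rosi(SCENARIOS, ANNUAL_INTEL_COST)
    for s in SCENARIOS:
        print(f"{s.name:45s} ALE ${s.ale():>10,.0f} -> ${s.residual_ale():>10,.0f}")
    print(f"Total ALE before: ${before:,.0f}")
    print(f"Total ALE after:  ${after:,.0f}")
    print(f"ROSI:             {r:.0%}")
```

With the assumed figures the capability cuts total ALE from $700,000 to $362,000, a $338,000 reduction against a $250,000 annual cost, for a ROSI of about 35%. Run the same model with the cost raised to $1,000,000 and the ROSI goes negative, which is the honest answer when the numbers do not support the purchase. The likelihood and impact inputs are the weak point of any such model, so state where each one came from (incident history, industry reports, or an analyst's estimate) in the business case itself.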
Generating or Retaining Revenue
Security professionals are typically focused on protecting the organization, so they may not see themselves as playing a role in retaining or increasing revenue. Nonetheless, they can build part of their budget justification on the revenue side of the equation.
For instance, as noted above, data breaches incur costs. However, they also impact reputation and customer perception, and may therefore have a direct impact on both new customer acquisition and customer retention. The risk of revenue loss from customer defections or cancellations after a breach, as well as the potential loss of business not yet won, may factor into a business case for starting or expanding your threat intelligence capabilities.
Cyber events can also have a direct impact on real-world operations. If you manufacture physical goods, for example, a cyber attack might interrupt online sales or the production and distribution of inventory, causing revenue losses from downtime or unmet demand. Using threat intelligence to reduce the risk of such disruptions safeguards against these losses as well.
Investing in threat intelligence can also contribute directly to winning revenue. In one real-world example, two government contractors were recently bidding on a major project in a remote and dangerous area. One firm, a Cyveillance client, described in its proposal its use of online monitoring and real-time threat intelligence as a major discriminator in its approach to security (and therefore risk) for the project. The threat intelligence function gave the client an edge over its competition and helped it win the contract. Even though revenue is not a security team's primary mission, a chance to contribute to it should never be overlooked as a way to win friends and influence budget holders.
Utilization of Assets
A third avenue to align threat intelligence (and the budget for it) to management’s interests is to view it as a way to increase utilization of assets or resources that have already been budgeted or bought. If you can tie your activities or budget request to increased employee productivity, efficiency, or effectiveness with assets already in hand, this is a “pure business” rationale that may play well with budget holders.
For example, we routinely see customers who have made significant (six- or seven-figure) investments in buying, configuring, and running a Security Information and Event Management (SIEM) platform or a similar tool. Despite this investment, many find themselves overwhelmed by the volume of data, lacking clear rules for prioritization, and suffering from a talent shortage and "alert fatigue." A modest additional investment in data feeds, lookup services, or APIs can raise the productivity of existing staff and the effectiveness of assets already paid for, which provides a business justification for specific tactical purchases.
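To make the "better utilization of an existing SIEM" argument concrete, here is an added example (not code from the original post or from any vendor's product) of the simplest form that investment takes: enriching alerts the SIEM already emits with a local indicator feed and re-ranking them so analysts open the intel-backed alerts first. The alert schema, the indicator feed, the confidence values and the scoring weights are all constructed assumptions; a real deployment would take indicators from a feed or lookup API and alerts from the SIEM itself.

```python
"""Enriching SIEM alerts with a threat intelligence feed to prioritize triage.

Added example, not from the original post or any product. The alerts,
indicators and scoring weights are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str       # IP address, CIDR range or domain
    kind: str        # "ip", "cidr" or "domain"
    confidence: int  # 0-100, as published by the (assumed) feed
    context: str     # campaign, malware family or other analyst context


# Constructed indicator feed using documentation/test address ranges.
FEED = [
    Indicator("203.0.113.0/24", "cidr", 90, "scanner ranges (TEST-NET-3)"),
    Indicator("198.51.100.7", "ip", 95, "phishing kit C2"),
    Indicator("login-example.invalid", "domain", 80, "credential phishing lure"),
]


def match_indicator(value, feed):
    """Return the highest-confidence indicator matching an IP or hostname, or None.

    Domain indicators match the exact name and any subdomain of it; plain
    suffix matching would wrongly hit "notlogin-example.invalid", so the
    comparison requires a dot boundary.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None  # not an IP, treat it as a hostname
    best = None
    for ind in feed:
        hit = False
        if ind.kind == "ip" and addr is not None:
            hit = addr == ipaddress.ip_address(ind.value)
        elif ind.kind == "cidr" and addr is not None:
            hit = addr in ipaddress.ip_network(ind.value, strict=False)
        elif ind.kind == "domain" and addr is None:
            host = value.lower().rstrip(".")
            hit = host == ind.value or host.endswith("." + ind.value)
        if hit and (best is None or ind.confidence > best.confidence):
            best = ind
    return best


def prioritize(alerts, feed):
    """Score each alert as SIEM severity * 10 plus the best intel confidence.

    Returns the alerts sorted highest priority first, each annotated with
    'score' and 'intel' (the matched indicator's context, or None).
    The weighting is an assumption; tune it to your own alert volume.
    """
    ranked = []
    for alert in alerts:
        fields = (alert.get("src"), alert.get("dst"), alert.get("domain"))
        hits = [h for h in (match_indicator(v, feed) for v in fields if v) if h]
        best = max(hits, key=lambda h: h.confidence, default=None)
        score = alert["severity"] * 10 + (best.confidence if best else 0)
        ranked.append({**alert, "score": score,
                       "intel": best.context if best else None})
    return sorted(ranked, key=lambda a: a["score"], reverse=True)


# Constructed sample alerts in an assumed SIEM export schema.
ALERTS = [
    {"id": 1, "rule": "port scan", "severity": 2, "src": "203.0.113.45", "dst": "10.0.0.5"},
    {"id": 2, "rule": "outbound HTTP", "severity": 1, "src": "10.0.0.21", "dst": "198.51.100.7"},
    {"id": 3, "rule": "DNS query", "severity": 1, "src": "10.0.0.30",
     "domain": "mail.login-example.invalid"},
    {"id": 4, "rule": "failed logins", "severity": 5, "src": "10.0.0.12", "dst": "10.0.0.9"},
    {"id": 5, "rule": "outbound HTTP", "severity": 1, "src": "10.0.0.22", "dst": "192.0.2.10"},
]


if __name__ == "__main__":
    for a in prioritize(ALERTS, FEED):
        print(f"{a['score']:4d}  alert {a['id']}  {a['rule']:14s} {a['intel'] or '-'}")
```

Run as-is, the three low-severity alerts that touch feed indicators (the scan from a known scanner range, the HTTP session to a listed C2 address, and the DNS lookup of a subdomain of a phishing lure) move to the top of the queue ahead of the severity-5 failed-login alert, while the outbound HTTP session to an unlisted address drops to the bottom. That re-ordering, applied to the SIEM already in place, is the productivity gain the paragraph above describes; how much weight intel confidence should carry against the SIEM's own severity is a tuning decision, and the 10x factor here is only an assumption.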
Meeting Regulatory Requirements
Another common justification for a threat intelligence program is to examine how it can address regulatory or industry compliance requirements. For example, in 2013 the Federal Financial Institutions Examination Council (FFIEC) issued clarifying guidance on financial firms' responsibilities around both the use and the monitoring of social media.
In the insurance industry, agents and contractors selling Securities and Exchange Commission (SEC)-registered products, such as mutual funds or annuities, must abide by strict rules regarding marketing language and advertising. Violations of these rules do not just put the agent or salesperson at risk, but the corporate broker-dealer under whom they operate may be subject to fines of thousands of dollars per violation. In the pharmaceutical industry, producers are in some cases required to monitor for online sale of highly-controlled or so-called “restricted distribution” drugs.
Especially in tightly regulated industries such as these, there is a clear argument that effective online monitoring or externally sourced intelligence can improve compliance, lower the risk of fines, and reduce the time spent dealing with regulators and audits.
The security professional's objective or desired initiative will ultimately drive the data, tools, and activities within the security or intelligence organization. By understanding the larger organization's business objectives, security professionals can justify investments in threat intelligence capabilities and formulate a budget request that management will understand and value. In the next post in this series, we will cover what you need to build a real plan.