CSO Threat Intelligence Survival Guide

By George Hulme

If enterprises want to understand how to invest better in security defenses, build the processes needed to respond to attacks, and mitigate the risks of a breach, they need to get threat intelligence right.

Enterprises are trying to learn as much as they can about the threats they face and how well (or how poorly) they are defended against them. This is one reason why spending on threat intelligence security services is set, according to market research firm IDC, to reach $1.4 billion in 2018, up from $905 million in 2014.

As colleague Tony Bradley wrote in his post Cyber threat intelligence is crucial for effective defense, not all threats are created equal, and not all threats would have the same impact on an organization if they succeeded. “It’s important for companies to be aware of all potential threats, but threat intelligence goes a step further and allows those companies to dedicate security resources to strengthen defenses where necessary to strengthen the security posture against the attacks that are most likely to actually occur,” Bradley wrote.

Good threat intelligence is comprehensible and actionable. It combines situational awareness of your own enterprise controls with an understanding of the past actions, capabilities, and motives of likely attackers. That combination tells you which data to protect and how, guides where security investment will pay off, and lets security analysts and response teams prioritize security alerts and event notifications more effectively.

As Grayson Milbourne, security intelligence director at Webroot, said in the story Threat Intelligence Needs to Grow Up, the threats enterprises most need to be aware of are the ones that matter to their own environments. “We need to be looking at how often these threats are encountered in the world. Eighty percent of threats aren’t even prevalent anymore,” Milbourne said.

Good threat intelligence is also based on evidence about the threats to an organization’s data, interests, and ability to conduct business. Reading that evidence is hard because noise and superfluous information are plentiful, and it is difficult to focus on what matters. With so much data about threats, vulnerabilities, and security event alerts pouring in, it is easy to simply stop paying attention. As colleague Steve Ragan wrote in his post Information Overload Finding Signals in the Noise, “Signal-to-noise ratios are hard to manage. As a security professional, you want the threat data, you want the attack notifications and alerts, and you need intelligence. But, when there’s too much coming in, those alerts and notifications fall to the wayside. They’re easily dismissed and ignored.”

That’s why it’s important that threat intelligence gets done right. Getting it wrong sets enterprises up to fail in their security efforts by leading them to bad decisions. This is especially true as enterprise technology moves so swiftly toward cloud, mobile, and IoT. Threat intelligence is how enterprise security teams understand how to invest better in security defenses, build the necessary processes, and mitigate the risks of attack.


Security teams are overwhelmed by a massive amount of threat data. A decade ago no one outside government agencies was talking about threat intelligence; now organizations are bombarded with threat data and challenged to identify what is relevant.