By Kaustubh Medhe, Head of Research and Intelligence
A recent market survey report (Source: Fortune Business Insights, March 2023) pegged the current market size of the Cyber Threat Intelligence (CTI) Market at USD 4.24 Billion and estimated it to grow at a CAGR of 20.4% to USD 18.11 Billion by 2030. A December 2022 survey conducted by Cyber Risk Alliance revealed that almost 91% of the surveyed organizations were already using CTI in some form or other.
Organizations are increasingly turning to CTI for a variety of reasons: the increased risk of ransomware attacks, an expanding digital estate that increases the attack surface, onerous data privacy regulations that mandate data security and privacy of personal information, or simply to improve cybersecurity operations, specifically processes around vulnerability management, threat detection, incident response, and threat hunting and investigations.
While motivations (and in many cases, even compulsions) for adopting CTI vary, there is consensus that Threat Intelligence helps organizations prepare for and respond to cybersecurity incidents and even prevent an incident if the intelligence is accurate and timely.
CISOs have managed to secure budgets for their initial investments in CTI. However, many are increasingly pressured into demonstrating the value of CTI when a contract comes up for renewal. These conversations often turn into a price versus value debate, with security operations teams and their Threat Intelligence partners scrambling to devise creative justification and myriad statistical reports to rationalize the investments to the management. This can put the threat intelligence program and the team under undue stress and risk.
To avoid this rigmarole, the CISO office needs to define a value realization framework that can provide a structured approach to measuring and quantifying the benefits of CTI.
Defining a value realization framework can be time-consuming; implementing it correctly requires time, patience, and persistent execution. The following steps can be followed to define such a framework:
- Defining objectives based on a clear understanding of what the organization is looking to achieve through the implementation of Threat Intelligence.
- Identifying the key performance indicators (KPIs) that will be used to measure the success of the initiative. The KPIs should be aligned closely with the objective and must be measurable and repeatable over time.
- Establishing a baseline that defines a starting point against which any improvement in threat detection, prevention, or efficiency attributable to Threat Intelligence should be measured.
- Implementing the service or technology efficiently and in a time-bound manner through established project management practices.
- Once the implementation is successful, it’s essential to monitor and measure the performance of the Threat Intelligence program against the established KPIs and review it against the baseline to assess the quantum of improvement.
- The next step involves analyzing the KPI data frequently to understand whether the threat intelligence program is delivering the expected improvements or results and, if not, quickly identifying the root cause of the issue to initiate corrective actions.
- Conducting a Cost-Benefit analysis to understand the financial impact of the investment. In the context of Threat Intelligence, the benefit can be quantified in terms of “Actual Loss” or “Notional Loss Averted” by the organization by taking action based on the intelligence received. It is pertinent to note that putting a dollar value against each type of benefit offered by Threat Intelligence is impractical. Practitioners should also provide for non-tangible benefits or qualitative benefits (such as preservation of brand reputation) within the framework while computing the Cost-Benefit analysis.
- The final step is reporting and communicating the cost-benefit analysis results and the KPI benchmarks against the baseline to evaluate and demonstrate the total value generated by investing in the threat intelligence program. The report should also include the lessons learned during the process and any modifications or improvements required to be made to the threat intelligence program to ensure that it continues to meet the program objectives. Such a report can then be used to make future investment decisions related to the threat intelligence program.
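The baseline, KPI and cost-benefit steps above, worked through on constructed incident records as an added example (not from the original post or from Cyble): the KPIs, period labels, annual cost and qualitative-benefit list are assumptions, and the loss figures are made up for illustration.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Incident:
    period: str              # "baseline" (before CTI) or "with_cti" (after)
    hours_to_detect: float   # time from first malicious activity to detection
    cti_prewarned: bool      # an intel indicator matched before the incident
    loss_averted_usd: float  # notional loss averted by acting on the intel

# Constructed sample data: four incidents per period (not real figures).
INCIDENTS = [
    Incident("baseline", 72, False, 0), Incident("baseline", 48, False, 0),
    Incident("baseline", 96, False, 0), Incident("baseline", 24, False, 0),
    Incident("with_cti", 12, True, 250_000), Incident("with_cti", 24, True, 0),
    Incident("with_cti", 36, False, 0), Incident("with_cti", 8, True, 50_000),
]

def kpis(incidents, period):
    """Measurable, repeatable KPIs for one period (step 2 and step 3)."""
    sel = [i for i in incidents if i.period == period]
    return {
        "mttd_hours": mean(i.hours_to_detect for i in sel),
        "prewarned_pct": 100.0 * sum(i.cti_prewarned for i in sel) / len(sel),
        "loss_averted_usd": sum(i.loss_averted_usd for i in sel),
    }

def improvement(baseline, current):
    """Review the current KPIs against the baseline (step 5)."""
    return {
        "mttd_reduction_pct": 100.0 * (baseline["mttd_hours"] - current["mttd_hours"])
                              / baseline["mttd_hours"],
        "prewarned_delta_pct": current["prewarned_pct"] - baseline["prewarned_pct"],
        "loss_averted_usd": current["loss_averted_usd"] - baseline["loss_averted_usd"],
    }

def cost_benefit(current, annual_cost_usd, qualitative):
    """Cost-benefit view (step 7): only notional loss averted is dollarised;
    qualitative benefits are reported alongside, never given a made-up value."""
    tangible = current["loss_averted_usd"]
    return {
        "annual_cost_usd": annual_cost_usd,
        "tangible_benefit_usd": tangible,
        "net_benefit_usd": tangible - annual_cost_usd,
        "benefit_cost_ratio": tangible / annual_cost_usd,
        "qualitative_benefits": list(qualitative),
    }

if __name__ == "__main__":
    base, cur = kpis(INCIDENTS, "baseline"), kpis(INCIDENTS, "with_cti")
    print(improvement(base, cur))
    print(cost_benefit(cur, 120_000, ["brand reputation preserved"]))
```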
Thus, by defining key metrics and KPIs, organizations can not only measure and demonstrate the value of their investments in CTI to stakeholders but also identify opportunities for eliminating wasteful initiatives and keeping the Threat Intelligence program honest by ensuring its effectiveness.
About the Author
Kaustubh Medhe – Head of Research and Intelligence
Kaustubh Medhe is a security and privacy leader with over 2 decades of experience in information security consulting, audit, fraud risk management and cyber defence operations.
At Cyble, he leads Research and Cyber Threat Intelligence Services for clients globally.
Kaustubh is a Fellow of Information Privacy (IAPP) and holds the CIPP/E and CIPM credentials.
Kaustubh has executed and led information risk management programs for some of the largest clients in banking, insurance, retail and oil and gas industry in India, US, APAC and the Middle East.
Prior to joining Cyble, Kaustubh was instrumental in setting up and operationalizing a threat intelligence enabled cyber defence centre at Reliance Industries, for one of the largest conglomerates globally with over 250K employees and 50K globally distributed assets (on-premises and the cloud).
Kaustubh was also associated with global managed security services providers such as Paladion (now ATOS) and Happiest Minds Technologies, where he led their Cyber Security and SOC Practice.
Cyble (YC W21) is a leading global cyber intelligence firm that helps organizations manage cyber risks by utilizing patent-pending AI-powered threat intelligence. With a focus on gathering intelligence from the deep, dark, and surface web, the company has quickly established itself as one of the pioneers in the space. Cyble has received recognition from Forbes and other esteemed organizations for its cutting-edge threat research. The company is well-known for its contributions to the cybersecurity community and has been recognized by organizations such as Facebook, Cisco, and the US Government. www.cyble.com