Home Articles The coming reckoning: Showing Return On Investment from threat intelligence

The coming reckoning: Showing Return On Investment from threat intelligence


Threat intelligence has been a part of cyber defense processes in the private sector for nearly a decade now. Many threat intelligence teams were initially composed of classically trained intel operators from the public sector, where they focused on gathering data to thwart national security threats.

And as these teams grew and adjusted to protecting against customer data breaches and disruptions to services, growing pains associated with working in a corporate environment were to be expected.

Expectations are changing, though.

Security operations are maturing, and as threats have continued to evolve, enterprises have made significant investments in security infrastructure.

C-suites and boards are increasingly involved in security decision-making, and studies show that they are doubling down on security investments, which are expected to rise to $458.9 billion in 2025 from $262.4 billion in 2021.

But with increased investment comes rigorous competition for dollars across IT and security teams. However, for threat intelligence teams, it appears old habits die hard.

Many remain in the government intel mindset, focused on funneling data to the security operations center (SOC) and have limited experience in extending threat intelligence to other business parts, communicating the value and justifying the investment required.

After nearly a decade of threat intelligence going corporate, a reckoning is coming. It’s time for CISOs and threat intel teams to start working together and prove that threat intelligence is not a cost center, but drives value across all security operations.

As threat intel teams mature, here are three recommendations to help create a shift in mindset and demonstrate the full value it provides.

Threat intel team as the providers of a product

Security organisations consist of many different teams. The threat intel team needs to support all these stakeholders with contextualised intelligence for their specific use cases.

Yes, the SOC needs indicators of compromise that have been contextualised to show they are relevant and high priority so they can add them to the watch list for monitoring. However, other teams need intelligence curated for their purposes as well.

For example, incident response (IR) teams need context around adversaries, campaigns and the infrastructure used so they can accelerate responses.

Threat hunters need details of the campaigns being run and the adversaries’ motivations and tactics so they can look for activity that has bypassed defenses.

Patch management teams need to know which vulnerabilities are actively being targeted, if exploits are successful and if the threat is relevant so they can prioritise patching.

Contextualised threat intelligence is a force multiplier, ensuring all teams are focused on relevant, high-priority issues to make the best decisions and take the right actions.

Prioritise integration

An open integration architecture is critical for automating the dissemination of contextualised threat intelligence across teams and tools.

Bi-directional integration enables the threat intel team to access data from a wide range of internal and external sources, including systems, tools, vulnerabilities, identities and more.

Once threat intel analysts have prioritised the data, they can share it with the teams that make up the security organisation and receive data for continuous collaboration, learning and improvement. Integration with existing infrastructure also enables teams to work with the tools they already have to drive faster, more accurate action.

For enterprises looking at extended detection response (XDR) solutions, where contextualised and prioritised threat intelligence must flow through all systems easily and reliably, bi-directional integration is imperative.

An open integration architecture to support the flow of data increases the efficacy and efficiency of teams and tools across security operations.

Formalise executive reporting

As threat intel teams start working more closely with other security teams, they will be able to demonstrate additional value in terms of operational efficiencies.

CISOs will be able to formalise reporting, explaining in greater detail the unique challenges the company faced, how the threat intel team overcame them, the value delivered, lessons learned and how to continue to improve security operations.

For example:

  • What type of malicious activity was sighted, and the steps taken to remediate it.
  • Why you believe certain campaigns could be targeting the organisation.
  • How you’re proactively strengthening defenses, such as prioritising patching of vulnerabilities being leveraged by threat actors that may start to target your industry.

A reckoning is coming, so start preparing now. Delivering curated threat intelligence to more teams that need it, enabled with bi-directional integration, will allow CISOs and their teams to prove threat intelligence is far from a cost center.

In fact, threat intelligence can deliver value that permeates the organisation across multiple initiatives, empowering teams to work more thoroughly against evolving attacks.


This article was originally published on TechCrunch+ in January 2022.


Chris Jacob is the Global Vice President, Threat Intelligence Engineers at ThreatQuotient