
Best Practices for Building a Successful BRI Program

Business Risk Intelligence (BRI), as I’ve written previously, is becoming a new industry standard. As someone who’s faced the limitations of cyber threat intelligence (CTI) — BRI’s predecessor — firsthand, I can attest to the immense value to be gleaned from abandoning CTI’s indicator-centric approach in favor of a comprehensive BRI program. But since BRI’s enterprise-wide focus is a relatively new and less-familiar concept, I realize that some organizations might be unsure of how to initiate and maintain a BRI program effectively.

As such, I’d like to share the following tips and best practices to provide insight into some of the key components and processes of a successful BRI program:

Understand the Definition and Purpose of Intelligence

Regardless of an organization’s size, industry, or capability, attaining a clear understanding of the purpose and definition of intelligence is the first step in establishing a successful BRI program. Indeed, it’s crucial to recognize that much of what the industry has long categorized as intelligence is actually just data or information.

By definition, all intelligence begins as raw data collected from any source deemed relevant. When we apply meaning and context to the data, it matures into information. The information becomes intelligence only once we have established the questions we would like the intelligence to answer and the specific purpose we would like the answer to serve.

The general purpose of intelligence, meanwhile, is to equip its consumer with the timely, accurate knowledge necessary to make decisions. This means that while keyword alerts, for example, are often depicted as intelligence within the scope of CTI programs, they aren’t really intelligence at all. Since these types of automated alerts are typically not enhanced with the additional context and analysis required to decipher what decision or action the organization should take in response, they are not intelligence and, more importantly, not something to strive for with BRI.

Establish Meaningful Intelligence Requirements

Before we begin gathering the data that will eventually become BRI, we first must determine what questions we will need our intelligence to answer. These needs are known as intelligence requirements (IRs). Not only do IRs enable us to prioritize our BRI needs, determine our data sources, and establish the type of analysis required to process that data, they help us identify which dissemination methods are most appropriate for the BRI we’ll ultimately produce.

Typically, the most effective IRs are highly specific, timely, tailored, and actionable. For example, executive protection teams seeking to integrate BRI into their strategy might be tempted to establish an IR like “are there physical threat actors we should be worried about?” However, this is far too broad. Instead, questions such as: “Will there be any physical threat actors in the vicinity of our CEO’s upcoming public appearance?” and “What are the capabilities and motivations of these threat actors?” are more specific, timely, and will therefore help produce BRI that is far more relevant and actionable.

While establishing IRs that align with the above guidance may seem obvious, the step is a common oversight among intelligence teams that may be blinded by vast amounts of data. These teams often lack direction and are driven by an approach that is far too broad to be effective. They may try to capture the data of all existing threats to all organizations, only to determine later which threats pose any risk whatsoever to their organization. Not only does too much data present a time-consuming and tedious task for even the most capable of teams, it can impede the progress of those tasked with supporting critical decisions and upholding the operational continuity of their organization.

Foster Open Communication across Teams and Functions

Since BRI aims to address enterprise-wide risk, it naturally benefits from open collaboration and information sharing among teams and functions across the entire enterprise. After all, when intelligence operations are contained within certain teams or functions, others who might also benefit from or enhance such intelligence are unable to do so. But by integrating BRI and collaborating across business units, you can learn to apply intelligence more broadly to address a wider array of use cases.

For example, let’s say an intelligence analyst at your organization is monitoring a Deep & Dark Web forum and observes an adversary who appears to be seeking to physically harm your CEO. Given that your role is cybersecurity, however, you’re unsure how to respond. Who is the adversary? Where are they located? Are their claims credible? How can you protect your CEO? In such a scenario, working with the physical security and executive protection teams at your organization can provide greater insight into the physical threat landscape, help you to better assess the adversary’s claims, and enable all parties involved to mitigate the CEO’s physical security risk.

Ultimately, BRI has not become the new industry standard because it helps detect the existence of threats or collect technical indicators. BRI has become the new industry standard because it can provide organizations across all sectors with an ongoing decision advantage over threats and adversaries. While some organizations may face uncertainties and implementation challenges during the early stages of a BRI program, as intelligence professionals we know that effective decision-making and mitigation tactics require strategic planning, continual adjustments, and ongoing collaboration — all of which are foundational to BRI.
