Security Experts:

Finding the ROI in Threat Intelligence

Threat intelligence can play an important role in improving an organization’s overall cybersecurity posture, provided the right case is made and the right processes are put in place. In the past, I’ve addressed the topic of whether an organization should invest in a dedicated threat intelligence team or subscribe to a threat intelligence service. But once that decision is made, the work isn’t over, as whatever choice is made (in-house threat intel team or subscription service) still needs budgetary support from management. While the costs associated with these two approaches vary significantly, no matter if a cybersecurity budget is thousands or hundreds of thousands of dollars, ultimately, IT departments will need to prove to management that the cost associated with threat intelligence is worth the benefit it provides.

First, I’d like to address the idea that threat intelligence is a cost center (albeit one vital to protecting the organization’s reputation and viability) rather than an investment that could lead to a competitive advantage and improved bottom line. It’s an important distinction that needs to be understood by budget decision-makers, who may need some education as to the important role threat intelligence can play in increasing an organization’s productivity. Threat intelligence can greatly accelerate the number of cyberthreats a security team can identify, assess, contain and mitigate in a given period. 

For example, if IT can show that the security team is able to prevent three times as many cyberthreats in the same time frame with the benefit of additional intelligence, the argument can be made that organizations are getting better leverage from their existing security staff and improving their productivity, versus simply spending more money. Viewed as an investment that could free up funds – and more importantly staff time – for future growth, management may look more favorably on authorizing budget for threat intelligence services.

Now, let us take this investment methodology another step forward. A recent survey from the Bureau of Labor Statistics by Peninsula Press found that there are over 209,000 unfilled cybersecurity jobs, with postings up 74 percent over the last five years. When considering how to deploy resources, you must focus on the cost and ability to actually fill your open roles, with the demand far outstripping the supply. Given this, I would guide organizations to find ways to automate workflows and augment their existing staff, versus looking to hire in order to fill gaps.

With the right threat intelligence in place, organizations can automate much of their cybersecurity response (provided the intelligence is properly integrated into an organization’s existing infrastructure). The reality is that many of today’s cyberthreats are a problem not because of their sophistication but rather because of their sheer numbers. Thanks to the ready availability of easy-to-use cyberattack tools on the dark web, the number of cyberattacks attempted each day has increased exponentially. And while most threats are relatively easy to resolve once identified, they still require attention from the security team that could be better spent looking for the attacks that an automated cybersecurity process might not spot as quickly as a human security analyst. Offloading less sophisticated attacks, and letting them be handled by a combination of a threat intelligence service and automated cybersecurity controls, frees up the security team to focus more of their time on more advanced – and potentially more destructive – cyberattacks. 

Another factor IT teams should consider as they work to justify the ROI in a threat intelligence team or subscription is how well it can be integrated into an existing security infrastructure. The ability for a network to automate the bulk of its cybersecurity measures is no small feat and will require significant work to ensure incoming threats don’t slip through cracks in an improperly configured network security platform. Nothing does more to undermine the perceived value of a threat intelligence resource than to have it perform improperly; management will become frustrated paying for an expensive resource that isn’t delivering all the benefits that the security team promised it would.

Threat intelligence is quickly becoming a must-have for any cybersecurity strategy. By ensuring they can explain the benefits a threat intelligence team or subscription can provide in terms that management can understand (productivity gains and ROI), IT departments can better position themselves to obtain the budget support they need to leverage this important tool to better protect their organization’s online presence.

view counter
Scott Simkin is a Senior Manager in the Cybersecurity group at Palo Alto Networks. He has broad experience across threat research, cloud-based security solutions, and advanced anti-malware products. He is a seasoned speaker on an extensive range of topics, including Advanced Persistent Threats (APTs), presenting at the RSA conference, among others. Prior to joining Palo Alto Networks, Scott spent 5 years at Cisco where he led the creation of the 2013 Annual Security Report amongst other activities in network security and enterprise mobility. Scott is a graduate of the Leavey School of Business at Santa Clara University.