Are You Well Positioned?
Using Threat Information to Build Your Cyber Risk Intelligence Program
Setting the Stage
• The CISO mission: show how ongoing operational costs and investments support business activities
• CISOs need to think more about the Boardroom and not the Server Room
• Protecting everything equally leads to trouble as NOT ALL RISKS ARE CREATED EQUAL
• Regulators, insurers & risk committees expect due diligence and due care in mitigating threats that create risk
“We believed we were doing things ahead of the industry. We thought we were well-positioned.”
- Frank Blake, Chairman of Home Depot
How Did Audit Play?
• Home Depot said they assembled an ‘incident response team’ and went through a 5-hour audit committee review
– Audit was relied on to understand status at the time of the attack
– Measuring cyber risk was not a recurring effort from an operations resilience view
– Was it treated as …
• an internal control?
• a benchmark review?
• a check box?
“Assessments of the nature of the threat weren’t sufficient.”
- Frank Blake
How Audit Should Play
• Audit should measure your proficiency against a particular benchmark:
– Business Resilience?
– Risk Intelligence?
– Defining Well Positioned?
– Assessing Digital Harm? (How a business unit’s goals could be impacted by a cyber event)
My Favorite Definition of Risk Intelligence
“The organizational ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities, and creating lasting value.”
- Leo Tilman
The Fabric of Cyber
• Cyber is tied to the fabric of everything necessary to run a business, connecting/enabling your:
– Supply chain
– Customer base
– Business support applications
– Financials
– IT Infrastructure
– Marketing and Sales
– Communications
Our Approach to Cyber is Not Working
Too many organizations rely on tools alone to solve their problems.
Tools have outputs. Programs have outcomes.
The Question
“Are we well-positioned for cyber risk in our organization and how do we compare to our competitors?”
What Kind of Program Do You Want to Create?
IT Security Program?
Cyber Security Program?
Risk Management Program?
I would propose it is none of those terms, rather a Cyber Risk Intelligence Program…
But Why a Cyber Risk Intelligence Program?
• Cyber risk intelligence overlays and aligns data of who you are as a company on top of cyber threat data and is used to focus on making decisions and taking the right action.
– How are you positioned?
– How do you compare to others in your industry?
– What people, process and technology are needed in order to reduce your risk exposure throughout all levels of the organization?
Create a Mission Statement
“Be well-positioned for cyber risk in our organization”
You Can Likely Start Now
Your organization already likely collects intelligence on:
• Sales
• Marketing
• Customers
• Financials
• Logistics
• Competitors
Yet “cyber” continues to have little visibility!
Stop Talking Techno-Dork
Cyber risk intelligence IS NOT:
• About what new threat signatures you can pump into your SIEM
• Only about what your SOC Analysts can see
• Just an Information Technology problem
Cyber risk intelligence IS:
• Understanding cyber risk intelligence as it relates to your business and supply chain
• Understanding what you are getting out of your cyber spend and if you are well positioned
• A brand and reputation problem
• A resilience problem
• A financial problem
Don’t be an Actionable Actionating Actionator
You are an Actionable Actionating Actionator if:
• You perform actionable actioning on threat intelligence actions
• You’re not able to influence the decisions of the decision makers
• You seem to be really busy assessing information, i.e. whack-a-mole
How is Your Intelligence Used?
Intelligence needs to focus your organization on Making Decisions and Taking Action
Best Practices
1. Align tactical and strategic cyber intelligence resources as well as high and low level data sets
- You need a 360 degree view
- Create a capability for total situational awareness – Tactical, Strategic, Internal and External
2. Shape resource allocation around measurable and observed threats
- Apply the proper resources to the proper threat
Best Practices… Continued
3. Map cyber risk to your organization’s Key Business Areas
- How does the threat program affect the decisions of the business unit?
- Is the organization “Well Positioned” against observed threats?
4. Mind the gap – Cyber Risk Intelligence is a program and not a tool
- Tools have outputs, programs have outcomes
Measuring Cyber Risk Intel
• Start Simple
– Good business managers run things on a foundation of the evaluated intelligence – it’s the thing you know.
• Make Risks Learnable
– Learnable risks are the ones we could make less uncertain if we took the time and resources to learn more about them.
– Random risks are defined as those that had no analysis.
– Separating learnable risks from random ones, and analyzing their causes or drivers, can make business decisions less uncertain.
– Tie learnable risks to anything that makes you “you”.
Use Cyber Risk Intelligence to Drive Better Security Decisions
Thank You!
www.surfwatchlabs.com

Editor's Notes

  • #7 American financial executive, author, and Columbia University professor Leo Tilman has recently redefined risk intelligence… He has argued that risk intelligence is essential to survival, success, and relevance of companies and investors in the post-crisis world.
  • #10 Imagine yourself in a large conference room full of your peers, board and executive leadership team and influential partners. You are giving a presentation on current cyber risks in your industry and someone asks you a simple question: