The coming reckoning: Showing ROI from threat intelligence

Threat intelligence has been a part of cyber defense processes in the private sector for nearly a decade now. Many threat intelligence teams were initially composed of classically trained intel operators from the public sector, where they focused on gathering data to thwart national security threats. And as these teams grew and adjusted to protecting against customer data breaches and disruptions to services, growing pains associated with working in a corporate environment were to be expected.

Expectations are changing, though. Security operations is maturing, and as threats have continued to evolve, enterprises have made significant investments in security infrastructure. C-suites and boards are increasingly involved in security decision-making, and studies show that they are doubling down on security investments, which are expected to rise to $458.9 billion in 2025 from $262.4 billion in 2021.

But with increased investment comes scrutiny and rigorous competition for dollars across IT and security teams. Yet for threat intelligence teams, it appears old habits die hard. Many remain in the government intel mindset, focused on funneling data to the security operations center (SOC), and have limited experience in extending threat intelligence to other parts of the business, communicating the resulting value and justifying the investment required.

Delivering curated threat intelligence to more teams that need it, enabled with bi-directional integration, will allow CISOs and their teams to prove threat intelligence is far from a cost center.

After nearly a decade of threat intelligence going corporate, a reckoning is coming. It’s time for CISOs and threat intel teams to start working together and prove that threat intelligence is not a cost center, but drives value across all security operations.

As threat intel teams mature, here are three recommendations to help create a shift in mindset and demonstrate the full value threat intelligence provides.

Think of the threat intel team as the providers of a product

Bridging the gap: What CISOs must do to get the C-suite on their side

Every CISO must face a cold, hard fact: You might not have a seat at the boardroom table or the executive leadership team meeting.

At some organizations, this relatively new role doesn’t get C-level attention yet, and at others, the organizational structure can prevent you from ever getting a permanent seat at the table. Other complexities arise if you report to a CIO or CTO and feel muted by the hierarchy. Or, perhaps your message is diluted by the time it gets up the chain of command.

While lack of access to the highest levels of your organization can be disheartening, remember that you can still have a significant influence on your organization and its security. You may just have to hustle.

Be a translator: When you engage in executive or board communication, speak like a business person and keep your messages brief and engaging.

As an executive, I’d happily meet with a team member (at any level) who wants to run ideas by me. If these ideas are interesting, I’d likely let them marinate for a few weeks before reaching back out to the employee with feedback. Now we’ve started an open dialogue and begun building a rapport. In the course of our conversations, maybe this person continues to present thought-provoking ideas. I might take their suggestions to the board or invite them to present them.

Of course, having a permanent seat at the table is ideal. But, if that’s not realistic, work to get yourself — or at least your ideas — into the boardroom. Just because you don’t have a standing invite doesn’t mean that you can’t have an impact.

Create relatable and relevant messaging

To get your message across to time-strapped executives (or just about anyone for that matter), you need to meet them where they are. You already know why cybersecurity investment is essential to your role. Now step into your leadership’s shoes to explain why it’s crucial to theirs.

Starting your journey to zero trust adoption

“Zero trust” is certainly a buzzword that gets freely thrown around in cybersecurity. But what does it actually mean?

Also, why is a zero trust security model and architecture being mandated by the government? What should organizations consider to ensure their success?

Let’s start off by agreeing on what zero trust is and is not. It’s not a product or tool — it’s a methodology and model that requires a shift in our approach to cybersecurity controls. The traditional castle and moat approach was based on an environment where users, applications and data were managed within a defined corporate network.

With cloud, IoT, BYOD and a mobile and remote workforce, many users, applications and data are now outside the traditional organizational boundary. As such, organizations are recognizing the need to shift their cybersecurity approach to a model that never trusts implicitly and always verifies.

Many organizations are only now beginning to look at zero trust and trying to figure out what it means to them. What’s the impact from a security and productivity perspective? How do we go about implementing this approach? What tools do we need? How will we afford this?

Shifting to a zero trust model is not about replacing the infrastructure wholesale. It’s more of an incremental journey of modernizing the IT and security environment. In a zero trust model, organizations can identify high-value assets and data within the network and ultimately protect this information beyond what traditional cybersecurity methods allowed, no matter where users, apps and data reside.

Maybe just as important is for this approach to enable the business by automating processes so that the security controls are essentially transparent to users. For example, single sign-on (SSO) allows a user to log in once to access all their authorized business applications, reducing friction and improving the user experience.

Twitter’s Rinki Sethi on why CISOs win when security is a shared responsibility

Starting a new job can be stressful at the best of times. During lockdown, it can be a real challenge.

Rinki Sethi joined Twitter as its chief information officer a year ago during the peak of the pandemic. Like most companies, Twitter had closed its offices, requiring its thousands of employees — and new hires — to work from home. For someone who thrives in the office, Sethi said going in as a new, entirely remote employee came with its own complexities.

“When you’re leading a security organization, one of the biggest things is trust, and one of the things you have to lean in on is building trust with the people that are driving security — your own team,” Sethi said during a wide-ranging virtual fireside interview at TechCrunch Disrupt 2021. Building those working relationships over video calls is much tougher, she said. “I’m used to doing that in person.”

Sethi is no stranger to cybersecurity and has previously held senior cybersecurity positions at IBM, Intuit, Palo Alto Networks, and most recently served as Rubrik’s CISO. Now as Twitter’s CISO, she oversees efforts to protect Twitter’s information and technology assets — entirely remotely for the time being. While that comes with its own challenges, there have also been upsides.

The pandemic didn’t just change how companies respond to cyber threats, it changed how we work. Remote work has broken down barriers to the global talent pool, once restricted by who could relocate to be near the office. We’re talking more about mental health in the workplace, and there’s a greater focus than ever on the people that keep companies running.

These factors don’t just make for a stronger workforce, they make for a more secure workforce. “There’s some ‘people-aspect’ to everything,” said Sethi. “Making sure your employees are feeling good; that they’re able to do their best work; that they’re mentally in a good space. I think that’s one of the most important things that tools, technology, applications and monitoring are not going to be able to solve for.”

Insider hacks to streamline your SOC 3 certification application

If you’re a tech company offering anyone a service, somewhere in your future is a security assessment giving you the seal of approval to manage clients’ data and operate on your devices. No one takes security lightly anymore. The business costs of cyberattacks have now hit an all-time high. Government bodies, companies and consumers need the assurance that the next software they download isn’t going to be an open door for hackers.

For good reason, security certifications like the SOC 3 really put you through the wringer. My company, Waydev, has just attained the SOC 3 certification, becoming one of the first development analytics tools to receive that accreditation. We learned so much from the process, we felt it was right to share our experience with others that might be daunted by the prospect.

As a non-tech founder, it was hard not only to navigate the process, but to appreciate its value. But by putting our business caps on, our team was able to optimize our approach and minimize the time and effort needed to achieve our goal. In doing so, we were granted SOC 3 compliance in two weeks, as opposed to the two months it takes some companies.

We also turned the assessment into an opportunity to better our product, align our internal teams, boost our brand and even launch partnerships.

So here’s our advice on how teams can smoothly reach a SOC 3 while simultaneously balancing workloads and minimizing disruption to users.

First, bring your teams on board

Because we can’t expect employees to stack those hours on top of their regular workdays, as a leader you have to accept — and communicate — that the speed of your output will inevitably decrease.

As a founder, you’ll be acting as captain steering a ship into that SOC 3 port, and you’ll need all members of your crew to join forces. This isn’t a job for a specially designated security team alone and will require deep involvement from your development and other teams, too. That might lead to internal resistance, as they still have a full-time job tending to your product and customers.

That’s why it’s so important to start by being crystal clear with your employees about what this process will mean to their work lives. They also have to embrace the true benefits that will arise. SOC 3 will immediately raise your brand’s appeal and likely see new customers come in as a result.

Each employee will also come out the other end with well-honed cybersecurity skills — they’ll have a deep understanding of potential cyber threats to the company, and all security initiatives will carry a far lighter burden. There’s also the sense of pride and fulfillment that comes with having an indisputable edge over your competitors.

Early-stage benchmarks for young cybersecurity companies

We’re quick to celebrate the extraordinary victories of Israel’s multiplying cybersecurity unicorns, but every success story must start somewhere. The early days of any young startup decide how successful it can be, which is why we’ve developed a focused, value-add program to support cybersecurity founders during this most critical stage and maximize their potential in building market-leading companies.

However, the early stages of cybersecurity company-building are often shrouded in mystery, only coming into the light for fundraising and feature announcements. This leaves many entrepreneurs we speak with asking what exactly cybersecurity companies are achieving behind the curtain to earn these huge victories.

Though every company’s journey is unique, we can tease out trends and patterns to establish performance benchmarks for the cybersecurity ecosystem as a whole. To most entrepreneurs, however, the sensitive data required to understand the early success of a company is often unavailable or obscured. Moreover, the industry has yet to formally define proxies for growth and momentum beyond fundraising — leaving cybersecurity founders aiming for landmarks without guideposts.

When it comes to contracts, timing can provide important insight into the quality and performance of the sales pipeline. On average, successful companies will have closed their first paying customers in the U.S. within 12 months of their seed round.

Entrepreneurs require guideposts to aspire to when building large companies, and critical customer and revenue expectations can be best established by looking at what already successful cybersecurity companies have accomplished. Such metrics have been previously established for wider areas of technology, such as SaaS.

Leveraging our experience and resources, we collect this knowledge to keep our founders informed with the most up-to-date cybersecurity-specific metrics for long-term and large-scale growth. We hope that sharing these unique insights into early-stage cybersecurity companies — based on our own portfolio companies’ average performance — will help entrepreneurs in the wider Israeli ecosystem more confidently build their budgets and roadmaps with industry evidence.

Benchmarks for early-stage cybersecurity companies

What should revenue look like over the first few years?

Though today’s investors are growing more aggressive, $500,000 in annual recurring revenue (ARR) is a traditional baseline requirement for a successful Series A from strong investors, and hitting that mark quickly should remain every entrepreneur’s goal. Hitting this target indicates product-market fit and customer willingness to commit to your solution.

Discounting variances in pricing, the best companies we’ve seen are able to reach the $500,000 benchmark in less than 18 months. From there, top-performing companies can expect to gain momentum and reach $1 million in ARR in 18 to 24 months. Such momentum is contingent on a number of factors for Israeli cybersecurity entrepreneurs, but growth is mainly reliant on how well founders connect with relevant customers outside the Israeli market.

True ‘shift left and extend right’ security requires empowered developers

DevOps is fundamentally about collaboration and agility. Unfortunately, when we add security and compliance to the picture, the message gets distorted.

The term “DevSecOps” has come into fashion the past few years with the intention of seamlessly integrating security and compliance into the DevOps framework. However, the reality is far from the ideal: Security tools have been bolted onto the existing DevOps process along with new layers of automation, and everyone’s calling it “DevSecOps.” This is a misguided approach that fails to embrace the principles of collaboration and agility.

Integrating security into DevOps to deliver DevSecOps demands changed mindsets, processes and technologies. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps for security testing to be seamless in development, making the “Sec” in DevSecOps transparent. — Neil MacDonald, Gartner

In an ideal world, all developers would be trained and experienced in secure coding practices from front end to back end and be skilled in preventing everything from SQL injection to authorization framework exploits. Developers would also have all the information they need to make security-related decisions early in the design phase.

If a developer is working on a type of security control they haven’t worked on before, an organization should provide the appropriate training before there is a security issue.

Once again, the reality falls short of the ideal. While CI/CD automation has given developers ownership over the deployment of their code, those developers are still hampered by a lack of visibility into relevant information that would help them make better decisions before even sitting down to write code.

The entire concept of discovering and remediating vulnerabilities earlier in the development process is already, in some ways, out of date. A better approach is to provide developers with the information and training they need to prevent potential risks from becoming vulnerabilities in the first place.

Consider a developer who is assigned to add PII fields to an internet-facing API. The authorization controls in the cloud API gateway are critical to the security of the new feature. “Shifting left and extending right” doesn’t mean that a scanning tool or security architect should detect a security risk earlier in the process; it means that a developer should have all the context to prevent the vulnerability before it even happens. Continuous feedback is key to up-leveling the security knowledge of developers by orders of magnitude.

To guard against data loss and misuse, the cybersecurity conversation must evolve

Data breaches have become a part of life. They impact hospitals, universities, government agencies, charitable organizations and commercial enterprises. In healthcare alone, 2020 saw 640 breaches, exposing 30 million personal records, a 25% increase over 2019 that equates to roughly two breaches per day, according to the U.S. Department of Health and Human Services. On a global basis, 2.3 billion records were breached in February 2021.

It’s painfully clear that existing data loss prevention (DLP) tools are struggling to deal with the data sprawl, ubiquitous cloud services, device diversity and human behaviors that constitute our virtual world.

Conventional DLP solutions are built on a castle-and-moat framework in which data centers and cloud platforms are the castles holding sensitive data. They’re surrounded by networks, endpoint devices and human beings that serve as moats, defining the defensive security perimeters of every organization. Conventional solutions assign sensitivity ratings to individual data assets and monitor these perimeters to detect the unauthorized movement of sensitive data.

Unfortunately, these historical security boundaries are becoming increasingly ambiguous and somewhat irrelevant as bots, APIs and collaboration tools become the primary conduits for sharing and exchanging data.

In reality, data loss is only half the problem confronting a modern enterprise. Corporations are routinely exposed to financial, legal and ethical risks associated with the mishandling or misuse of sensitive information within the corporation itself. The risks associated with the misuse of personally identifiable information have been widely publicized.

However, risks of similar or greater severity can result from the mishandling of intellectual property, material nonpublic information, or any type of data that was obtained through a formal agreement that placed explicit restrictions on its use.

Conventional DLP frameworks are incapable of addressing these challenges. We believe they need to be replaced by a new data misuse protection (DMP) framework that safeguards data from unauthorized or inappropriate use within a corporate environment in addition to its outright theft or inadvertent loss. DMP solutions will provide data assets with more sophisticated self-defense mechanisms instead of relying on the surveillance of traditional security perimeters.