Although many businesses use cyber risk intelligence in their day-to-day cybersecurity practices, common misunderstandings (what cyber risk intelligence is, how to build a cyber risk intelligence practice, and what it can actually do for your business) continue to plague practitioners.
A clear understanding of cyber risk intelligence is key to building and maturing your cybersecurity program. To achieve this level of understanding, you should know why:
- Cyber risk intelligence and cyber threat intelligence are not the same.
- Without good data, your cybersecurity program is useless.
- Actionable intelligence is not always actionable.
- The OODA Loop is your key to cyber risk intelligence success.
Risk Intelligence and Threat Intelligence Are NOT the Same
People tend to use “intelligence,” “risk,” and “threats” interchangeably. In reality, these terms refer to different aspects of your cyber ecosystem. Understanding the nuance between them will help your team have more sophisticated and accurate conversations when working to improve your cybersecurity strategy.
Cyber threat intelligence is the act of gathering information on threats and threat actors — with a focus on the who and what of the potential cyber attacks.
Cyber risk intelligence is the act of taking cyber threat intelligence and combining it with contextual information and data (e.g., a vendor’s location, your industry, your annual revenue, etc.) to measure the potential financial impact on your company should an attack occur.
By feeding a combination of cyber threat intelligence and contextual insights into your cyber risk intelligence, you can ensure an accurate measure of risk that will better inform your business decisions.
Turning Decisions Into Action
People often collect threat intelligence and assume it’s enough to inform their cybersecurity program. However, threat intelligence on its own cannot provide actionable insights. Threats aren’t risks; they’re just threats, a single component of risk.
For example: In the situation of a natural disaster, threat intelligence might be the type of weather event it is (hurricane, tornado, earthquake, blizzard). While knowing the type of weather event is helpful, this information alone is not enough for you to determine whether it poses any real risk to your home.
Risk intelligence combines your threat intel (the weather event is a hurricane) with contextual information (the location of your house, the storm’s projected path of travel, your city’s weather event safety plans). This combination helps you understand the potential damage and financial impact you would sustain from the weather event, so you can make an informed decision and action plan (e.g., my home is in the hurricane’s path, so we should evacuate).
Additionally, many people think cyber risk intelligence is a magic button that will explain how to keep your business 100% safe from cyber threats. But while cyber risk intelligence can inform high-quality risk-based decisions, it’s not a Magic 8 Ball that will give you step-by-step instructions on how to take action. As in our natural disaster scenario, the risk intelligence about the weather event can’t tell us exactly what to do, but it does provide us with helpful data to guide our decision-making and plan of action.
Where Action Plans Can Go Wrong
Many cyber rating tools present the rating itself and some next-step suggestions as actionable intelligence (actions that could provide a strategic advantage over a business’s competitors). While security ratings services (SRS) can provide threat intelligence and next steps that you could take action on, the intel isn’t truly effective until you apply the context of your company.
For example: A vendor reviewing your business suggests that you should change the language on your website to be more conversational because younger generations prefer it. However, this vendor may not have the proper context (your target demographic is an older generation) for this intel to be actionable and effective. As a result, your customers think your brand is too unprofessional to work with and they move on to other brands.
When considering recommended actions from SRS, you must ensure they consider the appropriate business context. If you don’t, you could end up taking action that will hurt your business in the long run.
The Key to Cyber Risk Intelligence – Lots of Quality Data
The more data you have, the more accurate your risk assessment will be. Without enough data, you’ll find it more difficult to assess the true risk your organization may face. And without an accurate assessment, your company could easily fall victim to threat actors.
One way companies often talk about cyber risk intelligence is through cyber ratings — a qualitative rating of a vendor’s cybersecurity posture often presented as letter grades (A – F). But, if you base a rating on a small set of controls, the rating can’t give you the insight necessary to make better business decisions.
If a vendor has an F rating, the rating provides enough evidence for you to decide if you want to keep the vendor or cut ties. Once you get above the low grades, you must expand your controls to ensure an accurate view of risk to determine the proper actions to keep your company safe.
Let’s say you base your A ratings on a small set of controls. With a small set of controls, you’ll likely miss out on data that could change it to a B or C. You need more information on the vendor (like how much access they have to your data) to make better informed decisions and action plans.
What a Proper Cyber Risk Intelligence Practice Looks Like
A strong cyber risk intelligence practice requires implementing the OODA Loop. The OODA Loop is a framework that provides cybersecurity practitioners with a four-step approach for making informed decisions on which actions will improve your organization’s and your vendors’ cybersecurity practices.
Here’s what each step looks like for cybersecurity:
- Observe: Collect intel.
- Orient: Review the intel considering the context of your business.
- Decide: Decide what the next steps for your company are considering the oriented intel.
- Act: Execute your next steps.
Want to learn the ins and outs of the OODA Loop?
Check out Unleashing the Power of the OODA Loop in Cybersecurity, written by Black Kite’s CSO Bob Maley.
Black Kite’s Approach to the OODA Loop
Here’s how Black Kite’s robust data collection practice enables anyone to not only breeze through the first two phases of the OODA Loop, but also conquer the final two.
As data is a key component of accurately measuring risk, Black Kite collects almost 300 data control points through our open source intelligence solution. For context, most of our competitors collect roughly a third as much data to create their cyber risk ratings.
Black Kite’s Third Party Risk Intelligence solution orients data for you. Our solution translates vendor data into a technical cyber rating, risk quantification, compliance correlation, and ransomware susceptibility — granting you a multi-faceted view of risk.
Decide and Act
After Black Kite collects all the data available on your vendor and assigns them a technical cyber rating, you can make data-driven decisions on how to act.
- The vendor is safe and we can continue to work with them.
- The vendor is not safe and we need to cut ties with them.
- The vendor is too crucial to our operations to let go, so we will work with them to improve their cyber hygiene.
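The following is an added worked example, not Black Kite’s code, scoring model or control list, that ties together three points from this post: the difference between threat data and risk intelligence, the way an “A” built on a small control set can drop to a “B” or “C” once more controls and vendor context are considered, and the four OODA phases ending in the three vendor decisions listed above. The control names, pass/fail results, grade bands, the 0.15 context penalty and the two vendor profiles are all constructed for illustration.

```python
"""Toy OODA loop over constructed vendor data (hypothetical example, not a
vendor methodology). Shows how the same technical findings yield different
risk grades once more controls and business context enter the picture."""
from dataclasses import dataclass

# --- Observe: constructed control findings for one vendor ------------------
# True = control passed, False = control failed. Values are made up.
SMALL_CONTROL_SET = {
    "tls_config": True,
    "dns_health": True,
    "email_spoofing_protection": True,
    "patch_cadence": True,
}

# Same vendor, wider lens: the extra controls surface failures the small
# set never looked for.
EXPANDED_CONTROL_SET = {
    **SMALL_CONTROL_SET,
    "leaked_credentials": False,
    "exposed_admin_ports": False,
    "web_app_headers": True,
    "ssl_certificate_validity": True,
}


@dataclass
class VendorContext:
    """Orient-phase context that threat data alone does not carry (constructed)."""
    name: str
    has_access_to_sensitive_data: bool
    critical_to_operations: bool


# Two constructed vendor profiles sharing the same technical findings.
CRITICAL_VENDOR = VendorContext("payroll-provider", True, True)
REPLACEABLE_VENDOR = VendorContext("swag-printer", True, False)


def observe(controls: dict) -> float:
    """Observe: technical score = fraction of observed controls that passed."""
    return sum(controls.values()) / len(controls)


def to_letter_grade(score: float) -> str:
    """Map a 0..1 score onto the A-F bands used in the post (bands are constructed)."""
    for threshold, letter in ((0.9, "A"), (0.8, "B"), (0.7, "C"), (0.6, "D")):
        if score >= threshold:
            return letter
    return "F"


def orient(score: float, ctx: VendorContext) -> float:
    """Orient: adjust the technical score for business context.
    A vendor holding sensitive data carries more impact, so the same
    findings are penalised (0.15 is a constructed weight)."""
    penalty = 0.15 if ctx.has_access_to_sensitive_data else 0.0
    return round(max(0.0, score - penalty), 2)


def decide(grade: str, ctx: VendorContext) -> str:
    """Decide: pick one of the three outcomes the post lists."""
    if grade in ("A", "B"):
        return "continue"
    if ctx.critical_to_operations:
        return "remediate"   # too crucial to drop; work with them instead
    return "cut_ties"


def act(decision: str, controls: dict) -> list:
    """Act: turn the decision into concrete next steps. For remediation the
    steps are the failed controls; other decisions need no control work."""
    if decision == "remediate":
        return [f"remediate:{name}" for name, ok in controls.items() if not ok]
    return [decision]


def run_ooda(controls: dict, ctx: VendorContext) -> dict:
    """Run the four phases and return every intermediate result."""
    technical = observe(controls)
    oriented = orient(technical, ctx)
    decision = decide(to_letter_grade(oriented), ctx)
    return {
        "technical_grade": to_letter_grade(technical),
        "oriented_grade": to_letter_grade(oriented),
        "decision": decision,
        "actions": act(decision, controls),
    }


if __name__ == "__main__":
    for controls in (SMALL_CONTROL_SET, EXPANDED_CONTROL_SET):
        for ctx in (CRITICAL_VENDOR, REPLACEABLE_VENDOR):
            print(len(controls), "controls,", ctx.name, "->", run_ooda(controls, ctx))
```

Run as written, the small control set grades the vendor “A” on technical data alone, yet the expanded set grades the same vendor “C”, and applying the sensitive-data context drops it to “D”. Only then does the critical-vs-replaceable distinction decide between a remediation plan and cutting ties, which is the post’s point that the decision comes from context plus data, not from the threat findings by themselves.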
OODA Loop Your Way to Success
As the cybersecurity landscape constantly evolves, the only way to keep up is to evolve your cybersecurity practices with it. Understanding that cyber threat intelligence is a component of cyber risk intelligence, not the entire thing, will help you avoid the mistake of not including an expansive range of data when measuring vendor risk.
Knowing how to make actionable intelligence actually “actionable” will prevent you from making decisions based on data lacking business-specific context — potentially saving you from a choice that could hurt your company’s security, revenue, and brand reputation.
Continuously implementing the OODA Loop into your cybersecurity practice will ensure that you take every step when reviewing data to measure vendor risk. This will protect your business from working with a vendor that is less secure than they seem.
Ready to take your cybersecurity practice to the next level? Check out our Ultimate Guide to Building a Third-Party Risk Program and learn the five steps to build out and modernize your third-party risk management program.