How do I BRI?

Back when I began my security career, cyber threat intelligence (CTI) was considered the “standard” for intelligence in the commercial sector. It’s easy to see why: CTI’s indicator-centric approach remains integral to the success of any network defense or perimeter security initiative. However, these use cases are where the benefits of CTI begin and end. Addressing today’s volatile threat landscape requires strategic insights and enterprise-wide collaboration, which is why Business Risk Intelligence (BRI) is quickly dethroning CTI as the new intelligence standard.

Unlike its predecessor, BRI provides a decision advantage that supports not just cybersecurity teams but all business functions across the enterprise. So, how does BRI work? How does it compare to CTI? And what makes a BRI program successful? Here’s what you need to know:

Focus on risk

The simplest way to differentiate between these two types of intelligence is to recognize that while CTI helps detect individual cyber threats, BRI, as its name implies, addresses overall business risk. The following basic formula for risk illustrates this concept:

Risk = threat x likelihood x impact

As you can see, threat is only one component of risk. So, although CTI can enable us to identify cyber threats, it doesn’t provide insight into the likelihood that a threat will target our business and, if it does, what the end result might be. It’s important to remember that while countless threats exist, they’re not all relevant to all businesses. I’ve seen firsthand how easy it can be for teams that rely solely on CTI to become overwhelmed by the sheer volume of threats they detect – even when many are completely irrelevant to the business.

Rather than concentrating heavily on tactical threat detection, BRI broadens the scope of intelligence to helps us focus on how threats could impact the business on a macro level. Unlike CTI, BRI provides strategic insight into the context surrounding not just individual threats but the threat landscape as a whole. For example, while CTI might equip us with a list of indicators of compromise (IoCs), BRI can help us understand why these IoCs exist in the first place, if and how they could impact our business, and what countermeasures could enhance our security posture moving forward.

Integrate intelligence across all business functions

Since CTI was long considered the intelligence “standard” in the commercial sector, many businesses have been conditioned to appropriate all matters of intelligence to cybersecurity teams. The problem with this approach is that plenty of threats target and/or impact all business functions – not just cybersecurity.

In “How do we measure the value of intelligence,” I wrote about how the most valuable intelligence is that which supports decision-making and risk mitigation across the enterprise. Indeed, this is exactly what BRI does; it equips us with relevant context on a broad spectrum of threats posing a risk to the business as a whole. Organizations with effective BRI programs recognize that just because a threat has originated on the Internet does not mean the threat’s scope of influence will remain restricted to all things cyber. It’s crucial to remember that threats that exist beyond the jurisdiction of most cybersecurity teams often have direct or indirect ties to the Internet – many of which are detectable via BRI.

In working with various organizations to initiate and develop BRI programs over the last couple of years, I’ve seen firsthand how BRI can provide a decision advantage in situations involving malicious actors seeking to compromise an executive team’s physical safety, threats posed by malicious insiders, unknown security vulnerabilities that exist within a company’s supply chain, emerging fraud schemes targeting a company’s customers, and countless others. While these are all examples of threats that while not traditionally “cyber”, they have, in many cases, originated and/or been developed among adversaries operating on the Internet. More importantly, none of these threats would been detected or addressed effectively with CTI alone.

Strive to be proactive

In a perfect world, we would all be able to identify, understand, and combat threats long before they reached our businesses. While I realize this isn’t always possible given the threats and adversaries we face today, I must emphasize that BRI can equip us with far greater insight and preparation than is possible with CTI.

Indeed, this is another stark difference between CTI and BRI. Since CTI largely revolves around IoCs, it can only provide insight into individual threats that already exist and malicious activity that has already occurred. In other words, CTI is reactive. Teams that rely solely on CTI typically concentrate their resources on identifying and blocking existing threats – which can leave little room for actually understanding them. And given that the most effective and proactive defenses require a keen understanding of the threats to which we’re susceptible, CTI alone can’t enable us to do that.

BRI, as I mentioned, is far more proactive. Its emphasis on addressing overall risk rather than just individual threats naturally facilitates a more comprehensive understanding of the threat landscape as a whole. For example, while CTI might help teams identify IoCs related to existing phishing campaigns, BRI would help inform a team’s anti-phishing strategy, raise enterprise-wide awareness of common phishing tactics and response procedures, and reduce the business’s overall susceptibility to phishing attacks in the long term.

It’s no secret that I’m an avid supporter of BRI. As someone who spent the bulk of my career facing the limitations CTI, I can attest to the immense value to be gleaned from an effective BRI program. Regardless of the threats, risks, and security challenges a business may face, it’s crucial to recognize that having the right approach to intelligence – namely that which is risk-centric, proactive, and cross-functional like BRI – has truly become a requirement.