As the financial services sector continues to future-proof its business models, the increasing volumes and forms of data being stored, processed, and transmitted bring new opportunities and risks. Expanding uses of data are integral to staying competitive, but they also represent a growing attack surface. In order to sustain trust in the financial system more broadly and to protect our customers’ security and privacy, that attack surface needs constant and evolving protection.
A major part of this evolution of protection is the timely processing of threat intelligence, but with that there is the problem of scale and speed. The solution isn’t just hiring more cybersecurity staff to manage the continuous flow of threat intelligence; even if we wanted to, there wouldn’t be enough of them. Rather, the entire process of threat intelligence and response needs to be industrialized, with end-to-end automation that enables the humans we do have to make better decisions by processing the data in relevant ways.
Lessons from the Business
In the last 30 years, businesses have figured out how to harness a massive stream of information to deliver value to customers. Algorithms and automation, in some cases augmented by artificial intelligence and machine learning (AI/ML), allow systems to crunch huge amounts of data at an accelerating rate. This enables people to focus on strategy and data-enabled decision making. With these technologies increasingly available at scale, this human-powered decision making is where the differentiated value is created.
We in security can leverage the same strategies to manage threat intelligence that our businesses use to consume market data. We need to keep investing in systems to speed up the “OODA Loop” (Observe, Orient, Decide, Act). Automating intelligence sharing is critical, but not sufficient. We also need to apply end-to-end automation to support humans’ ability to consume and act on that intelligence, so that our responses get orders of magnitude faster. Tools that merge threat intelligence with organizational risk context help teams prioritize their efforts. For example, if we receive millions of intelligence items per day, and 20% of those are related to a technology we don’t use, those can be automatically de-prioritized.
Framing the strategies this way to business executives and boards can help ensure that security operations can be better understood, funded, and optimized.
Structural Differences
The parallel isn’t 100%. With business information, there is significant maturity in quantification and validation; there are balance sheets, 10-K filings, stock prices, yields, and rates. Regulations and accounting practices delineate the playing field. The nature and quality of threat intelligence is far less predictable. Standardization and regulation are less mature. The value of the work is harder to quantify.
But there has been huge progress. When the financial services industry started intelligence sharing through FS-ISAC two decades ago, the sharing was informal and person-to-person, and now we have automated intelligence feeds across thousands of institutions around the world. Electronification of markets and the digitization of business has been underway for even longer. We can look to the sophistication of our business colleagues, as well as the levels of automation and data-enabled analysis we see in other industries like defense, aerospace, and energy. As executives start applying the same principles and strategies to intelligence sharing, we’ll get there even faster. We have to, because the onslaught of threats will not slow down.
For more of Phil's insights, go to philvenables.com.
Insights
