Infosec 2014: People vital to security intelligence, say experts

Actionable security threat intelligence is mainly about having the right people with the right skills, say experts

Actionable security threat intelligence is mainly about having the right people with the right skills, a panel of information security professional has told attendees of Infosecurity Europe 2014 in London.

“Invest in people who clearly understand the business, the objectives of intelligence gathering, and what can be achieved,” said Michael Paisley, head of Santander’s operational risk unit.

Barry Coatesworth, chief information security at retailer New Look, said that people are key but many organisations are failing to focus on people as much as they should.

“There is still too much focus on technology,” he said.

But technology itself can be a problem without the right people, said Joerg Weber, global head of attack monitoring at Barclays.

“It is no use having the technology to deliver threat intelligence if no one is able to do anything with it,” he said, so organisations should ensure they have a commitment to the staff and funding required.

There is a need for technology and people, and the value is in the right combination of the two, said Paisley.

It is also important to have people who understand the stakeholders, who do not get hooked up on the technology, said Weber.

“These are the kind of people who can translate threat intelligence into something that can be understood by everyone,” he said.

Retailer, Marks and Spencer, has invested a lot in the people that make up its security intelligence team, said Matt Denny, head of information security and compliance at M&S.

“The company has also invested a lot in training those people to ensure they are able to make the most of all the threat intelligence they receive,” he said.

The essential thing about “actionable intelligence” is that it is information that the security team can do something with, said Marco Thorbreugge, operational security head at EU cybersecurity agency Enisa.

“This has to be information that can be used to adapt or change and organisation’s defence strategy in a way that adds value,” he said.

Weber said security intelligence must enable security teams to do their job better by focusing on the right things and putting the right resources in the right places.

But, if threat intelligence is to be truly useful, said Paisley, it not only has to be “actionable”, but it also has to be relevant, timely, and contextual.

And, said Weber, organisations need to ensure they have the necessary infrastructure in place to do something with the information.  

“Organisations should ask themselves what would be the impact if they were to stop their threat intelligence operations to get a measure of its value,” he said.

“If there would be little or no impact, then it is a waste of time and money,” said Weber.

Denny said another way of evaluating the value or effectiveness of threat intelligence operations is to ask if it has saved time and money, and reduced exposure.

Panelists agreed that threat intelligence is still far from mature, and that some organisations are lagging far behind the front runners.

Overall maturity of threat intelligence would be greatly helped by the adoption of a single standard for expressing and communicate threat intelligence, said Weber.

“A lack of a standard for threat information exchange and collaboration is holding us back because the present system does not scale,” he said.

A greater degree of information sharing is vital to improve the maturity of threat intelligence, said Coatesworth, while Denny said a greater degree of correlation capability would help save time and money.

Read more about Infosec Europe 2014

Read more on IT risk management