Article, 22 Apr 2021

Fundamentals of an Intelligence-led Approach to Cyber Security

The risk of cyber attacks is growing and having an intelligence-led approach is critical to anticipate new threats.


As cyber security risks continue to evolve, so too must a firm’s approach to cyber defense. Adopting a more proactive, intelligence-led approach to cyber security can help firms get ahead of emerging risks. It is estimated that cyber breaches cost the global economy $1.5 trillion per year, and this is expected to increase, with some sources believing it could cost the global economy a staggering $6 trillion by 2021, according to Marsh & McLennan. The increasing scale of cyber breaches means it has now become necessary for organizations to mature beyond a basic, reactive defensive approach to cyber to a proactive, intelligence-led one.

Getting on the Front Foot

The complexity of the cyber threat environment is compounded by a number of drivers, which have influenced the need for organizations to mature beyond a reactive defensive approach to a proactive, intelligence-led one. To be intelligence-led is to know yourself and to know your enemy: to be able to fully define your crown jewels and to understand both the motivation and the capability of potential adversaries to attack what is core to your operations. Organizations cannot apply a traditional risk-management approach to cyber and expect the same level of success as seen in the way credit and liquidity risks have previously been managed. Rather, organizations need to change their approach to match the dynamic threat environment. Just as banks and clients have moved away from brick-and-mortar branches to online banking, so too have bank robbers moved away from bank heists to cyber attacks to steal money from victims.

Understanding key drivers and how they might impact an organization helps proactively build a cyber security program that can quickly scale to meet demands over a one- to two-year period. Forecasting out 24 months also helps firms plan investment budgets for cyber defensive tools. A strategy can even be laid out over a five-year period; however, it is important to recognize the need for annual updates to take into account the rapidly changing threat environment. Building an effective strategy requires a strong partnership between an organization’s business lines and risk management teams to customize a cyber security program that instils trust and confidence both within the organization and externally with the Board of Directors, advisors, investors, and clients. A strong network defense capability is necessary to map adversarial attack activity to the Cyber Kill Chain®, a concept developed by Lockheed Martin that helps analysts identify which stage of an attack they are observing and where attackers might be located on the network. At the same time, second-line risk management infrastructure must be structured to handle cyber-risk activity separate and apart from technology risk.

Three Types of Risk

Operational Risk

The risk of loss resulting from inadequate or failed internal processes, systems, human factors, or from external events.

Technological Risk

The risk associated with the delivery and operation of technology solutions in support of business requirements. Threats to technology may be from the failure of people, processes, systems, or other operational issues, including events relating to the design, development, and execution of technology solutions.

Cyber Risk

The risk to a business associated with the threat posed by a cyber attack, cyber breach, or the failure of an organization to protect its most vital business information assets. Threat activity can be conducted by a variety of malicious actors, including insiders, organized criminals, nation state actors, hacktivists, or cyber terrorists, each with different motives and a myriad of attack methods.


Collaboration is Key

For years cyber has been treated by organizations as a natural subcomponent of technology risk; today, however, cyber risk must be pulled apart from technology risk, as the drivers and causes of cyber attacks differ from the causes of technology failures. Firms cannot build an effective risk management program to address both types of risk without first understanding this fundamental difference. Placing both the technology and the cyber risk programs under operational risk within an organization is optimal because of the synergies between them.

Collaboration between information security, businesses, and cyber risk silos will support a credible challenge to current cyber risk assessments. This review will produce actionable recommendations along with management oversight to harden the perimeter around an organization’s critical assets.

The cyber threat environment continues to be daunting considering the increase in the speed and effectiveness of attacks. In addition, cyber attacks have complex anatomies to defend against. Most say it is an impossible job to defend against a cyber actor who only needs to be successful once, whereas the defenders have to be successful 100% of the time. But if defenses are built at each stage of the Kill Chain, fully covering the anatomy of an attack as part of an active defense plan, defenders actually have the opportunity to stop attacks at multiple stages of the attack cycle, and so more chances to deter an intrusion than the attacker suspects. Integrating a risk management approach with the firm’s business strategy to anticipate cyber risk early on is an example of successfully employing an intelligence-led mindset. In this case, cyber security is an enabler, enhancing the business’ resiliency by being built into operational metrics, with a commitment to creating a learning organization as the foundation for decision making and strategy development.

Key Elements of An Intelligence-led Strategy

An intelligence-led strategy can include a variety of elements; however, a few are considered foundational:

  • Understand the Threat: Gain knowledge of the adversary and their tradecraft; know yourself, identify valuable assets, and recognize challenges early in the cyber threat lifecycle.

  • Integrate Threat Intelligence & Analytics into Decision-Making: Deliver tactical and strategic intelligence analysis that provides knowledge and insight into the threats of greatest importance to your organization and potentially your industry.

  • Establish a Learning Culture: Ensure there are management processes and tools that enable lessons learned and other key learnings to be raised in a collaborative environment and integrated into how you do business.

  • Build a Foundation of Information Sharing: Increase internal and external information sharing in a trusted environment. One detected event, shared, can serve as defense for a whole sector.

  • Execute Strong Program Management: Support an enterprise approach to integrated processes while conducting incident response in a learning environment.

  • Maximize Collaboration: Promote collaboration and partnership both internally and externally, sharing best practices and benchmarking against peers and competitors. Operate your cyber security program in a non-competitive environment.

Information Security Is No Longer a Competitive Advantage

Employing an intelligence-led strategy means actively keeping up with threat activity. The analysis of this activity should then be integrated into decision making. For example, threat information may be used to drive risk management challenge activity to assess whether controls that were implemented 12 months ago to mitigate the tactics and techniques used by threat actors are still adequate in today’s threat environment. Being intelligence-led also means embracing a learning culture to critically self-evaluate actions taken, such as those taken in response to a cyber event.

Incorporating these learnings makes an organization stronger, but they should also be shared with industry partners. This is because information security is no longer considered a competitive advantage among organizations. Given the size and impact of an event, it is generally accepted that when one organization within, or even across, sectors is attacked, the security of national interests is potentially at stake.

Executing strong program management therefore ensures the consistent application of standards within an organization to govern its cyber security program. Additionally, there must be an emphasis on collaboration across all three lines of defense, ensuring that departments within an organization work day-to-day in unison and recognize that being constantly challenged serves to strengthen the organization as a whole. Furthermore, within an industry, when firms act as partners, they come together to fulfil a common mission to prevent attack activity. By doing so, they are not only defending themselves but, by extension, their clients, investors, and other key stakeholders through the application of sound cyber security practices.

This article is an excerpt from Managing Cyber Risk with Human Intelligence, a report from Citi GPS.
