5 Reasons Why Your Threat Intelligence Strategy Will Fail and How You Can Salvage It

5 Reasons Why Your Threat Intelligence Strategy Will Fail and How You Can Salvage It

A well-established cybersecurity team is equipped with the latest tools, valuable experience of infosec professionals, a dedicated budget, and plenty of data from threat intelligence sources. Is this not enough for a team to give excellent performance and stay untouched by emerging threats? Perhaps not if you are doing it wrong.

In a study performed by PwC (Price Waterhouse Coopers), of 10,000 global CSOs and CIOs, only 51% monitor and analyze threat intelligence for detecting incidents and risks. [1]

Why Threat Intelligence Can Fail

1. Misunderstanding business value

It is significant to understand what type of threat intelligence is required for your business. Threat intelligence data is identified based on business problems. An analyst collects the data if a particular threat feed serves as a problem-solving tool and not because the data is interesting, and the chart looks cool. If the intelligence is not connected to the business problems, the purpose of having a threat intelligence team will not be met.

How to fix it:

Always analyze the data from the threat intelligence perspective and its ability to protect your business. Understand if it can help in finding direct threats to your organization and can correlate internal data with external sources. The correlation should able to create more effective security policies and prioritize vulnerabilities to reduce business risks.

2. The wrong feed

There are many feeds available on threat intelligence and if the feed that you own is not relevant to your business, it is of no value. When your business is operating from a challenging environment, then your business requirements are different than those of other companies working from a safer place. For example, if your business is healthcare and you are based in an environmentally challenging environment, then your business is exposed to threats that are different to that of other healthcare operating from developed towns and cities.

Consider the source of data, whether it is raw or processed, drawn from public or private sources. Find out what your requirement is and ensure that you minimize redundancy. The same threat on different feeds doesn’t make it important.

Getting overwhelmed with the information is equally worse to having too little. Be focused on the information relevant to your business.

How to fix it:

Simply having feeds are not enough for having a successful threat intelligence program. There should be context present in the threats that allow you to do security decisions quickly without drowning data. Understand that every threat does not address risks directly but ensure that the threat of intelligence is relevant to your business.

3. Wrong focus on the feeds

Do you focus on the feeds or the entire data as a whole? The entire collection of data includes the internal data of threat, attack, etc., feed data, and data related to event monitoring, traffic, rules, etc. Do you have enough metadata or are you missing on the valuable data about a real threat? Do you able to establish the connection? This is understandable that getting intelligence regularly is a critical task. But it is not possible to analyze the data on a weekly basis or expecting automation of the process serves no purpose.

How to fix it:

To fix the wrong focus of threat intelligence, move from collection to analyzing. But analyzing the entire data is time-consuming and the burden can be reduced by using the technologies that enable your team to concentrate on data analysis and not simply on data collection. Ultimately, threat intelligence is useful if it can prioritize threats based on the severity of the risks and enables you to focus on it.

4. Drowning the data

The Automation and Orchestration research study conducted by ESG, it was identified that despite investing heavily in information security solutions, nearly 74% of those surveyed reported that security events/alerts are simply ignored because their teams can’t keep up with the suffocating volume.[2] The causes include feeds intended for wrong industries or inappropriately sized security teams. Hence, it is important to figure out what the requirement, whether raw data on threats or actionable intelligence which can help on finetuning firewall rules.

How to fix it:

Understand that the feeds are data and not real intelligence. If the feeds are bringing fatigue efforts should be made in tying the feeds with the business needs to make a faster security decision. If the data from the feed is not used, then it is not needed.

5. Inability to operationalize the data

In a survey conducted by the Ponemon Institute on IT leaders, it was observed that 65% believe that threat intelligence could have prevented from an attack to their organization. However, 66% are not satisfied with their current approaches to threat intelligence and felt that the information is not timely. 46% analyzed that the information is not well categorized according to threat trap and it needs to be improved. [3]

Threat intelligence does not trigger a response to a breach but can help in developing tactical actions, provided the team knows how to drive the required action. For an effective threat intelligence, tools and feeds alone not enough and it should be aligned with the business requirements.

How to fix it:

Threat intelligence plays an important role with numerous teams while working to prevent, detect, respond and predict the latest known and unknown threats. it requires continuous monitoring and analysis and strategic to process the valuable feed throughout each phase.

Threat intelligence is a good start, but it will remain at the same place if not handled effectively. The team needs certified people who are trained on every changing dynamic threat intelligence platform. EC-Council’s Certified Threat Intelligence Analyst (C|TIA) is a specialized program which is essential for those who deal with security threats regularly. It is a method-driven program that addresses all the stages involved in the threat intelligence life cycle. The concepts are highly important while building effective threat intelligence and can secure organizations from future threats or attacks.


  1. https://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/assets/gsiss-report-cybersecurity-privacy-possibilities.pdf
  2. https://www.businesswire.com/news/home/20160315005555/en/Phantom-ESG-Research-Finds-Companies-Ignore-Majority
  3. https://www.infoblox.com/company/news-events/press-releases/it-security-professionals-seek-a-better-way-to-exchange-and-consume-cyber-threat-intelligence-according-to-third-annual-infoblox-report/
get certified from ec-council
Write for Us