RSA released the ninth installment of the Security for Business Innovation Council report last week, and through a series of blog posts on Speaking on Security, we’re going to analyze the various areas highlighted in the findings. Today I’m going to explore the concept of Intelligence-Driven Security. In our world, intelligence-driven means that information coming in from all of our available sources will influence our actions—some of which will become automated over time.

The report makes a pretty sad claim about the global state of information security, one that has been explored here in the past and is largely derivative of the old subject of my blog. Security programs tend to be compliance-driven or, even worse, simply optimized for compliance. We focus on keeping the auditors off our backs instead of really thinking about the visibility we need in our environment to discover and combat cyber-threats.

Image: Troop Inspection (Explored), by pasukaru76

First off, how sad is that?

I don’t think I’ve met a security professional who said that he was the happiest of the happy clams because his daily job was defending the network against PCI assessors and other auditors. Those guys don’t go to Shmoo, or BlackHat, or Defcon, or even BSides. They wouldn’t know what an advanced attack looked like until someone gave them theories on how their network was breached. Why just theories? Because compliance-led security will ignore key elements of intelligence that can help you spot and stop an attack.

Now, not all security programs are compliance-led; some have shifted to an incident-led approach. I imagine these folks can’t remember what the place looked like without giant fires blazing through the campus. They choose to wear shorts and crank down the A/C instead of finding the pyromaniac in their midst. Constant reaction to events creates unplanned work, which derails our ability to make real progress in our IT-driven business.

The challenge with intelligence-led security lies in our ability to reliably and consistently collect the right intelligence from the right sources, manage and correlate that data, learn what the bad guys are doing, and take action, all while using a risk-based approach to dictate how we act upon and share this information. It isn’t easy, and as an industry we’re behind. But don’t despair! The SBIC’s ninth report not only outlines many other characteristics and examples of intelligence-driven security, but also gives you an actionable, six-step roadmap to convert your team and function to be intelligence-led. There are some fantastic charts and work product that your teams can act on immediately to help you shift your focus to the things that matter. Go check it out and start your journey!

This post originally appeared on
