The strategic importance of threat intelligence
While it is widely accepted that security incidents are inevitable and demand swift, precise responses, the real challenge lies in preventing threats before they occur. That is where data comes in. With data flowing from countless sources, the key lies in transforming it into actionable intelligence. To explore how this can be achieved, moderator Filip De Cock kicked off the debate by asking the panel why anybody should care about threat intelligence in the first place.
Jason Steer started by underlining the strategic importance of threat intelligence to protect organisations: “Threat intelligence ‘removes the blindfold’ by helping cybersecurity teams focus on real threats amidst the noise, especially when resources are limited. It offers a ‘decision advantage’. Fundamentally, it shifts us from being reactive to proactive. For business leaders, it answers existential questions like what the most likely cyber risks are that they must prepare for.”
Fadwa Rachi agreed that threat intelligence helps to turn reactive into proactive, neutralising threats before they materialise and preventing damage to an organisation. She added: “Even when an incident does occur, good intelligence helps to understand threat actor behaviours, which significantly shortens response times and reduces incident response costs. This enables a more effective and efficient response to inevitable incidents as well.”
Kevin Holvoet explained how CCB/CyTRIS uses threat intelligence strategically as a first-line information platform for Belgian organisations: “At a national level, we aim to understand the specific impacts on organisations within our country. We gather information to map our national cyber landscape and identify vulnerabilities. This is used to issue over 20,000 ‘spear warnings’ to Belgian IP address owners, detailing specific vulnerabilities or compromises and outlining necessary actions. We prioritise vulnerabilities based on their potential for significant impact. By understanding what attackers are targeting, we can inform companies on where to focus their efforts.”
It is all about prioritisation
Kevin Holvoet’s response shifted the discussion to the importance of prioritisation in threat intelligence. “Given the vastness of cyber threats, threat intelligence enables organisations and national bodies to identify and focus on the most impactful risks”, Jason Steer pointed out.
Kevin Holvoet continued: “Threat intelligence is essential for prioritisation, enabling organisations to move beyond simply patching every vulnerability to focusing on those vulnerabilities that can cause real harm.”
Gonçalo Ribeiro affirmed that at Europol, the EU’s law enforcement agency, threat intelligence is used to prioritise and drive intelligence collection efforts: “We focus heavily on criminal (enablers) services, understanding intrusion methods and money laundering techniques. Within the ransomware ecosystem, Europol leverages threat intelligence to be proactive and prioritise. Instead of focusing on individual malware families, in coordinated support to law enforcement partners we often target the core administrative groups and wider ransomware ecosystem behind these operations.”
Threat intelligence as a business enabler
Far from being merely a cost, threat intelligence can act as a powerful business enabler, directly supporting strategic goals, improving security posture, and even reducing costs. The moderator confronted the panel with the challenge of how to convince business stakeholders of the importance of threat intelligence.
For Kevin Holvoet, using intelligence as a business enabler is about following the intelligence life cycle: “You start with planning and direction, clearly defining what exactly is needed. These priorities guide the goals of the intelligence programme. Information is then collected, processed, analysed, and presented to business stakeholders in their own language, focusing on risk or financial impact. A crucial step, yet often overlooked, is the ‘feedback loop.’ Regularly engaging with leadership ensures intelligence stays relevant and actionable and leads to more effective results.”
“Beyond direct security improvements, compliance frameworks like DORA for cyber resilience and ISO 27002 also underscore the important role of threat intelligence as a business enabler and to obtain certifications”, added Jason Steer.
Fadwa Rachi challenged the notion that intelligence is solely a cost centre: “It demonstrably helps reduce costs, especially during actual incidents, which can be incredibly expensive.” Moderator Filip De Cock in turn concluded that, in his experience, integrating intelligence into operations reduces incidents, boosts security, and earns management support, all while improving products, customer satisfaction, and competitive advantage.
Actionable and coordinated intelligence
The ultimate goal of threat intelligence is to drive actionable outcomes, whether for a private organisation or a law enforcement agency. This often involves intricate collaboration and the strategic sharing of insights to unravel criminal operations. The panel explored the significance of actionable and coordinated intelligence.
For Fadwa Rachi, intelligence on its own is merely information: “Instead, it is to be used to update business processes and embed specific risk insights into operations, for instance, by implementing additional checks in recruitment processes based on identified trends.”
Gonçalo Ribeiro added: “At Europol, our global centralised position along the cybercrime spectrum allows us to connect the dots between cases worldwide, identify concerned law enforcement agencies with the required legal authority and support them with coordination, deconfliction, and expertise. This ability to find judicial grounds translates intelligence into concrete actions.”
Jason Steer illustrated the power of coordinated intelligence with the example of the 2022 Medibank data breach in Australia, where citizens’ healthcare details were exposed: “The coordination between Australian Signals intelligence, the NCSC in the UK, FBI, and other law enforcement groups enabled the identification and naming of the specific criminal responsible for the attack.”
The value and challenges of Public-Private Partnerships
No single entity can tackle the entirety of the cyber threat landscape alone. Public-private partnerships are no longer optional. They are essential bridges built on trust, facilitating information sharing, and enhancing collective cyber resilience. Moderator Filip De Cock asked the panellists for their views on this and on possible barriers to realising successful partnerships.
Fadwa Rachi agreed that it is necessary to unite to counter cybercrime. “Partnerships with organisations like Europol, central banks, and others are crucial. It’s vital to build trust and communication channels before an incident occurs, enabling seamless information exchange during difficult times. While barriers exist, they are surmountable.”
Kevin Holvoet concurred: “Public-private partnerships absolutely require a foundation of trust, alongside robust governance and frameworks, to ensure that shared information is handled securely and confidentially, encouraging willingness to share. Moreover, legislation, particularly NIS2, is driving an increase in incident notifications. The challenge lies in distilling actionable insights from vast amounts of complex data, without disclosing specific victim information.”
Gonçalo Ribeiro added: “Europol, as a data, people and case hub, requires consent from countries to share intelligence with non-law enforcement organisations. However, we have been granularly implementing a ‘delivering security in partnership’ strategy, seeking to collaborate more with non-law enforcement organisations, including the private sector. Europol has increasingly recognised the need among operational partners to provide actionable insights to the private sector and to do so at earlier stages.”
Selecting and utilising threat intelligence feeds
With an abundance of premium and open-source threat intelligence feeds available, selecting the right ones can be a challenge. The key lies in understanding an organisation’s specific needs and focusing efforts for maximum impact.
Kevin Holvoet stressed the importance of challenging suppliers: “When selecting feeds or vendors, you have to ask difficult, targeted questions. For instance, inquire about their industry and geographical focus, because their intelligence may well not be relevant to you. And finally, avoid collecting new intelligence simply to publish ‘new’ trends. Instead focus on what genuinely matters.”
The panel discussion concluded with some good advice from Jason Steer: “Many organisations establishing a threat intelligence programme try to accomplish too much too quickly. My advice is to start by identifying your biggest pain point today, focus on that and aim to achieve a clear win. When you can demonstrate how threat intelligence helped, people will buy in. But it is crucial to talk to all stakeholders – not just IT, but also HR, legal, and finance – to develop a clear roadmap.”
This expert debate clearly shows threat intelligence is essential for proactive defence and efficient incident response, reducing costs during actual incidents. Transforming data into actionable insights, tailored to specific organisational needs, empowers security teams, earns management support, and drives competitive advantage, proving threat intelligence is a powerful business enabler.
Pictured: Jason Steer and Kevin Holvoet
