Starting a business risk intelligence (BRI) program often requires overcoming challenges that involve resource allocation, operational bandwidth, or stakeholder support, to name a few. And occasionally, these challenges can be exacerbated by myths and misconceptions about what BRI is and can accomplish. As someone who has long been an avid supporter and practitioner of BRI, I feel it’s my duty to share—and debunk—some of the most persistent and misleading BRI fallacies I’ve heard over the years.
Myth: BRI is derived solely from Deep & Dark Web (DDW) data
Fact: The most effective BRI programs rely on data sources that provide visibility into the myriad threats, adversaries, and related activities that contribute to business risk. These sources tend to vary depending on a program’s intelligence requirements (IRs), but they typically include illicit online communities such as DDW forums and marketplaces, card shops, chat services and/or messaging platforms, paste sites, and various other DDW and open-web sites frequented by threat actors. Keep in mind that relevance, accuracy, and timeliness of data are far more important than—and not necessarily indicated by—the source from which it is collected.
Myth: BRI has nothing in common with cyber threat intelligence (CTI)
Fact: The use cases CTI programs typically deal with are among the many that BRI supports. Both types of intelligence can enable cyber defenders to more effectively detect and react to threats stemming from cybercrime, hacktivism, vulnerabilities and exploits, and DDoS activity, to name a few. BRI and CTI are also both suitable for malware analysis, threat hunting, breach investigations, and identifying and triaging indicators of compromise (IOCs).
In other words, BRI encompasses CTI—but that doesn’t mean both types of intelligence are identical. The most notable difference is that BRI provides a higher caliber of context and visibility that enables it to not only support CTI use cases but also address the business risks posed by a broad spectrum of cyber, physical, fraud, and insider threats. And although both BRI and CTI are often leveraged by cybersecurity-related business functions, only BRI can also provide tangible value to functions related to fraud, insider threat, physical security, and corporate security, among many others.
Myth: BRI is not suitable for public-sector organizations
Fact: It’s true that business risk is generally not a consideration for public-sector organizations because they are not businesses. However, many of the core principles of BRI can still benefit the public sector—just in different ways than they tend to benefit businesses.
For example, let’s consider the visibility BRI provides into illicit online communities. This visibility helps businesses more effectively safeguard business assets from the threats and adversaries that originate and operate within these communities. And because many of the same types of threats and adversaries also target or otherwise impact the public sector and its constituents, this visibility can also:
– Guide law enforcement investigations, arrests, and prosecutions;
– Inform policies and regulatory responsibilities for civilian agencies;
– Help defense and intelligence agencies identify and address intelligence gaps and conduct further analysis in support of mission objectives.
This concept also applies to BRI’s focus on integrative use cases and cross-functional collaboration, among other core principles that can help optimize private- and public-sector intelligence programs alike.
Myth: BRI does not address digital risks
Fact: The easiest way to debunk this myth is to look at how business risk compares to digital risk. As I’ve written previously, business risk is commonly defined as the possibility that a business will incur a loss due to uncertainty in one or more of the following five categories of risk: financial, compliance, strategic, reputational, and operational. Digital risk, meanwhile, refers solely to uncertainties and consequential losses related to digital business transformation, which according to Gartner is the process of “exploiting digital technologies and supporting capabilities to create a robust new digital business model.”
So why isn’t digital risk considered a category of business risk? The answer is that the five categories of business risk already encompass digital risk. For example, a business’s launch of a mobile application for its customers would likely be a digital risk because it pertains to digital business transformation and creates a new vector through which potential cyber threats could target and possibly compromise customers’ data. Cyber threats and compromises tend to also be factors for operational, strategic, reputational, and compliance risk, all of which are areas of business risk that the mobile application could impact as a result.
But although the usage of new technologies and other digital risk factors can impact business risk, so can a business’s location, industry, market share, assets, stakeholders, partners, investors, political climate, physical infrastructure, and the nearly countless other factors that fall beyond the scope of digital risk. Indeed, this distinction reinforces a crucial point: all digital risks are business risks, but not all business risks are digital risks. And similar to how BRI encompasses CTI, business risk—and thus BRI—also encompasses digital risk.
Keep in mind that myths and misconceptions are easy to find in all areas of security, not just BRI. Most of these fallacies are relatively harmless and easy to sniff out, but some—including the examples I described above—can cause us to overlook or misinterpret resources or strategies that would otherwise benefit us and the assets we’ve been entrusted to protect. And as security practitioners, it’s our responsibility to not only identify and debunk the fallacies we come across, but also to educate those around us on what effective security truly looks like.