Intelligence That Matters: Building Cyber Threat Programs That Drive Business Value
Intelligence veterans reveal how to transform technical security findings into business-relevant insights that drive meaningful action at the executive level, helping security teams demonstrate clear value in today's complex risk landscape.
Session Summary
In this strategic discussion from RSA Conference 2024, intelligence experts David Etue (Cylent Knights LLC) and Nick Selby (Evertas) join Bishop Fox's Matt Twells to examine what separates truly valuable threat intelligence from mere data collection. Drawing from decades of combined experience spanning law enforcement, corporate security, and intelligence operations, the speakers highlight a fundamental challenge in the industry: many intelligence programs deliver technically accurate information that fails to address business concerns or drive meaningful action.
The conversation reveals that elite intelligence practitioners distinguish themselves through their mastery of the intelligence process—not just technical acumen—and their ability to build partnerships across the organization to understand business context. Both experts emphasize that effective intelligence requires a clear mission, disciplined tradecraft, and the ability to translate technical findings into concise, actionable insights for different stakeholders. They critique the industry's tendency to focus on sophisticated nation-state threats while neglecting more common risks that actually impact businesses regularly, arguing that intelligence teams must demonstrate their value by addressing immediate business concerns rather than theoretical scenarios. As regulatory pressures increase, the speakers note that intelligence teams face both a challenge and an opportunity: boards now need to understand complex risks quickly, creating a prime opportunity for intelligence professionals to demonstrate value—provided they can communicate their findings in business-relevant terms that executives can act upon.
Key Takeaways
- Master the intelligence cycle, not just technical skills - Understanding how to collect requirements, analyze information, and deliver actionable insights is more important than technical proficiency alone.
- Define your mission with clarity - Effective intelligence programs have a clear understanding of what they're trying to accomplish and how it connects to business objectives.
- Build partnerships to gain business context - Great intelligence teams establish relationships across the organization to understand what matters to different stakeholders.
- Focus on relevant, realistic threats - Rather than fixating on sophisticated nation-state actors, concentrate on the threats most likely to impact your specific business.
- Deliver concise, actionable information - When communicating with executives who measure time in 30-second intervals, ensure your insights are brief, meaningful, and immediately actionable.
- Use regulatory changes as an opportunity - New requirements for boards to understand cyber risks create an opening for intelligence teams to demonstrate value through clear, business-relevant analysis.
Transcript
Matt Twells: Hi, welcome back. I'm Matthew Twells, senior solutions architect at Bishop Fox. This panel is called Mastering Cyber and Intel Threat Readiness. We've got David Etue here, principal at Cylent Knights LLC. I'd love for you to tell us a bit about yourself. How's your week been here at RSA so far? How much swag have you collected?
David Etue: Zero swag. I haven't made it to the show floor yet, but I'm glad to be here today. Thank you. I'm the former CEO of Nisos, where I helped scale the first company and manage services for threat intelligence. I've had the opportunity to work in a number of different places in the industry. I started my career as a tech practitioner and a CISO, then went to the vendor side. Disturbingly, I'm hitting 25 years in cyber, which is hard to say out loud.
Matt Twells: You've got to release a greatest hits album now, right?
David Etue: God, no. But, have a great week. The wonderful chaos of RSA.
Matt Twells: That's probably the right way to put it, right? The chaos of RSA. Beautiful chaos.
Nick Selby: It's wonderful, yeah.
Matt Twells: So let's put it on our byline next time around. And then the other guy is Nick Selby, EVP at Evertas. We've worked together before, but I'd love for people who haven't met you before to hear what Evertas does. How are you enjoying your week here in San Francisco?
Nick Selby: Loving San Francisco. I run the professional services team at Evertas, the first crypto insurance company. We do quite a bit of crypto security for the crypto industry, but also traditional cybersecurity consulting. I've been in intelligence in and out for many years. I had an intelligence startup back in 2011. I worked at the NYPD as the director of cyber intelligence and investigations. I was the chief security officer for Paxos Trust Company and also the VP at Trail of Bits.
Matt Twells: You're probably uniquely well-suited for this discussion based on the NYPD. I'm curious from both of your sides, practitioners and now leading programs and helping on a more strategic level, what would you say separates those starting out from the elite in intelligence?
Nick Selby: I'm not going to push back on whether they know what intelligence is because I think that's actually part of the big problem.
David Etue: Yeah, I think the fundamental part is, I started primarily in cybersecurity but have dabbled in intelligence. I started General Electric's open source intelligence program in 1999. I didn't grow up in the intelligence community. For me, it was at Fidelis Security Systems, working with the Air Force, that someone really showed me what the intelligence process was. If you don't understand the intelligence cycle, you're not doing intelligence. A lot of people in our industry grow up in security operations. If you understand lateral movement, executables, and process trees, you're going to be at a disadvantage if you don't understand the intelligence process. Great teams build both capabilities together, with synergies and learning between the two groups.
Nick Selby: I agree. Defining the mission and making sure everyone is on board with what you're trying to do is crucial. Once you've decided what the mission is, applying the tradecraft and known methods in intelligence becomes easier. The hardest thing is figuring out what you want to know and how to make it actionable and relevant to both the geeks in the basement and the C-suite.
Matt Twells: I think the mark of an elite is knowing not just the technical side but also capturing requirements. If you don't know what you're aiming at, don't be surprised when you don't get there. The communication gap is business awareness. Why does the CFO care?
Nick Selby: What's the most important question when you're trying to get the attention of someone who measures their time in 30-second intervals? If you have something that needs to go up to the CEO or the board, it better be worth it and described in a way that is succinct, meaningful, and actionable immediately.
Matt Twells: It's like a meaningful use of political capital. You've got the CEO's attention for maybe 15 minutes. Make sure he understands.
Nick Selby: If you're lucky. You have him in the elevator half the time.
Matt Twells: Where are people falling down right now in setting up these teams and doing the work?
David Etue: It's about preparedness and collaboration. If you told me you had 20 devices encrypted by ransomware, it could be a non-issue or it could be critical systems. That context is key. It's about building partnerships within the business to understand that context. Great teams operationalize this understanding. You build that partnership with your customers to understand the context, which is everything.
Nick Selby: I agree. The biggest danger is being irrelevant. Setting expectations early and making sure your messaging is relevant to the people reading it is crucial. Every time you deliver meaningful, actionable information, you build credibility.
Matt Twells: It's the basics done well. Knowing what you're aiming at is key.
David Etue: Exactly. You need to understand what your goal is. If the goal of your cyber intelligence program is to feed the threat hunting team and create matches in the SIEM, that's one thing. But if you're dealing with fraud issues or insider threats, that's a different approach. Knowing what the goal is and aligning to it is key.
Nick Selby: You can turn morning meetings into a tabletop exercise. If there's a new exploit, ask your team if they can detect it. These basic questions are important and often overlooked.
Matt Twells: Is it true that as an industry, we hyper-focus on nation-state actors when we should be worried about more immediate threats?
Nick Selby: Yes. Focusing on the basics and real-world threats is crucial.
David Etue: I agree. Running intelligence injects into tabletop exercises is key. It brings context and value at a level the C-suite may not expect.
Nick Selby: The sources you look at for intelligence are important. It's not about espionage. It's about turning data into actionable information.
Matt Twells: There's a sea change in regulators taking cybersecurity seriously. Do you see that changing the way companies approach it?
David Etue: The new regulations are fascinating. If your board needs to understand a risk in two or three days, systems analysis isn't enough. This is a boon for intelligence teams. How many are rising to the occasion is unclear, but it's a positive development.
Nick Selby: I'm concerned about oversimplification. Complex issues like supply chain security need more than tick boxes. However, how else do you get the board to listen? It's a tough problem.
Matt Twells: It's like saying you can run a restaurant because you wrote the menu. It's more complex than that.
Nick Selby: CISA is doing a good job, but the problems are complex and nuanced. Getting the board's attention is tough.
David Etue: I think we're seeing a shift in regulation. It's not going to be perfect, but it's moving in the right direction. There's more education and capability in the regulatory environment now.
Nick Selby: Insurance can be a force for good. Rewarding proactive steps in cybersecurity is important.
Matt Twells: Cautious optimism, iterative improvement, and basics done well are key. Thank you both for your time. This was really interesting to me. Enjoy the rest of your week.