In this post I want to address a problem that many CTI (Cyber Threat Intelligence) teams encounter on a fairly regular basis. CTI teams rarely deliver good news. After all, they are delivering information about cyber threats. The news is rarely great and in less enlightened cultures, it really isn’t what leadership wants to hear. At Rendition Infosec, we are regularly asked to sugar coat reports to make them more palatable to leaders. Now I’m not one for FUD (fear, uncertainty, and doubt), but I’m also not one for ignoring the truth. And often, unfortunately that truth is “we need help.” So in this post I’d like to address the question of whether it’s better to tell them what they want to hear or sugar coat the truth. To help illustrate the point, I’ll use a CIA review of the book “What Stalin Knew” that I came across recently. If you haven’t read this review already, you should.
Tell them what they want to hear
Telling leaders what they want to hear is usually the easiest solution in the short term, but it can cause real problems in the long term. “We’re doing great on security and don”t have anything to worry about” is all fine and good until you have a security incident and have to explain why you were wrong (or deceitful). However, this approach can increase liability if you are a contractor. For internal employees, bear in mind that there are often sacrificial lambs brought to slaughter for every major security incident. If your message is consistently “we’re fine, don’t worry” you may be that lamb.
Tell them what they need to hear
As pointed out in the book, this can get you killed while those who sugar coat the truth (or simply omit annoying facts) may prosper in your place. Now you aren’t likely to be killed for telling the truth, but you may not be promoted and might be marginalized in your existing position. If you are a contractor, you might not be invited to return. But the good news is that this approach reduces liability and you’ll probably sleep better at night doing it this way.
Take a blended approach
I personally think this is the best approach. Executives and information technology professionals suffer under intelligence fatigue. They need actionable intelligence to make decisions and operate effectively, but too much non-actionable information isn’t a good thing. At Rendition, we’ll happily provide full details of all intelligence available as well as all recommendations for fix actions. But we really prefer to focus on the top three to five threats and the top five to ten remediation actions. We find that in numbers above these, we’re really over saturating executives and exceeding the ability of IT organizations to take action on the remediation actions that are presented. We carefully work with the organizations to see their progressing in actioning the intelligence provided and then present the next most pressing threats and remediations.
What’s the best approach?
What are your thoughts on the approach that CTI teams should take? Hit us up on Twitter or contact us to talk about your CTI needs.