Josh Lefkowitz, CEO, Flashpoint
Everyone remembers the social media boom of the mid-2000s. While social networks such as MySpace and Friendster already existed and had fledgling ad revenue models, it wasn't until the emergence of Twitter, Facebook's acquisition of FriendFeed, and the development of tools such as HubSpot and HootSuite that businesses began to take social media seriously as a digital channel.
Then, as is the case of all emerging technology use cases, market confusion began. Is social media really important in business? Is it digital marketing? Is it social media for business? Is it social marketing? Does it fit in lead generation or communications?
In the end it was rightly determined that social media is merely a tactical approach that is part of a bigger marketing and business strategy and wouldn't be as valuable if that strategy were not developed first. And, as with most strategic development, sometimes research and more advanced tools are required to glean the information to put the right tactics in motion.
Fast forward to the mid-2010s and we're in a similar dilemma with the crowded cyber threat intelligence (CTI) market, especially in the discussion around digital risk monitoring. According to Forrester, digital risk is assessing cyber risk, brand risk, and physical risk emanating from open web properties, social networks, and some computer and mobile applications. Much like tactical social media tools, a good intelligence-rich strategy needs to be developed in advance of any digital risk monitoring implementation in order to be most effective.
Business Risk Intelligence (BRI), on the other hand, provides strategic intelligence gleaned from the Deep & Dark Web that informs organisations what the actual threats are that are critical to their business. While many organisations do have digital risk monitoring in addition to BRI, many organisations end up adding BRI later on to address the intelligence gap that digital risk monitoring approaches leave open. Many concerns often stem from missed information around insider threats, fraud, anti-money laundering, geopolitical intelligence, supply chain, and a need for more sophisticated threat actor profiling or directed actor engagement.
For one, putting the tactical before the strategic is going to land most organisations in a corner where they are missing business critical information. Second, digital risk monitoring solutions, even if they offer data from the Deep & Dark Web, do not often have expertise beyond purely automated approaches to gain information, which can never be rich enough to be considered intelligence.
Just as strategy needs to come before tactics, BRI must come before digital risk monitoring. Digital risk solutions are good for setting and monitoring already known information, or as I've said before, "answering the questions companies already know to ask." But BRI is what helps determine what needs to change in operations, policies, and protections across an organisation.
Here's an example based on the insider threat use case. In one incident, intelligence from an underground forum revealed that a rogue employee of a multinational technology company was preparing to profit from stolen source code from unreleased, enterprise-level software. With this intelligence, the company was able to be alerted and then supported in completing an internal investigation, work with law enforcement to support the employee's arrest, prevent the illicit sale, and preserve the company's intellectual property.
Digital risk monitoring could not have been used to detect or mitigate this insider threat. BRI, on the other hand, found the threat in its relevant context, enabling the company to take the appropriate steps to minimise its risk.
According to The Forrester Wave: Digital Risk Monitoring, Q3 2016: "Generic online or social media monitoring provides a false sense of security. Many security and risk] and marketing pros remain naïve about serious risks in their organisation's digital presence, because they believe their existing social media monitoring or cyber threat intelligence (CTI) tools will detect them. That notion, however, is increasingly misguided."
It's misguided, of course, because these basic tools are tactical and do not provide the intelligence alone that is needed. The challenge of digital risk is that it rests somewhere between basic social media and brand monitoring, sprinkled with traditional cyber threat intelligence. Digital risk doesn't have the scalable technology and human power behind it to produce BRI that helps all departments in an organisation determine the best strategies for protecting their digital, human, and physical assets.
Digital risk monitoring is a helpful tool for organisations that already have rich intelligence and not just data. Failing to distinguish between the two can be problematic. It is nearly impossible to form relevant context without first considering how the data relates to the entire risk profile of an organisation not just a tactical report. Observing digital risk through the open web is not enough to develop necessary context and thus cannot enable organisations to apply and operationalise the data to address their challenges effectively. BRI must come first.