Why Does This Threat Matter and What Happens Next?
Hear from threat assessment experts on how a comprehensive framework can empower security teams with a complete understanding of a threat and guide their response.
It’s one thing to identify that something is not quite right and a threat is on the horizon, but that only gets you so far. Knowing what to do once intelligence is surfaced — measuring its significance and taking appropriate action to mitigate it — is a critical, often overlooked missing ingredient to a successful security program.
At a time when corporate security teams are resolving one issue just as the next one arises, a framework for gathering the necessary information empowers teams to act with a complete view of the situation at hand. Otherwise known as a threat assessment, this process gives teams a thorough understanding of what is happening and where to focus their energy.
However, a threat assessment’s role and value to modern-day security programs is not clear to everyone, and the topic was discussed by a panel of clinically recognized experts and seasoned practitioners at the 2022 Ontic Summit.
Security Cannot Act Alone
Dr. Marisa Randazzo, PhD, who leads Ontic’s Center of Excellence and founded SIGMA Threat Management Associates, moderated the discussion and quickly uncovered an important lesson around a coordinated approach to security. Security teams only know a piece of a puzzle. If an employee’s behavior is off from their normal baseline of activity, it’s important to know their recent interactions with their manager, and “look for things like frequency, multiple means of contact, intensity, focus on a target, and pattern of escalation,” says panelist Dr. Stephen White, President of WTS Inc. and Co-Developer of WAVR-21.
Adam Cambridge, Manager of Enterprise Risk Intelligence at MITRE, shared his perspective on who needs to be involved in the process by stating,
“Security professionals shouldn’t make all decisions. Threat assessments incorporate other teams. Bring in stakeholders and analyze the signals and then answer questions and then decide what happens after.”
A common scenario that demands a complete understanding is the employee termination process. When security acts alone, there is tremendous potential to be unprepared for the employee’s reaction, for proper communication during the final conversation, and for a post-termination evaluation that determines how to watch for behavior over time.
“We treat everyone with respect and that helps us have a good security program, especially when people are terminated from the organization. It’s alright if you don’t get the last word when someone leaves. There’s a right way to say goodbye,”
shares Dan Frost, Manager of Global Security Operations Center at Netflix. He adds, “Sometimes the loudest signal isn’t the most important. If people make threats internally, we find out from HR after decisions have been made.”
Each security program has its own nuances and ways of gathering information, but every security professional is well aware that protection never rests and threat assessments are ongoing. With every hour that goes by, new information pours in and the landscape changes. This means programs need to be nimble: ready to anticipate the potential for violence and to know how to mitigate it.
With a structure to guide this approach, teams can “use it to learn how to intervene without making things worse,” says White. By having a system in place that captures complaints, corrective actions, and policy violations, teams can watch for indicators of troubling behaviors over time — providing an accurate picture so they know when to step in.