Maximising Cybersecurity ROI with Threat Informed Defence

As IT professionals and decision-makers grapple with the challenges of effective cybersecurity, the need for a proactive and cost-efficient defence strategy is more pressing than ever. That’s where maximising cybersecurity ROI with threat informed defence comes into play.

In this article, we’ll examine how implementing a threat-informed defence strategy can optimise your cybersecurity budget by focusing on what truly prevents and detects cyber attacks. We’ll dispel the notion that outdated frameworks can manage cyber-risk effectively, and showcase how enhancing your security posture can be achieved more effectively and efficiently.

The Limitations of Traditional Cybersecurity Approaches

Traditional cybersecurity methodologies fall short in today’s dynamic threat environment and put significant strain on an organisation’s budget. In the ever-evolving landscape of cybersecurity, traditional methodologies, such as the NIST Cybersecurity Framework (NIST CSF) and ISO 27001, often fall short. While these frameworks offer comprehensive guidelines and controls designed to standardise cybersecurity measures, they suffer from a “one size fits all” approach. This often results in organisations focusing on an area where they scored poorly in an audit – without considering the value they get from that area in the first place.

When you combine these compliance style frameworks with the sheer volume of new Gartner-coined acronymed cybersecurity solutions continuously flooding the market – you often end up with thirty different point solutions and an exponentially growing cybersecurity budget.

So What?” I hear some of you ask. “Cybersecurity is in our top three risks. We’ve got a nearly unlimited budget.” The truth is that these solutions may not be effective in thwarting the latest adversary tactics – and any budget is better spend in focusing on depth of protection against the techniques that are most likely to be used against your organisation.

Enter Threat Informed Defence

Threat-informed defence provides a proactive and holistic approach that leverages well-researched, actionable intelligence to anticipate and prevent cyber threats. By using this methodology, organisations can better allocate resources and invest in measures that provide the most security value, while minimising excessive reliance on tool investments that may have diminishing returns.

Understanding MITRE ATT&CK and TTPs

A cornerstone of threat-informed defence is the utilisation of the MITRE ATT&CK framework, which categorically details the tactics, techniques, and procedures (TTPs) employed by adversaries. MITRE ATT&CK serves as a comprehensive repository of common threat actor behaviours, providing a granular understanding of how attackers compromise, exploit, and persist within target systems. By focusing on TTPs, organisations can identify and prioritise the most prevalent attack vectors, creating “choke points” that disrupt the adversary’s activities. Rather than relying solely on generic defensive measures, this approach pinpoints specific and actionable areas to fortify, thereby maximising the efficacy of defensive resources. Integrating such intelligence into an organisation’s cybersecurity posture ensures a more dynamic and adaptable defence system, capable of thwarting even the most sophisticated threats.

This methodology emphasises the use of breach and attack simulation, red teaming, and penetration testing to identify genuine weak spots within an organisation’s defences. By harnessing actionable intelligence, organisations can better anticipate and neutralise emerging threats, leading to a more effective and cost-efficient cybersecurity strategy.

Benefits and Challenges of Threat Informed Defence

Embracing a threat-informed defence approach empowers IT professionals and decision-makers to be better equipped to address the ever-evolving threat landscape. This is particularly crucial for industries such as financial services, where the stakes are exceptionally high. By integrating threat intelligence, decision-makers gain invaluable insights into relevant cyber threats, thereby enhancing and fortifying existing cybersecurity infrastructures.

However, implementing a threat-informed defence also presents its share of challenges, one of which is the volume of information available. The abundance of data can make it difficult to discern which intelligence is most valuable. Ensuring that this vital information is easily accessible and actionable is critical.

To navigate these challenges effectively, organisations can adopt a continuous improvement loop involving several high-level steps:

  1. Collect Intelligence: Gather data on how peers and other organisations are being attacked. This includes analysing incident reports, threat feeds, and other intelligence sources to understand the threat landscape.
  2. Prioritise Intelligence: Identify common patterns and trends in the attacks. This helps in focusing efforts on the most prevalent and relevant threats.
  3. Self Assessment: Utilise breach and attack simulation, red teaming, and penetration testing to assess how well your organisation can prevent and detect these common attack patterns.
  4. Improve: Based on testing results, enhance your defences in areas that are likely to be targeted and where your detection or prevention mechanisms may be weak.
  5. Retest: Conduct follow-up tests to ensure the implemented improvements have effectively strengthened your cybersecurity posture.
  6. Update and Repeat: Update your intelligence by incorporating new data and insights, and repeat the process to continually refine and enhance your defences.

By following this cyclical process, organisations can maintain a dynamic and adaptive cybersecurity strategy that keeps pace with evolving threats.

Maximising Cybersecurity ROI

A vital benefit of threat-informed defence is the ability to strategically allocate resources. By concentrating efforts on identifying and fortifying the areas most susceptible to attack, organisations can make more informed decisions on where to invest their limited resources. This approach means that investments are not merely reactive or driven by unverified benchmarks but are based on data-driven insights specific to the organisation’s threat environment.

Moreover, threat informed defence helps guide investment in cybersecurity tools more effectively. Traditional methods often lead to a laundry list of security products, which can be both expensive and difficult to manage. With threat informed defence, the focus shifts to deploying tools that address the most critical attack vectors. For instance, if intelligence highlights that phishing is a prevalent threat, resources can be directed towards advanced email filtering solutions and user training programs. Similarly, if lateral movement within networks is identified as a frequent tactic used by adversaries, the investment might be better spent on network segmentation and endpoint detection and response (EDR) solutions.


Effective cybersecurity strategy isn’t all about investing in the newest and most expensive tools and resources. By strategically investing in threat informed defence, organisations can enhance their security posture while optimising their budget. A proactive, intelligence-driven approach helps to anticipate and thwart cyber threats while minimising the excessive dependence on tool investments.

I hope this article has provided some insight into maximising cybersecurity ROI with threat informed defence. For more information on operationalising threat informed defence, stay tuned for Part 2, where I will dive into more detail on the practical implementation and operationalisation.


What is threat informed defence?

Threat informed defence is a proactive cybersecurity strategy that leverages actionable intelligence on known adversary tactics, techniques, and procedures (TTPs) to anticipate and prevent cyber threats. By focusing on real-world threats, it enables organisations to prioritise and fortify areas most likely to be targeted.

What makes threat informed defence an effective approach to cybersecurity?

Threat informed defence optimises cybersecurity budgets by allocating resources to the most critical areas based on actionable intelligence. This approach minimises the reliance on numerous security tools and focuses investments on measures that directly address prevalent threats, ensuring cost-efficiency and enhanced protection.

How can threat informed defence improve cybersecurity ROI?

Threat informed defence is effective because it is data-driven and dynamic, allowing organisations to adapt to evolving threats. By using frameworks like MITRE ATT&CK to understand and anticipate attacker behaviours, it provides targeted protection and builds a more resilient cybersecurity posture, reducing the risk of successful attacks.


Leave a Reply

Your email address will not be published. Required fields are marked *