A compliance-led security programme — one built to satisfy ISO 27001, Cyber Essentials, or PCI DSS — provides a set of controls that represent good baseline security hygiene. It addresses a broad range of threats without deep consideration of which threats are most likely to affect your specific organisation, in your specific industry, with your specific technology environment and threat profile.
For many organisations, this is a reasonable starting point. Baseline security hygiene addresses a large proportion of the attack vectors that opportunistic attackers use. But organisations with a specific and well-understood threat profile — financial institutions targeted by organised financial crime, healthcare organisations targeted for data theft, critical infrastructure operators targeted by state actors — cannot rely on generic baselines to address their most significant risks.
Threat-led security strategy builds the programme around the threats that are actually targeting organisations like yours.
Understanding Your Threat Profile
Threat intelligence is not just for large enterprises with dedicated threat intelligence teams. Even small and mid-sized organisations can build a useful threat profile from available information: sector-specific threat reports from bodies like the NCSC, CISA, and industry ISACs; incident data from peer organisations (often shared through sector information sharing forums); and the known tactics, techniques, and procedures (TTPs) of threat actors known to target your sector.
A threat profile for a financial services firm might highlight: business email compromise targeting payment processes; credential theft campaigns targeting internet-facing authentication systems; insider threat; and regulatory-motivated DDoS attacks. A threat profile for a healthcare organisation might highlight: ransomware targeting patient records systems for extortion; medical device vulnerabilities; and data theft for insurance fraud. These profiles are different, and they drive different prioritisation decisions.
Mapping Threats to Controls
Once you have a threat profile, you can map your threat actors’ known techniques to the controls that detect or prevent them. The MITRE ATT&CK framework provides a structured catalogue of attacker techniques with associated detection and mitigation guidance. Mapping your threat profile to ATT&CK and then assessing your controls coverage against that mapped technique set gives you a gap analysis driven by your actual threats — not by a generic control list.
This is a different kind of gap analysis from a compliance framework assessment. A compliance gap tells you which required controls you are missing. A threat-led gap analysis tells you which of your most relevant attack paths are inadequately covered — which may or may not correlate with compliance gaps.
Strategy That Follows from Threat Reality
A threat-led security strategy prioritises investment in the controls and capabilities that address the highest-probability, highest-impact threats facing the organisation — not the broadest set of generic threats. This may mean investing more heavily in identity security and email security for a financial services firm targeted by BEC campaigns, while deprioritising certain perimeter security investments that do not materially affect the relevant threat vectors.
This prioritisation is only possible when the strategy is built on an honest threat assessment. Without it, all controls look equally important — because there is no framework for distinguishing what matters most for your specific context.
At Bitsecura, we develop cyber security strategies that are grounded in threat reality — assessing the specific threat actors and techniques relevant to your industry and profile, and building a programme that prioritises the controls that matter most for your context. If you want a strategy that addresses your actual threats, talk to us here.
Bitsecura provides cyber security strategy development and advisory services. Learn more about our cyber strategy services.