Cybersecurity teams and business leaders often butt heads over threat management and mitigation priorities. Closing the communications gap might help.
In the world of cybersecurity, how we say something matters as much as—maybe even more than—what we say.
A thought experiment to illustrate this point:
You are the CEO of one of the largest fuel pipelines in the country. You’ve been called into a threat intelligence briefing because your analysts found a couple of significant cyberthreats that might impact your organization.
Which of these two threats do you prioritize responding to?
Threat 1: “A ransomware gang has been targeting other energy companies, locking up critical data until the company pays a ransom. If this ransomware were to compromise our network, we estimate it might encrypt as much as 100 gigs of our data.”
Threat 2: “A highly disruptive malware has hit several critical infrastructure systems in the past few months, knocking core services offline. If it penetrates our network, we estimate this malware would shut down the entire pipeline for a week.”
It’s a trick question. Both threats describe the same attack: the 2021 Colonial Pipeline ransomware attack, the largest cyberattack on oil infrastructure in U.S. history. Malicious hackers shut down the pipeline that carries 45% of the East Coast’s fuel and pressured the victims into paying a ransom of USD 4.4 million. (The Department of Justice did eventually recover some of that ransom.)
Notice how, despite describing the same attack, these threat reports do not feel equally urgent. Threat 1 seems bad, but threat 2 calls for an all-hands-on-deck response right away.
Threat 2 feels so much more urgent because it emphasizes the business impact of the attack, rather than the technical details. Unfortunately, threat analysts often get this backward, which contributes to a profound communications gap between cybersecurity and the business.
This gap is more than a mere inconvenience. It can leave the organization exposed to all manner of attacks.
Everyone.
On the one hand, we cybersecurity professionals don’t always couch our insights in business terms. We often take a more technical approach, emphasizing the inside baseball of it all: the names of threat actors and malware strains, IOCs and CVEs and CVSS scores, a whole impenetrable wall of specialized acronyms.
These things mean a lot to us as practitioners, but they mean much less to the business leaders we want to educate.
On the other hand, those same business leaders might have some inaccurate ideas about the role of cybersecurity and the true extent of its worth. Cybersecurity is often treated like a box-checking exercise, a matter of complying with some rule to avoid a fine or earn a certification.
This mindset renders security little more than an additional line item in the budget, a cost center rather than a cost saver or even a competitive advantage.
As a result, when we sit down at the conference table, we end up talking past one another. There are material consequences here. If security cannot convey threats in a language the business understands, the business might underestimate risks or deny certain security investments because they “don’t seem worth it.”
Until disaster strikes.
But no one likes to hear “I told you so.” It certainly doesn’t win you any friends in the C-suite.
Again, cybersecurity pros aren’t entirely to blame for the gap. But we are uniquely positioned to close it.
If we communicate in terms that matter to business leaders, we can better align the entire organization on threat management priorities and security controls.
This alignment, in turn, makes it easier for the security team to win support for its recommendations. Over time, as these security investments pay off, the business starts to see security as a true value creator.
Here are four communications changes that cybersecurity teams can make to start bridging the divide:
It’s easy to focus on what might happen: attacks that might materialize, systems that might be vulnerable, threat actors who might arise.
Business leaders tend to be more interested in what did happen: attacks we prevented and vulnerabilities we patched.
This is, in some ways, a positive thing. For one, it’s a sign of trust in the security team. Business leaders don’t need to know about every possibility because they trust us to prevent most, if not all, of them.
This also allows us to tout our wins more—to prove our value by reporting on how we’ve successfully shielded the organization from danger.
That said, we have a needle to thread here. While we want to emphasize the actual, we can’t totally abandon the possible. After all, part of our remit is identifying new cyberthreats and putting the right security measures in place to stop them.
Here’s one approach that you can take to balancing these factors:
When a new cyberthreat appears in the wild, identify its likelihood and potential impact. Then, identify any measures you can use to address the threat without needing permission or new resources, and then implement them. Assess how these measures reduce threat likelihood and impact, and then determine the threat’s overall risk level.
High-risk threats probably require more resources, and they should be brought to the attention of business leaders. Low-risk threats can be compiled in a supplemental list or mentioned in passing, but they don’t need to take up valuable meeting time.
Speaking of threat impacts: It’s best to anchor impact reports and estimates to hard numbers and concrete business consequences.
We security practitioners sometimes assume that vulnerabilities are self-evidently bad. If there’s some flaw in a system, you want to fix it because it’s a flaw.
But outside of security, the mere existence of a vulnerability might not be motivation enough.
Partly, this is because we often discuss vulnerabilities in abstract terms: “Our system is vulnerable to newer strains of ransomware that bypass many of our existing controls. We propose implementing new ransomware protections at a cost of USD 200,000.”
A reasonable recommendation, but USD 200,000 is a hefty price tag. Decision-makers might balk at such an investment, especially if the only justification is something as nonspecific as “stopping ransomware.”
Consider this framing instead: “Our system is vulnerable to newer strains of ransomware. We’ve analyzed incidents at similar organizations, and these ransomware attacks cost an average of USD 2 million per day due to a combination of lost business and the price of remediation. We propose implementing new ransomware protections at a cost of USD 200,000.”
Now, we’re talking about spending USD 200,000 not to “stop ransomware,” but to stop the organization from losing USD 2 million per day. That seems like a good deal.
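The triage procedure described earlier (score likelihood and impact, apply the measures you can deploy without new budget, derive residual risk, and decide what reaches the executive briefing) together with the dollar-based framing above, as an added example that is not part of the original article. The threats, controls, reduction factors and dollar figures are constructed sample values, and the USD 1 million expected-annual-loss threshold for "high" is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    """A measure already in place (or deployable without new budget)."""
    name: str
    likelihood_cut: float  # fraction of attack likelihood it removes, 0..1
    impact_cut: float      # fraction of business loss it removes, 0..1

@dataclass
class Threat:
    name: str
    likelihood: float      # chance of a successful attack per year, 0..1
    loss_per_day: float    # business loss per day of disruption, USD
    outage_days: float     # expected disruption length if the attack lands
    controls: list[Control] = field(default_factory=list)

    def inherent_loss(self) -> float:
        return self.loss_per_day * self.outage_days

    def residual(self) -> tuple[float, float]:
        """Likelihood and loss after every listed control is applied."""
        like, loss = self.likelihood, self.inherent_loss()
        for c in self.controls:
            like *= 1 - c.likelihood_cut
            loss *= 1 - c.impact_cut
        return like, loss

    def expected_annual_loss(self) -> float:
        like, loss = self.residual()
        return like * loss

def risk_level(t: Threat, high_usd: float = 1_000_000) -> str:
    """'high' goes to the executive briefing, 'low' to the supplemental list."""
    return "high" if t.expected_annual_loss() >= high_usd else "low"

def triage(threats: list[Threat]) -> tuple[list[Threat], list[Threat]]:
    ranked = sorted(threats, key=Threat.expected_annual_loss, reverse=True)
    return ([t for t in ranked if risk_level(t) == "high"],
            [t for t in ranked if risk_level(t) == "low"])

def bluf(t: Threat, proposal_usd: float) -> str:
    """Bottom line up front: business consequences, not technical detail."""
    _, loss = t.residual()
    eal = t.expected_annual_loss()
    return (f"{t.name}: {risk_level(t).upper()} risk. A successful attack would cost "
            f"about USD {loss:,.0f} ({t.outage_days:g} days at USD {t.loss_per_day:,.0f}/day); "
            f"expected annual loss USD {eal:,.0f}. Proposed control costs USD {proposal_usd:,.0f}.")

# Constructed sample threats; the numbers are illustrative, not from the article.
RANSOMWARE = Threat("Ransomware on pipeline OT network", 0.30, 2_000_000, 7,
                    [Control("Offline backups", 0.0, 0.5), Control("EDR on jump hosts", 0.5, 0.0)])
PHISHING = Threat("Credential phishing against finance", 0.50, 50_000, 2,
                  [Control("Phishing-resistant MFA", 0.8, 0.0)])
```

Calling `triage([PHISHING, RANSOMWARE])` puts only the ransomware threat in the briefing list, and `bluf(RANSOMWARE, 200_000)` yields the one-line summary an executive can act on.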
We cybersecurity pros tend to err on the side of caution. But for many businesses, the optimal amount of risk is not zero.
Think about the classic CIA triad of information security. It says that a secure information system requires confidentiality, integrity and availability.
In other words: Sensitive data and systems must be protected, but they must also be available for employees to use. This balance is tricky to strike. Strict protections might keep systems safe, but the hit to productivity isn’t always worth it.
For example, one of us worked at a media company that preferred fairly lax restrictions on the types of tech employees used. This policy opened up opportunities for unmanaged shadow IT and risky browsing, but it also allowed employees to quickly and dynamically research developing stories. This activity was core to the company’s business model, so the organization was willing to accept the risks that came along with it.
With a shared understanding of what risk means, cybersecurity teams can pursue tactics and tools that meet security needs without disrupting business operations.
Note that aligning on risk tolerance doesn’t mean cybersecurity always acquiesces to the business. Cybersecurity teams can and should use their expertise to influence the business’s understanding of risk.
One of us recalls a particular threat intelligence briefing. The briefing had identified a specific attack as low risk, but an executive pushed back. He felt that the risk level should be higher because the organization had suffered this kind of breach in the past.
The threat intelligence team pointed out that the landscape had changed since then. The organization had installed protections that reduced the likelihood and severity of such an attack. Moreover, the threat had not recently targeted organizations like this company.
The executive heard the case and agreed with the low-risk assessment. If we hadn’t taken the time to align on risk, we would have ended up spending time and resources on a threat that posed little harm.
This last point is the simplest, but perhaps the most impactful. It requires neither mindset shifts nor strategic redirections. It is, instead, a small structural change to how we write reports.
We are talking about BLUF-ing, or putting the “bottom line up front.”
Especially in threat intelligence circles, we have a habit of producing long, detailed reports stretching for 20, maybe 30 pages, encompassing deep dives into all the new information we have to share.
We might find this all interesting, but many executives look at it and think “TLDR—too long, didn’t read!”
When you BLUF, you start with the bottom line right out of the gate: Here’s what’s happened. Here’s what you need to worry about. Here’s our assessment of the situation, and what we think we should do about it.
The rest of the report can still be a deep dive for those readers who want it. But a digestible summary—grounded in pertinent, concrete detail—is often enough for business leaders to make an informed decision.
To close the cybersecurity comms gap, what we ultimately need to do is translate the technical terms of our art into a language of urgency and impact that resonates with business leaders.
By changing our approach to communication, we can also change the business’s perception of security: from another line item to a critical investment that helps the organization operate, innovate and thrive.