Perspectives from the Head of CISO Engagement: Mind of CISO: Closing the Gap Between Reaction and Readiness Report

By Brian Brown · June 10, 2025

Thoughts from a former CISO

As a former CISO, I eagerly await each edition of the Trellix Mind of CISO report. So much of the focus in cybersecurity is on low-level details - what threat actor is responsible for the latest attack? What data breach occurred last week that affected the reputation of an organization like mine? These are all important points to keep on top of in daily operations, but sometimes it’s good to take a step back and get some perspective. Mind of the CISO gives us an opportunity to learn from the collective - 500 C-level participants sharing their top-of-mind issues and challenges. I always learn something that helps ground me and my thinking, and for this report, the major theme is threat intelligence (TI), which is vital for your cybersecurity strategy.

Knowledge is power. Cybersecurity is fueled by this principle, centered on threat intelligence. While that is absolutely true, our survey revealed that there’s a lot more to the story than just having threat intelligence in cyber products and technologies in order to unlock the desired “power” to fight the adversary.

Key highlights from the survey

Our survey indicates that the vast majority of organizations struggle to make sense of and truly operationalize their threat intelligence assets.

• Influence by Nation States - the vast majority of respondents indicated that both budget (85%) and strategy (87%) are influenced by Nation State actors, indicating a high degree of risk, whether real or perceived. A preponderance of boards are asking CISOs about Nation States (89%).
• Intelligence is not leveraged to the extent that it could be - 60% of organizations have not fully integrated TI into their wider strategy, and more than half of CISOs currently use threat intelligence reactively (56%) vs proactively (44%).
• AI is still emerging - only 33% believe AI-driven analytics would help them, but are reluctant to lean in on automation (37%).
• Sharing is caring: information sharing via communities is highly valued, with 95% desiring more intelligence sharing amongst peers. TI tooling is the #1 ask for collaboration advice (53%).

In a recent ISACA Journal article, author Jack Freund makes the point, “cyberrisk models influence high-stakes decisions, from cybersecurity investments to regulatory compliance and incident response. Ensuring that these models are built on a foundation of trust enhances their adoption and impact.”* Given the confluence of factors highlighted above from the survey, you may be asking yourself, “how do I formulate a path forward in light of all of those challenges?”.

Like many of you, I rely on models and frameworks that have been developed to help assess and evaluate current capabilities and guide a path forward. While many of the larger cyber evaluation frameworks, such as NIST-CSF, ISO/IEC 27001, or TOGAF, may include aspects of TI, there has traditionally been a gap around deep assessment of TI capabilities in a structured manner.

Why assessing your capabilities is important

Recognizing that wrapping your arms around a threat intelligence program and making it truly effective - i.e. operationalizing your TI capability - is difficult, Trellix is leaning into methods to assist our customers. As a contributor to the Cyber Threat Intelligence Capability and Maturity Model (CTI-CMM, https://cti-cmm.org/), we’ve provided insight and wisdom on how to evaluate your TI capabilities and map them onto your own risk tolerance profile.

One of the key aspects that emerged from the Mind of the CISO, as noted above, is a strong desire to share recommendations on threat intelligence tooling. While product-related recommendations are always valuable, understanding how and where to improve aspects such as threat intelligence consumption, integration, and operationalization is the focus for the domains of the CTI-CMM. Correlating that assessment against products and technologies helps to map out the journey and provide a future state for the operationalization of threat intelligence.

Where to start

After reviewing the latest Mind of the CISO report, I’d encourage you to consider your organization’s threat intelligence maturity journey. How do you rate your capabilities in light of your risk tolerance? Do you know what areas could be rapidly addressed for quick wins versus those that would take more time and effort? Do you have a structured way to map out your risk tolerance against deployed controls to accurately assess gaps?

Answering those questions may seem like a daunting task with all of the assessment areas in the CTI-CMM. If taking on a full mapping framework exercise isn't feasible in the short term, there are still ways to utilize the framework and break it down into smaller, more manageable "bite-sized" chunks. With this in mind, Trellix has developed a set of resources to assist, including:

• Review the latest Threat Reports from the Advanced Research Center and download a whitepaper on building an Adaptive Defense Model.
• Overview of Threat Intelligence products and services
• Events and activities you and your team can participate in that help evaluate and assess your ability to operationalize threat intelligence, including webinars, workshops, and virtual summits

Each Mind of the CISO report brings new insights into a global collective of cybersecurity leaders who are on the front lines of the battle every day. Supporting the CISO is a focus for us at Trellix, and helping you operationalize threat intelligence is one of the key outcomes we’re focusing on in our events, products, and services. Take the time to review the latest report and weigh in on your maturity journey by commenting on social channels, participating in webinars and workshops, and reaching out directly to discuss your threat intelligence maturity journey.

Additional Resources:

• Download the Mind of CISO: Closing the gap between reaction and readiness report
• Discover the latest cybersecurity research from the Trellix Advanced Research Center

^*”A Multilayered Framework for Trusting Cyberrisk Models” - Jack Freund, ISACA