The use of threat intelligence has been standard for CISOs for years, with security chiefs recognizing that the additional data about the threat landscape helps them better prepare for and defend against bad actors.
However, a significant percentage of CISOs say they’re still falling short in their use of threat intelligence.
According to a 2025 report from cybersecurity software maker Trellix titled “The Mind of the CISO: Closing the gap between reaction and readiness,” 95% of surveyed CISOs agreed that being part of a threat intelligence sharing community or network improves their ability to prepare for threats, yet an even greater percentage (98%) said their organization faces barriers when acting on threat intelligence.
Those figures provide just a glimpse at what’s going on, according to security leaders, who say the real challenge isn’t whether CISOs have access to or receive intelligence, as nearly all security teams have some threat intel built into their security tools.
Rather, the question is whether CISOs are effective in using that threat intel and to what degree they can operationalize the intelligence.
Here are five challenges CISOs commonly face in using threat intel effectively — and strategies for overcoming them.
1. Zeroing in on the threat intel most relevant to their business
Threat intel, also known as cyber threat intelligence (CTI), comes to CISOs through various channels; some is free, and much of it is fee-based. Although some CISOs have the resources to gather their own threat intel, most obtain it from government agencies, researchers, and ISACs (information sharing and analysis centers).
CISOs also buy threat intelligence from commercial cybersecurity companies and from vendors that provide intel through feeds and reports and/or through automated updates to the technologies and services they sell to security teams.
But CISOs may find that some threat intelligence feeds aren’t useful for their organizations, says Theresa Lanowitz, chief evangelist at managed security services provider LevelBlue.
The issue isn’t the quality of the feed but rather its applicability to a specific organization.
“There is so much out there, but CISOs need to determine the threat intelligence that is relevant to their own industry and organization,” Lanowitz says.
Some threats, such as ransomware, phishing, and business email compromise attacks, are nearly universal, she explains, while other hacker tactics, techniques, and procedures (TTPs) are more prevalent in some industries than others — or more likely to be used against specific assets versus others.
Lanowitz says CISOs who are most effective in using threat intel know what threats they’re most likely to encounter so they can focus on getting the data that’s tied to those threats.
The approach taken by Chuck Kelser, CISO at tech company Pendo, is a case in point. He joined professional networks of peers in his industry so that he can more accurately identify the most likely threats while also keeping up with emerging threats and getting news on zero-day vulnerabilities.
“This gives us information that we find useful,” he says.
2. Operationalizing threat intel in line with the IT environment’s security posture
Another significant challenge CISOs face is operationalizing threat intelligence once it’s been gathered and analyzed, says Chris Simpson, director of National University’s Center for Cybersecurity.
Simpson says it’s crucial for CISOs to integrate CTI data into the organization’s vulnerability management program, its security information and event management (SIEM) system, its threat hunting efforts, and the like.
While Simpson acknowledges that’s a tough task for many security chiefs, John Denning, CISO at the Financial Services ISAC, says it’s a challenge that can and should be overcome.
“No matter the size of an organization, there should be a seamless process to feed threat intelligence into the defensive technology stack,” Denning says. “This requires the system to be architected, configured, and designed to consume intelligence. Equally important is the ability of the system to generate reporting and metrics to determine the quality and efficacy of the ingested intelligence.”
Additionally, the security team needs enough insights into the organization’s IT environment, business operations, strategy, and sector to effectively operationalize threat intel. Having those insights allows analysts to, first, identify what threat intelligence feeds and reports matter most to the organization and, second, home in on the data within those intelligence reports that’s most meaningful for the organization and its unique security posture so they can put it to use.
3. Filtering out the noise to reduce security workloads
Even when CISOs have relevant intel integrated into their security program, they often still struggle to filter out the noise to focus on the data that actually indicates a potential threat, Simpson says.
Noise is irrelevant or low-value information that doesn’t need immediate, or possibly any, attention or action. Noise could be false positives or benign traffic that is mistakenly flagged as malicious.
If there’s too much noise, security teams — who are already stretched thin — waste valuable time and energy chasing down those nonissues rather than real ones.
There are ways around that. One strategy, according to the 2025 State of Cybersecurity Report from Wipro, is “adopting the ‘Security Data Fabric’ approach that aggregates data from all enterprise security tools to gain enhanced context and insights. This helps security teams reduce false positives and lower [mean time to repair], while optimizing their security stack.”
4. Prioritizing investigation in alignment with organizational objectives and risk appetite
All that work to home in on the most relevant threat intelligence for one’s organization still leaves lots of information for security teams to sort through. While automating responses to threat intel can help reduce the workload further, Allison Wikoff, director and Americas lead for global threat intelligence at PwC, says security teams must still learn to effectively prioritize intel that needs further review.
To do this, security teams need to know organizational objectives and the organization’s assets, in addition to understanding the threat landscape, she says. That allows them to devise and implement a risk-based approach to prioritizing items that their threat intel indicates need further investigation.
“Threat intelligence enables teams to assess relevant threats to their organization and, to the points above, make informed decisions on what needs to be done,” adds David Sandell, CEO of CI-ISAC Australia, which serves the country’s critical infrastructure sector. “Context is key to usable threat intelligence: What’s the threat? How does it eventuate? How complex is it to enact? Who is responsible? Am I likely to be targeted? Am I vulnerable?”
5. Using threat intel to shape strategy
Security teams typically start by using threat intelligence tactically, often to automate low-level security tasks. For example, security tools that block dangerous IP addresses are automatically updated as the tool makers get intel about new addresses deemed problematic.
As security teams mature their use of threat intel, they operationalize CTI. Here, security teams use intel to inform their incident response plans. For example, intel can inform a team about what next steps to expect if they see a certain type of threat within their environment.
The next level on the maturity curve is strategic — the most sophisticated use of threat intel. This is where CISOs integrate intel with the threat landscape, their IT environment, their organization, and their industry to shape strategic decisions within the security function and for the organization overall.
Most CISOs aren’t there yet: The Trellix survey found 60% of surveyed CISOs said their organizations have not fully integrated threat intelligence into their wider cybersecurity strategy.
“Often CISOs only leverage threat intelligence for indicators of compromise, while there are many ways threat intelligence can be integrated into multiple areas of cyber defense and risk management,” Financial Services ISAC’s Denning says. “CISOs who leverage threat intelligence outside of indicators can build an integrated intel-driven defense network for their companies.”
To use threat intel to inform strategy, PwC’s Wikoff says CISOs must effectively communicate the organization’s threat profile upwards so that the board can not only understand it but use that insight to make decisions.
Additionally, CISOs must understand what’s driving the threats coming at them, she says. In other words, they need to know what’s motivating the threat actors. CISOs should be asking questions such as: Are the threat actors most likely to attack me opportunists looking for a quick financial payout? Are they targeting my intellectual property? Or are they hoping to use my systems as a conduit to other targets?
Wikoff says CISOs can use the insights that threat intel gives them, along with the C-suite and board’s organizational risk assessments, to create a security strategy that more accurately and effectively addresses the risks and threats coming at the org.