elevenM’s Jonathan Topham and Arjun Ramachandran explain the concept of a “pacing threat” and how it can be used to guide investment and deliver the most important security and business outcomes.
When building cyber defences, most organisations consider a wide array of potential adversaries. These can range from state-sponsored groups and organised cybercriminals to hacktivists, thrill-seekers, malicious insiders and even negligent staff and trusted partners.
At some level, each of these actor groups could conceivably target or harm your business. But trying to defend against all of them equally (or close to) is not only unrealistic — it’s inefficient. That’s why in client engagements we use the idea of a “pacing threat” to drive a more focused and effective cyber strategy.
What is a pacing threat?
Like many ideas in cyber security, the idea of a pacing threat originates in military and strategic planning. In short, it refers to the most capable and likely adversary that should define the focus and direction of a nation’s preparation and defensive efforts. It’s easy to see how this would apply to cyber security: your pacing threat is the cyber threat actor whose tactics, motivations and capabilities should most shape your program’s priorities, investments, and controls.
The specific pacing threat will differ from organisation to organisation, industry to industry. For a hospital or major bank, it might be financially motivated ransomware groups capable of disrupting critical systems. But for a defence contractor, it’s more likely to be state-sponsored or espionage-focused actors seeking intellectual property.
For most private sector organisations, financially motivated cybercrime groups tend to be the most prevalent and disruptive adversary. This tends to be borne out by global threat intelligence, and often by data observed by internal cyber security teams about the types and sources of malicious activity.
The reality of financially motivated cybercrime groups being the pacing threat for many organisations is also a natural outcome of the now globalised cybercrime economy. Financially motivated cybercriminals operate at industrial scale and increasingly use AI tools, and the volume of attacks they can generate makes them a dominant force around which most organisations must design their defences.
Why is the pacing threat important?
Trying to defend against every possible adversary leads to diffusion of focus and inefficient spending. Cyber security budgets are finite, and cyber teams must prioritise.
By identifying your pacing threat, you are better placed to prioritise investment in the most relevant controls and detection and response capabilities. You’re also more likely to tailor your incident response planning to the most likely scenarios your organisation will face.
It’s not only about security outcomes. Cyber security leaders speak often about a desire to “enable the business”. A sharper understanding of your pacing threat supports this by helping you to better calibrate your risk appetite to the appropriate level and avoid overengineering your security control environment for rare or improbable threats.
In a hypothetical example, if a retail organisation over-indexed on defending against state-sponsored espionage (thus misunderstanding its pacing threat), it might impose excessive access restrictions and bureaucratic friction that stifles innovation and frustrates customers — without materially reducing the real-world risk of ransomware or account takeover.
A key word of warning
Understanding your pacing threat doesn’t mean ignoring other threats or risks. It simply means anchoring and baselining your cyber program around the most likely adversary. For instance, even if you are a bank focused on cyber criminals, you still need a plan for when hacktivists who might not agree with your investments decide to target you.
Insider threat is also a prominent threat that deserves heightened focus, as laid out by recent reporting about the prevalence of North Korean government-backed individuals operating as IT contractors inside global companies.
A final word
Like most things in cyber security, understanding your pacing threat isn’t a one-time exercise. Threat landscapes evolve, business models change, and adversaries adapt.
Cyber threat intelligence obviously plays a central role, by continuously assessing which actor groups are most active against your industry and the tactics they are using. These insights will obviously inform control design, but should also feed into your strategic risk conversations, to shape everything from strategy and policy to investment and recruitment.
If you’re interested in learning more about how to define your pacing threat, or about our cyber security services, please contact us.