Here’s a question that should make any enterprise risk management (ERM) professional uncomfortable: How can you manage a risk you don’t even know exists?
In my role leading threat intelligence at Resilience, I work at the intersection of cybersecurity and business risk. And I’ve noticed a persistent gap: many ERM professionals know cyber risk belongs in their framework, but they’re not always sure how to get their arms around it. The digital threat landscape moves faster than traditional risk assessment cycles, and the technical details can feel impenetrable.
That’s where cyber threat intelligence (CTI) comes in. It’s the bridge between what’s happening in the threat landscape and what business leaders need to know to make informed risk decisions. With that in mind, let me show you why CTI should be a core part of your ERM toolkit—and how to actually use it.
What is cyber threat intelligence, really?
Strip away the jargon, and cyber threat intelligence is simply evidence-based knowledge about cyber threats that helps you prevent, prepare for, and respond to attacks. It answers the questions that matter most for risk management:
- Who is targeting us?
- What do they want?
- What methods are they using?
- And most importantly, what can we do to stop them?
CTI isn’t just a feed of technical indicators or a list of vulnerabilities. Done right, it’s decision-ready insight that clarifies which threats truly matter to your organization, why they matter, and what actions you should take to reduce risk.
Why ERM professionals should care
Here’s a scenario planning question I like to pose: If one of your critical vendors was breached tomorrow, who would alert you first? Would it be the vendor themselves, your IT or security teams, or would you learn about it from the news?
The answer to that question tells you a lot about your organization’s cybersecurity maturity.
Let me make the business case for why cyber threat intelligence deserves a seat at the ERM table:
1. It improves risk assessments
CTI helps you identify threats before they materialize into incidents. Risk scores and surface-level risk assessments offer a snapshot, but attackers are evolving in real time. With cyber threat intelligence, you can quantify the likelihood and potential impact of specific threat scenarios based on real-world intelligence about who’s targeting organizations like yours and how successful they’ve been. True risk insight doesn’t come from a score; it comes from knowing your adversary.
2. It supports board and regulator reporting
Your board doesn’t need to understand the technical details of a zero-day exploit. But they do need to understand emerging threat trends and how the organization is responding. CTI provides the non-technical summaries that make cyber risk intelligible to business leaders and enhance your cyber risk disclosures.
3. It strengthens scenario planning
Want to build realistic tabletop exercises or stress-test your incident response plans? CTI gives you the real-world attack scenarios to make those exercises meaningful. You can test your controls against the actual tactics being used by threat actors targeting your industry, technologies, and vendors.
4. It enables faster response and coordination
When an incident occurs, CTI provides clarity on threat actor motives and likely next steps. This intelligence helps bridge the gap between your IT and security teams, who are focused on technical containment, and your business leaders, who need to understand business impact and make strategic decisions.
Case study: The Oracle cloud breach
Let me give you a real example. In March 2025, attackers exploited an unpatched vulnerability to compromise Oracle’s legacy cloud infrastructure. The breach created immediate risk across multiple dimensions: credential compromise and unauthorized access, business continuity and service disruptions, regulatory and compliance exposure from the exfiltration of sensitive data, reputational damage, and widespread uncertainty among customers.
For organizations with strong threat intelligence capabilities, the response looked very different than for those without. Organizations that leveraged CTI were generally able to:
- Identify indicators of what data was stolen, weeks before receiving official notification from Oracle
- Map which of their accounts had elevated access exposure and prioritize containment efforts
- Enable rapid risk communication to leadership with clear, evidence-based assessments
- Provide board-level reporting with specific impact analysis
Organizations without CTI were left waiting for official statements and scrambling to understand their exposure. That time gap matters when you’re trying to manage cascading risk across your organization.
Integrating CTI into your ERM framework
The good news is that threat intelligence fits naturally into the ERM frameworks you’re already using. Here’s how to make it operational:
Step 1: Align CTI with risk identification
Strategic threat intelligence should feed directly into your risk identification process. When you’re cataloging enterprise risks, CTI tells you which cyber threats are actually relevant to your organization based on your industry, geography, technology stack, and threat actor interest.
Step 2: Operationalize intelligence through mapping
Connect the dots between threats and assets. Start by identifying your critical assets: the systems, data, and processes that would create a significant business impact if compromised. Then map the threats to those assets based on intelligence about what attackers are targeting and how. This creates specific, actionable risk statements rather than generic cyber risk categories.
Step 3: Enable risk assessment
Use CTI to inform your impact analysis, likelihood assessments, and risk quantification. Intelligence about threat actor capabilities, historical attack success rates, and industry-specific targeting patterns gives you the data to move beyond guesswork in your risk assessments.
Step 4: Support risk response and mitigation
Threat intelligence helps you prioritize which controls and mitigations will be most effective against the threats you actually face. It’s the difference between implementing generic security controls and building defenses tailored to the adversaries targeting your organization.
Step 5: Enable strategic reporting and governance
Finally, CTI provides the foundation for meaningful C-suite and board reporting on cyber risk. It informs your risk appetite discussions with current intelligence about the threat landscape and supports continuous monitoring of how that landscape is evolving.
One question to ask as you get started
If you’re an ERM professional reading this and wondering where to start, here’s my recommendation. Ask your security or IT team this question:
“What threat actors are targeting our industry right now, and how are we preparing?”
The quality of the answer you get will tell you a lot about your organization’s threat intelligence maturity. If you get a detailed, evidence-based response that connects threat actor activity to specific business risks and mitigation strategies, you’re in good shape. If you get vague generalities or blank stares, you’ve identified a gap.
Threat intelligence reduces uncertainty in a rapidly changing digital world. It helps you see around corners before risks become losses. And here’s the most important thing I want ERM professionals to understand: You don’t need to be technical to use it. You just need to connect it to business risk.
The digital threat landscape isn’t slowing down. The question is whether your risk management approach can keep pace. Integrating cyber threat intelligence into your ERM framework isn’t just about better cybersecurity; it’s about better risk management, period.





