Why CISOs Should Care About Cyber Threat Intelligence with Joe Cozzupoli

Joe Cozzupoli
Joe Cozzupoli
Principal Security Advisor
Tash Postolovski
Tash Postolovski
Technical Marketing Manager
Why CISOs Should Care About Cyber Threat Intelligence with Joe Cozzupoli
January 14, 2026

Transcript

Tash: Hey, I’m Tash. I’m the marketing manager at Cosive.

Joe: Hi everyone — I’m Joe Cozzupoli, a Principal Security Advisor here at Cosive. I’ve been here just over a month. My background is across multiple vendors, working top-down with the C-suite in a consultative capacity. I’m happy to be here.

CTI and executive decision-making

Tash: Today we’re diving into why the C-suite and CISOs should care about cyber threat intelligence. Why are you passionate about this topic, and why should CISOs and boards care about CTI?

Joe: To me, CTI changes how decisions are made. It gives CISOs and the C-suite clarity on where to invest and what to prioritise. It also gives boards confidence that security spend is tied to real adversary activity. Without CTI, a lot of this becomes guesswork. With CTI, you’ve got evidence-based alignment to the threats that actually matter to your organisation.

Tash: So you see CTI as a way to focus investment and resources on the highest-impact threats — rather than “spray and pray”?

Joe: Exactly. It’s actual intelligence — as the name suggests. You can turn that intelligence into outcomes and prioritise where the board and C-suite put their money, and which projects to run. Better intelligence also trickles down into the SOC: teams aren’t chasing false positives, they’re responding to real alerts. It also helps project and architecture teams align platform choices and policy work to the real threat landscape.

CTI vs monitoring and compliance

Tash: How is CTI different from monitoring or compliance?

Joe: Monitoring tells you what happened inside your environment. Compliance tells you what you should be doing. CTI tells you what adversaries are doing — and what they’re likely to do to organisations like yours. It’s forward-looking and proactive, not just a checklist or a log review.

I think of it like behaviour analytics. If we know what “normal” behaviour looks like for a user, we can detect anomalies. CTI gives you that kind of view for adversaries — what they’re doing to similar organisations in your sector, and where you might be exposed. It helps you focus on what’s relevant. For example, if you’re in financial services, you might not need to spend time on operational technology threats if OT isn’t part of your environment.

What the board gets from CTI

Tash: What’s in it for the board? How do they benefit directly?

Joe: CTI gives boards visibility into live risks — not just theoretical ones. It’s not just a spreadsheet of high/medium/low. CTI uplifts risk reporting with real-world context about what’s happening now.

It also helps inform realistic crisis scenarios and supports compliance requirements — like APRA CPS 234 or regulations relevant to critical infrastructure. It demonstrates that security investment is protecting revenue and continuity.

Boards don’t want technical feeds or indicators. They want answers like: What threats were stopped? Which suppliers added risk? What business impact did we avoid? That’s what good CTI provides.

What good CTI looks like

Tash: What does good CTI look like in practice?

Joe: Everyone has their view, but for me, good CTI has four layers:

  1. Strategic: Sector trends that guide risk appetite and budget.
  2. Operational: Threat focus areas that guide SOC and incident response priorities.
  3. Tactical: Adversary behaviours mapped to frameworks (like MITRE ATT&CK) that shape detections and response.
  4. Technical: High-confidence indicators ready to feed SIEM or EDR platforms.

If you’re missing one of these, you’re either too abstract for decision-makers, or too tactical to influence strategy.

Measuring CTI value

Tash: How should C-suite execs measure the value of CTI?

Joe: The best way is by the decisions CTI changes. Useful metrics include:

  • Reduced detection and containment times
  • Supplier risks identified before contracts are signed
  • Percentage of detection rules tied back to CTI requirements
  • Crisis exercises shaped by intelligence reporting

If CTI isn’t influencing budget, procurement, or crisis planning, it’s not really delivering value.

The future of CTI

Tash: What do you think the future of CTI looks like?

Joe: With emerging tech like AI, CTI will be more integrated into business decision-making. I think we’ll see less “feeds of feeds” for analysts and more board-level insights tied to business outcomes.

The differentiator won’t be how much data you have — it’ll be how well you translate intelligence into executive action.

Common mistakes organisations make

Tash: What are the common mistakes you see organisations make with CTI?

Joe: The biggest mistake is treating CTI as a feed to collect — not an advantage to use. Too many teams drown in indicators without tying them back to business decisions.

Another mistake is failing to tailor CTI requirements to the organisation’s sector and risk appetite. Generic intelligence becomes noise. Tailoring and requirements-setting matter — and that’s where external support can help.

Third-party and supply chain risk

Tash: How does CTI help with third-party and supply chain risk?

Joe: Suppliers are often the softest target. CTI can highlight which vendors or partners are actively being exploited by threat groups. That means you can strengthen onboarding, adjust SLAs, or add compensating controls before you sign or renew contracts.

It becomes proactive assurance — not reactive clean-up. With the volume of supply chain attacks we’ve seen over the last five or six years, CTI is increasingly part of due diligence.

Incident response and resilience

Tash: How can CTI support incident response and resilience?

Joe: Intelligence informs playbooks and detections, so incidents are identified faster and contained earlier. It also feeds crisis simulations so leadership can rehearse decisions against realistic attack scenarios.

It’s not just faster recovery — it’s maintaining continuity when it matters. I always say “when, not if.” You want it to be like a dress rehearsal so you’re not blindsided.

“CTI is too technical for me”

Tash: What’s your message to executives who think CTI is too technical?

Joe: CTI isn’t about technical detail — it’s about business impact. Executives don’t need to know IP addresses or malware hashes. They need to know: What did we stop? Where are we exposed? What’s the plan?

Good CTI translates technical threats into board-ready language and measurable outcomes. It helps align security controls and projects to the business, and helps you stay ahead of adversaries as much as possible.

What CTI looks like for CISOs

Tash: CISOs aren’t sitting in threat intel platforms looking at feeds. What does CTI typically look like for them, and how does it help them make better decisions?

Joe: Typically through reporting dashboards, weekly reports, and monthly summaries. The content needs to be accurate and relevant — not generic. Ideally you’ve got a view tailored to your organisation, and a broader view tailored to your sector.

This influences crisis management planning, budgeting, procurement, and vendor decisions. It also improves technical operations because your SIEM/EDR detections and feeds are actually relevant — so analysts aren’t stuck chasing noise while real threats slip through.

CTI and compliance frameworks

Tash: Regulations like PCI DSS, HIPAA, and others emphasise awareness of the threat landscape. People say CTI programs can help. How do you see that playing out?

Joe: A good CTI program isn’t just a dashboard or a list of feeds. It should feed into other tools — EDR, cloud security platforms, SASE, and so on.

It also supports things like Zero Trust — not as a product, but as a framework. To deploy Zero Trust effectively, you need accurate threat intelligence tailored to your business. That helps make your environment harder to compromise.

And across frameworks like PCI, CPS 234, Essential Eight — these can’t just be tick-box exercises anymore. Businesses are realising that. CTI supports those requirements and helps deliver outcomes.

Ransomware

Tash: Ransomware is top of mind for almost every board. Does CTI have a big role to play in protecting against ransomware?

Joe: Absolutely. It comes back to having the right intelligence for your sector. Is ransomware your biggest threat — or is it something else? If ransomware is a major risk in your sector, CTI helps you understand how it’s happening: phishing, phone-based social engineering, credential abuse, and so on.

The key word is intelligence. That’s how you drive outcomes — and outcomes are what the board and C-suite understand: risk avoided, impact avoided, money saved.

Competing security priorities

Tash: CISOs are under pressure — everyone claims their area is priority one: insider threats, compliance, governance, audits. How would you argue CTI should be top of mind over those competing priorities?

Joe: CTI doesn’t replace those — it helps you prioritise them. In large organisations, you’ll have many managers hearing different priorities from vendors, partners, peers, or media. CTI gives you the intelligence to cut through that noise.

It helps you decide what’s relevant and what’s not. If adversaries in your sector are mostly using social engineering, then that should take priority over less relevant threats like certain DDoS concerns or OT-specific risks (if you don’t have OT). CTI helps CISOs make informed decisions.

Parting words

Tash: As we wrap up, any final parting words for someone who’s sceptical about CTI and wants to understand its value?

Joe: Without CTI, decisions are guesswork. With CTI, decisions are evidence-based and aligned to actual threats. It means you can go to the board or your C-suite peers with evidence: our spend prevented these attacks, and that saved the business money.

Savings can come from not buying every product under the sun — or from preventing attacks that are actually happening in your sector. It’s not trivial, as long as you have a strong CTI program optimised for your organisation and sector — and that’s where we can help.

How Cosive can help

Tash: Vendor hats on for a moment — how can Cosive help someone who’s just starting their CTI journey?

Joe: Reach out to me or the team via LinkedIn, email, or our website. We’re happy to have a conversation to understand what you’re trying to achieve and what you’re doing today. We can run a gap analysis — whether you’re building a CTI program from scratch, optimising an existing program, or looking to join a MISP program. We can help there with our CloudMISP offering.

It starts with that first conversation — understanding what’s going on, and aligning how we can help.

Related posts

Browse all articles
February 21, 2024

Episode #005: Security-focused Code Review for Software Developers with Sid Odgers

Cosive's Software Development Lead, Sid Odgers, is a cybersecurity expert who spends his days building secure software. In this podcast you'll learn how Sid approaches code review to make sure that all code shipped to production is secure as well as high-quality. The checklist and tips shared here are language agnostic and will be of use to any software developer who wants to get better at security.

February 21, 2024

Using MISP Bookmarks with Workflows for Team Coordination

Have you tried the Bookmarks feature in MISP yet? It’s much more powerful than you might think. Bookmarks are incredibly useful because within a team, we need to know what to take action on from all the new MISP events that come in over the last 24 hours. MISP bookmarks give us a way to save searches that help us isolate the signal from the noise. Paired with the Workflow features, they give us some powerful options to get our team on the same page.