A new survey has highlighted a disconnect between the importance organisations place on threat intelligence and their ability to implement it effectively.
The research, conducted by Cyware, collected responses from 100 cybersecurity executives and professionals working across enterprises, government agencies, and service providers. Nearly all respondents (92%) described operationalising threat intelligence as either "absolutely crucial" or "very important" in their organisations' efforts to combat cyber threats.
Despite this consensus, only 13% of those surveyed reported satisfaction with their automation between cyber threat intelligence (CTI) and security operations (SecOps) tools. The survey also found that nearly 40% of participants experienced difficulty coordinating data between critical security systems such as Threat Intelligence Platforms (TIPs), Security Information and Event Management (SIEM) tools, and vulnerability management platforms.
Speaking on the findings, Anuj Goel, Co-founder and Chief Executive Officer of Cyware, stated: "The RSAC survey data reveals a serious gap between that belief and the operational reality. Threat intelligence isn't just about collecting data - it's about connecting people, processes, and platforms to act on it. These findings reinforce the need for more unified, automated, and collaborative approaches to security operations."
Internal collaboration and automation maturity were flagged as key areas where organisations fall short. Although almost all those surveyed regard threat intelligence sharing as fundamental, only a small proportion felt their automation systems worked well in practice.
Artificial intelligence (AI) is seen as a promising area for improving threat intelligence processes, with 78% of respondents believing AI will enhance threat intel sharing within their organisations. However, only 43% reported that AI has already made a meaningful impact, pointing to difficulties in implementing AI solutions and integrating them into existing security processes.
The Cyware survey also drew attention to the timeliness of threat intelligence sharing. Only 17% of teams said they disseminate threat intelligence among key roles — such as SecOps, incident response, and vulnerability management - in real time, while another 25% do so on a daily basis. At the same time, 22% indicated that information is shared infrequently or not at all, raising questions about internal communication and responsiveness to emerging threats.
External collaboration with industry peers for the purpose of improving threat intelligence is another area identified for additional growth. According to the survey, while 57% of respondents claimed that their organisation collaborates with other companies in their sector, a significant 30% were unsure if this kind of peer cooperation even exists at their workplace.
Automation challenges remain evident, with more than half (56%) of survey participants reporting significant or moderate obstacles in automating workflows across CTI and SecOps teams. This suggests that technical, procedural, or organisational hurdles are hampering efforts to scale effective threat intelligence practices.
Additionally, participation in Information Sharing and Analysis Centres (ISACs) or similar organisations is relatively low. Only 18% confirmed their organisation is involved with such groups, while 45% were unaware of any such participation. The lack of engagement or awareness about ISACs could be limiting access to valuable, sector-specific threat information, potentially reinforcing the existing silos within the threat intelligence community.
The survey's findings align with a broader trend: as cyber threats evolve and become more complex, organisations face mounting pressure to bridge the gap between recognising the importance of threat intelligence and actually executing it through internal collaboration, real-time sharing, automation, and peer engagement.
