Guest: Steve Winterfeld (LinkedIn)
Company: Akamai
Show Name: CISO Insights
Topic: Cybersecurity

Threat intelligence has become one of the most overused terms in cybersecurity — but what really matters is how organizations use it. In a recent discussion, Steve Winterfeld, Advisory CISO at Akamai, broke down how to turn data and reports into concrete, proactive security actions that reduce real-world risk.

Winterfeld, who has been part of Akamai’s ongoing collaboration with FS-ISAC, stressed that intelligence without execution is wasted effort. “Any threat intelligence that isn’t actionable, I have no use for,” he said. The key, he explained, lies in understanding attacker behavior at the destination level and aligning countermeasures with both organizational posture and the DDoS maturity framework.

He began by recommending that organizations start with governance — ensuring continuous vendor assessments and regular health checks for their DDoS providers. “Most companies rely on third-party vendors,” Winterfeld noted. “You need to know what capabilities they really have and whether they’re keeping up with evolving threats.”

Beyond governance, he emphasized revisiting technical controls such as GeoIP filtering, dynamic traffic shaping, and whitelisting. These should be reviewed annually against new attack patterns. He also urged security teams to engage in information-sharing communities like FS-ISAC, learning from peers’ successes and failures. “Understanding what’s working for others — and what isn’t — helps you stay ahead of attackers,” he said.

A critical yet often overlooked step, Winterfeld argued, is operational validation. Regular tabletop exercises, simulated attack drills, and post-incident reviews all play a role in building resilience. But just as important, he said, is communication. “If you successfully blocked five DDoS attacks this year with no customer impact, tell your leadership that,” he explained. “That’s ROI — a tangible return on their security investment.”

The conversation also explored a broader challenge for CISOs: visibility into their own success. Security often gets noticed only when something goes wrong, and quiet periods can create the false impression that nothing needs attention. Winterfeld warns against that mindset. “It’s dangerous not to take credit for what you’ve done,” he said. “You need to show how your team reduced risk, not just completed tasks.”

He also addressed the evolving technology landscape, pointing out that new systems like APIs and large language models bring their own unique vulnerabilities. “The top 10 OWASP risks for web applications aren’t the same for APIs or LLMs,” he explained. “As organizations transform, their security programs need parallel investment to stay aligned.”

Ultimately, Winterfeld’s advice underscores the ongoing journey of cybersecurity maturity — one that balances governance, communication, and adaptability. The path forward isn’t about buying more tools but about turning intelligence into measurable outcomes and making sure leadership sees the value of those outcomes.