Why Security Standards Lag Behind Threats—And How to Stay Ahead | Steve Winterfeld, Akamai | TFiR

Guest: Steve Winterfeld, Advisory CISO at Akamai

Security standards provide structure, but they can’t keep pace with adversaries. By the time OWASP publishes guidance on large language model vulnerabilities or NIST documents zero trust architecture best practices, threat actors have already pivoted to new attack vectors. The lag isn’t incompetence—it’s structural.

Steve Winterfeld, Advisory CISO at Akamai, breaks down why standards will always trail the threat landscape—and where security leaders should look instead. “It is hard to be agile or to move at internet or cyber speed,” he explains. In a recent conversation with TFiR, Winterfeld outlined the intelligence sources and communities that give CISOs early warning before threats become formalized standards.

The Structural Lag of Security Standards

Standards organizations face an unavoidable timeline problem. Before OWASP or NIST can publish guidance, they need enough attack data to establish patterns. “Large language models start to be used. Well, there’s a tipping point where enough of them are out there that I can start gathering data, and then I start gathering data and correlating what are the most common attacks,” Winterfeld says.

Once the data exists, committees must review it, debate mitigation strategies, draft documentation, and reach consensus. By the time the standard is published, attackers have already adapted. The standard tells you what happened six to twelve months ago—not what’s happening now.

This doesn’t make standards useless. Frameworks like the OWASP Top Ten and the NIST SP 800 series are essential for building foundational security programs and demonstrating due diligence. But for emerging threats—AI-accelerated attacks, novel supply chain compromises, or new exploitation techniques—standards are rearview mirrors, not windshields.

Where to Get Early Threat Intelligence

Winterfeld’s strategy is community-first. Instead of waiting for formal publications, he engages with the organizations and networks where threat patterns surface before they’re documented.

Local OWASP Chapters: National OWASP releases may lag, but local chapters often surface emerging threats in real time. “If you’re going to your local OWASP chapter, you’re going to find out before the final regulation is out,” Winterfeld notes. These chapters are where practitioners share attack patterns they’re seeing in production—before the data has been aggregated and formalized.

FBI InfraGard: This public-private partnership gives members early access to threat intelligence from federal law enforcement. “If you’re a member of FBI’s InfraGard, you’re going to get data earlier,” Winterfeld says. InfraGard members receive classified briefings, threat alerts, and incident response coordination that never makes it into public standards.

Industry ISACs: For sector-specific threats, Information Sharing and Analysis Centers (ISACs) offer peer-to-peer intelligence sharing. Financial services organizations should join FS-ISAC. Energy companies have E-ISAC. Healthcare has H-ISAC. “If you’re in an industry that has an ISAC, get involved there and get in early on it,” Winterfeld advises.

These communities operate faster than standards bodies because they prioritize speed over consensus. Members share indicators of compromise, attack techniques, and mitigation strategies in near real-time—often within hours of detection.

Threat Intelligence Reports as Leading Indicators

Beyond community engagement, Winterfeld relies on vendor-published threat intelligence reports to identify attack trend shifts. “I spent a lot of time reading things like Akamai’s State of the Internet cyber security reports, and I’m going to see a shift in attack trends there before I see it in a standard,” he explains.

These reports aggregate data from thousands of customers and millions of endpoints, providing visibility into emerging attack patterns before they reach the critical mass needed for standards documentation. When Akamai publishes data on DDoS attack volumes, API abuse trends, or credential stuffing campaigns, it’s reflecting threats that are active now—not threats that were common a year ago.

Other leading threat intelligence sources include CrowdStrike’s Global Threat Report, Mandiant’s M-Trends, and Verizon’s Data Breach Investigations Report. These publications offer tactical intelligence—specific techniques, common vulnerabilities, and adversary tradecraft—that won’t appear in standards for months.

Standards Tell You What Happened. Threat Intel Tells You What’s Coming.

Winterfeld’s approach balances foundation with agility. Use standards like NIST and OWASP to build baseline security programs and satisfy compliance requirements. But for emerging threats—especially those tied to new technologies like AI, quantum computing, or edge infrastructure—lean on communities and threat intelligence.

“The standards are always going to be slower,” Winterfeld says. For CISOs trying to stay ahead of attackers instead of just documenting what happened, that means investing time in the communities and intelligence sources where threats surface first—before they become yesterday’s news in a formal standard.
