Many organizations use threat intelligence from industry peers to prioritize vulnerability management and assign criticality when there is not enough existing information directly about their organization or their organization’s critical assets. While this is a natural political response to frame the narrative to allow budgetary approval to build certain aspects of the security program, organizations need to defend specific to their own technology stack and assets, incorporate the proper tooling around this stack, and be able to log events at scale. 

If a security program indicates that their industry peers are being targeted by a variety of different threats broken down by industry, the narrative around this argument will likely be a more persuasive argument for non-technical business executives approving budgets.