SecurityWeek

Incident Response

Elevate Your Intelligence Game

Over the past five years, cyber threat intelligence (CTI) has become one of the fastest growing elements in the cybersecurity space. Gartner expects as much as $2.3 billion to be spent on it by 2023.

Across the globe, private industry has moved from a nearly complete lack of understanding of the differences between data, information and intelligence to an understanding of the benefits of becoming proactive through intelligence-driven cybersecurity. We still have a long way to go. Some industries are outpacing others, but the trend toward increased understanding and maturity in CTI is undeniable. 

I’ve previously talked about moving from the concept of CTI to “intelligence” as a function, giving it a larger mandate and a better value proposition. With this in mind, let’s consider the next great leap forward in this space: where we place intelligence teams and whom those teams serve.

Most organizations’ CTI teams are housed in the Security Operations Center (SOC). CTI is usually buried beneath the defensive side, or “blue team,” of a SOC and primarily driven to support the needs of defensive cyber operations. While this may be a logical place to put CTI, it is not where an intelligence team belongs.

The challenge lies in the birth of CTI, which was originally seen as a means to become more proactive defensively by understanding threats outside the client environment through the application of intelligence standards and practices. CTI was a giant leap ahead in cybersecurity thinking, but the CTI-based approach greatly underestimates the impact intelligence teams can have on enterprises, an impact that can go far beyond defensive cyber operations and create greater value for the same budget expenditure.

When we stop thinking in terms of CTI and start to think in terms of intelligence, we can envision a larger mandate with a broader internal corporate customer base and the possibility of providing value externally to customers, partners, and industry counterparts (e.g., ISACs). While a CTI team may be limited to SOC operations, an intelligence team can serve enterprise-wide concerns. These include physical security, insider threat, procurement, mergers and acquisitions, and corporate strategy, to name a few. We employ intelligence analysts and researchers, empower them with broad access within our environment, and afford them incredible tools and external sources. We should not limit the value of all that investment to serving only the needs of the SOC. We need to think bigger!

In that vein, where do we put this “new” intelligence team? If we keep intelligence in the SOC as we have CTI, the team will be driven to focus primarily, if not solely, on SOC priorities. SOC managers put their assets to work against their own objectives because that is how their success is judged. It makes perfect sense that the SOC would want to focus everyone in the organization on its mission of defensive cyber operations. Intelligence teams given broader mandates to support intelligence needs beyond the SOC do not belong in it.

Ultimately, enterprises are best served by intelligence reporting directly to the CEO or a proxy in the C-Suite. The benefits of moving intelligence teams to this level are: 


• The intelligence team is relieved of political pressures that would unduly influence the prioritization of intelligence support.

• Intelligence requirements can be gathered, validated, and codified in conjunction with corporate needs rather than those of any individual business unit.

• The budget for intelligence, which can run to several million dollars a year to build and operate for a large enterprise, can be spread across all supported business units.

• Intelligence can be implemented as a service with a charge-back model, or can be included as a line item in the corporation’s annual overhead budget, just as companies do for physical security today.

Elevating from the CTI team concept (with the only intelligence-like function of a corporation buried in a SOC and focused on tactical and operational needs) to an “intelligence team” concept (where intelligence leverages its considerable talent and access to protect the larger enterprise and customer base) is the next generation of intelligence practice within the private sector. Companies that move to this model first will lead their industries both philosophically and operationally in terms of proactive security.

Related: Moving From Cyber Threat Intelligence to Intelligence
