
Four Things to Consider as You Mature Your Threat Intel Program

If you want to begin, or improve, sharing customized intelligence with key users, consider these four aspects as you develop your process.

When ESG recently asked security professionals to identify the attributes of a mature threat intelligence program, the top response was “information dissemination with reports customized for consumption by specific individuals and groups”. However, many organizations don’t have mature threat intelligence programs and have yet to achieve this. ESG’s Jon Oltsik cites the 80/20 rule, where “80% of organizations have basic threat intelligence programs while only 20% are more advanced.”

Sharing customized threat intelligence with key users is not just a sign that your threat intel program is maturing; it’s a great way to build deeper understanding, demonstrate value, and garner broader support for the program. If you want to begin, or improve, sharing customized intelligence with key users, consider these four aspects as you develop your process.

1. Function. The threat intelligence team’s role is to provide products or services to many different internal customers, and each has different threat intel requirements to support their specific use cases. For example:

  • The security operations center (SOC) needs indicators of compromise that have been contextualized to show they are relevant and high priority so they can add them to their SIEM watchlist for monitoring.
  • Threat hunters need details of campaigns being run and adversaries’ motivations, targets and tactics, techniques and procedures (TTPs), so they can look for activity that has bypassed defenses.
  • The incident response (IR) team needs threat intel around adversaries, campaigns and the infrastructure used so they can accelerate comprehensive response.
  • Vulnerability management teams need threat intel to help them understand their threat landscape and the likelihood of a vulnerability being exploited by adversaries that target the organization so they can prioritize patching.
  • Executive leadership at the business unit, C-suite and board levels needs metrics that matter to them and that instill confidence that the organization is taking the right steps to maintain a strong security posture and is able to mitigate damage when an attack happens.

2. Form. There is no “one way” to communicate. Different teams speak different languages and will apply threat intelligence in different ways, so it’s important to take the time to learn what type of communication will be most effective. For many technical teams, actual feeds and dashboards work well, directly delivering the threat intel they need to do their specific jobs. Meanwhile, for executives and boards, a customized dashboard may work well for some and a PDF may be better for others. Either way, the content itself should be easily digestible and relevant to business leaders. Sticking with the typical metrics generated around number of events, alerts and incidents per month has far less impact than an update that contains the “who, what, when, where and why” of a thwarted attack, or whether or not they should be concerned about a recent attack that made the headlines.

3. Frequency. Each team also has very different expectations and requirements when it comes to how often they need to receive threat intelligence. In security, the more time that passes, the more damage can be done. Additionally, many security teams are focused on being proactive, so speed is of the essence. But sharing data that hasn’t been vetted and contextualized for relevance to the organization ends up wasting valuable time. Threat intel teams can use automation to augment and enrich data with context, so teams get the right data faster and can easily prioritize it for analysis and action. 

Executives and board members have different requirements. Establishing a regular schedule for more formal communications, at a minimum quarterly, is a good start. However, threat intel teams should also be prepared to field ad hoc questions when a new vulnerability or threat is in the news and the CEO asks: “What is it?”, “Does it pertain to us?”, “How are we impacted?” or “What are we doing to defend ourselves?”

4. Feedback. Finally, it’s important to ask your different customers for feedback to make sure they are getting what they need, how and when they need it. Advancing your threat intelligence program is a two-way street. You need to hear how your service is being used and, if it isn’t, you need to understand why and adjust accordingly. Tweak the format, further customize the threat intel, change the frequency – do whatever it takes to ensure the program is delivering value and is considered a crucial tool for each of your organization’s security teams and leadership.

We’re halfway through 2023 and for many teams this is a good time to step back and measure progress against goals set at the beginning of the year. If one of your goals was to mature your threat intelligence program, conduct an honest assessment of how well you are doing at sharing threat intelligence with your different internal customers. There’s time to make relatively easy but high-impact adjustments to showcase the value the threat intelligence program provides and turn it into a go-to resource that will strengthen your case for additional investment when budgeting season rolls around.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
