A word on strategic intelligence requirements

The Cyber Threat Intelligence (CTI) industry is maturing, and CTI teams have shown a definite desire to flex their capabilities and move beyond the Security Operations Center (SOC). However, this push to a more “strategic” offering has proven difficult for many.

One of the problems with implementing the government intelligence model in the private sector space is the disconnect between what the CTI team does and what actually concerns the organization. This detachment becomes especially apparent when a CTI team is trying to grow and mature from just juggling Indicators of Compromise (IoC) to performing more strategic intelligence work. We often see that when an intelligence team is trying to develop strategic intelligence requirements, they are not tying the result of collecting against and satisfying those requirements to the business’ expressed concerns. The struggle to make use of intelligence requirements is not surprising. How do you guide strategic decision-making without input from the decision-makers? How do you even start that conversation?

Every year the US Government Intelligence Community’s leadership pushes out a “Top 20” of sorts listing the hottest topics in which the government is interested. These ‘intelligence directives’ are intended to provide general guidance for all the subordinate IC organizations. Now, to be sure, not all day-to-day intelligence operations will necessarily align with these general directives. Still, you can bet the bean-counters handing out annual budget allocations have some way to measure how well the IC organizations, in general, align their efforts against those directives. Private-sector CTI teams wishing they had something similar to utilize are in luck!

Our consulting clients, who are usually intel teams trying to “take the next step” in becoming more strategic and better support their CISO, often struggle to understand what their organization’s higher-level “intelligence directives” are. However, there is an excellent document readily available to help them (at least for those companies that file with the SEC every year) — their organization’s 10-K. Following the forward-looking statements, the organization highlights to the SEC and the world that there are specific “Risk Factors” that may impact their ability to conduct business, and more importantly, be profitable. If there ever was a ready-made list of “stuff our organization cares about,” this is it.

(Note: This is not just for intelligence teams. For any information security organization looking to develop metrics, being able to show effort and progress in ensuring none of the risks identified in the 10-K come to be is a great place to start! Additionally, I would say that for any employee who wants to see the “big picture,” this document is also a great place to start.)

Here’s an example of one of the Risk Factors in a company’s 10-K filing:

“The continuous operation of our information systems is critical to our success, and a significant disruption could have a material adverse effect on our business.”

So, information systems going down would be very bad, cost lots of money, and, depending on the type of interruption, could be catastrophic to the business. You better believe the risk management team has a solid idea of what that actual cost would be! So my question is, does the information security organization, specifically the intelligence team, also know this cost?

When we work with an intelligence team on developing their strategic intelligence requirements, we will often ask them how the questions they are asking, if answered, align with their company’s identified risk factors. For example, an intelligence requirement we commonly see is this: “Identify any threat actors who are targeting Company X.” Does writing a report that answers that requirement positively impact the company’s risk mitigation effort? How so?

Now, take that requirement and align it against the Risk Factor (or, Intelligence Directive, if you will) that we have on hand — “Continuous operation of our IS is critical to our success.” What do you think? It’s almost as if our general requirement about threat actors would make you ask even more questions just to know where to get started.

So, now, if you are the intelligence team looking to help your CISO answer more strategic questions, you might start by speaking to what the organization reports as their most critical risks. If your company files with the SEC, then the 10-K is an excellent place to begin. If your organization is privately held, I am confident there is still a list of higher-level risks the leadership has identified as critical to the success of the business — begin your journey of developing strategic requirements there. Remember, to demonstrate value, the questions you answer and the products you produce should all somehow tie back to that list of critical risk factors.

Cheers!
