In 2015, I conducted some in-depth research around enterprise organizations’ consumption, use and sharing of threat intelligence. Time and time again, I heard cybersecurity professionals proclaim that their organizations had to do a better job “operationalizing” threat intelligence. Hmm, sounds like a worthwhile security management goal if I’ve ever heard one. But what exactly does this mean?

Some research may be helpful here. ESG surveyed 304 IT and cybersecurity professionals working at enterprise organizations (more than 1,000 employees) and asked them to identify their organization’s top threat intelligence challenges. The data revealed:

- 32% of organizations have inadvertently blocked legitimate traffic as a result of misinterpreting threat intelligence analysis.
- 32% of organizations say threat intelligence is collected and analyzed by different individuals and groups, so it is difficult to get a holistic perspective on external threats or a clear way to equate external threats with internal security telemetry.
- 31% of organizations are challenged by the workflows associated with threat intelligence collection and analysis.
- 28% of organizations say threat intelligence isn’t as timely or accurate as it needs to be.

Additionally, 26% of organizations claim many threat intelligence feeds need to be normalized before they can be used effectively.

The ESG data illustrates some common threat intelligence program problems. So before organizations “operationalize” threat intelligence, they must address these challenges with the following steps:

1. Rationalize threat intelligence programs. A wide variety of IT and cybersecurity staff purchase and use an assortment of threat intelligence feeds without any type of central oversight. This leads to high costs and low value. CISOs must get their arms around who consumes which threat intelligence for what purposes.
This investigation should expose redundancies and inefficiencies, allowing CISOs to rationalize what they buy and how it is used. Enterprises should also think about centralizing threat intelligence collection and processing, then offer it as a service to various security, compliance and risk constituencies.

2. Establish threat intelligence quality metrics. A lot of threat intelligence is nothing more than redundant data on indicators of compromise (IoC) such as malicious IP addresses, URLs and domains. This information is available as open source, so there is no need to fork over precious budget dollars for commodity data. Alternatively, CISOs must decide on quality metrics for threat intelligence in terms of timeliness, relevance and alignment with their organization’s industry, location, etc. It is also useful to take an “outside-in” perspective on threat intelligence to understand what cyber adversaries are up to in order to anticipate attacks and plan defenses. Arbor Networks ATLAS threat intelligence feeds, FireEye and LookingGlass Cyber Solutions do a good job here.

3. Evaluate threat intelligence inputs and output. Normalizing threat intelligence data to make it useful is an elementary but still pervasive problem. This means organizations need to assess whether they can make threat intelligence actionable in an appropriate timeframe. Standards such as STIX, TAXII and OpenIoC should help.

It’s also important to realize that threat intelligence is a means to an end—“hunting” or incident response—so CISOs have to evaluate how well threat intelligence is integrated with analytics systems such as security information and event management (SIEM) and incident response platforms.
The need for threat intelligence integration is one reason why IBM bought Resilient Systems and why Splunk is committed to open source and standards in this area.

4. Build a realistic plan for threat intelligence sharing. While the U.S. government has stressed the need for public/private threat intelligence sharing partnerships, most enterprise organizations are way behind when it comes to real-time ad hoc threat intelligence sharing. In this case, CISOs should lead an effort that includes IT, legal and business management to establish a plan for what can be shared and when. The goal? Determine a realistic model for threat intelligence sharing and institute a technology project to make this happen.

There’s a lot to do here, and many organizations don’t have the skills or resources for all the necessary steps. Those that fit this description may want to look at threat intelligence platforms such as BrightPoint Security (acquired by ServiceNow), ThreatConnect or ThreatQuotient. Those systems were designed to help with all the steps described above.
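
As an added illustration of steps 2 and 3 (not code from this article or from any vendor named in it), the Python sketch below normalizes two differently formatted IoC feeds into one record shape and then measures how much of a paid feed is already in a free one and how much of the remainder is recent. The feed layouts, field names, sample indicators and the 30-day freshness threshold are all constructed assumptions.

```python
import csv, io, json
from datetime import datetime, timezone

# Constructed sample feeds: documentation-range IP, example domains.
COMMERCIAL_CSV = """indicator,type,first_seen
198.51.100.7,ip,2016-03-01T00:00:00Z
hxxp://bad.example[.]com/login,url,2016-03-09T12:00:00Z
Evil.Example.NET,domain,2016-01-15T00:00:00Z
"""
OPEN_SOURCE_JSON = json.dumps([
    {"ioc": "198.51.100.7", "kind": "IPv4", "seen": 1456790400},
    {"ioc": "evil[.]example[.]net", "kind": "FQDN", "seen": 1452816000},
])
TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "url": "url",
            "domain": "domain", "fqdn": "domain"}

def normalize(value, kind, seen):
    """Return ((type, value), first_seen_utc) in one common shape."""
    kind = TYPE_MAP[kind.lower()]
    value = value.strip().replace("[.]", ".")      # refang defanged dots
    if value.lower().startswith("hxxp"):           # refang defanged scheme
        value = "http" + value[4:]
    if kind != "url":                              # URL paths are case-sensitive
        value = value.lower()
    if isinstance(seen, str):                      # ISO 8601 string
        seen = datetime.strptime(seen, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    else:                                          # Unix epoch seconds
        seen = datetime.fromtimestamp(seen, tz=timezone.utc)
    return (kind, value), seen

def load_csv(text):
    rows = csv.DictReader(io.StringIO(text))
    return dict(normalize(r["indicator"], r["type"], r["first_seen"]) for r in rows)

def load_json(text):
    return dict(normalize(r["ioc"], r["kind"], r["seen"]) for r in json.loads(text))

def quality(paid, free, now, max_age_days=30):
    """Redundancy against the free feed, plus what is both unique and recent."""
    redundant = [k for k in paid if k in free]
    fresh = [k for k in paid if k not in free and (now - paid[k]).days <= max_age_days]
    return {"total": len(paid),
            "redundant_pct": round(100 * len(redundant) / len(paid)),
            "unique_fresh": sorted(fresh)}

if __name__ == "__main__":
    now = datetime(2016, 3, 15, tzinfo=timezone.utc)   # fixed date for the sample
    print(quality(load_csv(COMMERCIAL_CSV), load_json(OPEN_SOURCE_JSON), now))
```

Without the normalization step the domain entry would not match across the two feeds, so the redundancy figure would be understated.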