When I asked CISOs about their cyber threat intelligence (CTI) programs about five years ago, I got two distinct responses. Large, well-resourced enterprises were investing in their threat intelligence programs with the goal of better operationalizing it for tactical, operational, and strategic purposes. Smaller, resource-constrained and SMB organizations often recognized the value of threat intelligence, but didn’t have the staff, skills, or budgets for investment. For these organizations, threat intelligence programs were nothing more than blocking indicators of compromise (IoCs) with firewalls, endpoint security software, email gateways, or web proxies.

Fast forward to 2023 and almost every organization I speak with is consuming threat intelligence feeds, implementing tools, and building a threat intelligence program. New ESG research indicates that 95% of enterprise organizations (those with more than 1,000 employees) have a threat intelligence budget, and 98% plan to increase spending on threat intelligence over the next 12 to 18 months.

Why CISOs struggle with cyber threat intelligence

Yup, CISOs are embracing CTI, learning what they can and trying to use CTI to improve security defenses. This seems like progress, but are these investments translating to CTI program improvement? Not really. Despite budget increases and a proactive strategy, many CTI programs continue to struggle. ESG research indicates that:

Eighty-five percent of security professionals believe their CTI program requires too many manual processes. This manual slog can include cutting and pasting threat indicators into tools, correlating threat intelligence from different sources, or creating threat intelligence reports. As in any other area, manual processes don’t scale, so they can’t keep up with the pace of today’s threat landscape.

Eighty-two percent of security professionals believe that CTI programs are often treated as academic exercises.
When interviewing security pros as background for this research project, I found this to be a common issue. Threat intelligence analysts who don’t receive proper direction or management oversight do what they want to do: threat intelligence research. This may lead to breakthrough insights about threat actors or the tactics, techniques, and procedures (TTPs) they use to conduct attacks, but still have nothing to do with the intelligence needs of their organizations. This mismatch is way more widespread than most people realize.

Seventy-two percent of security professionals believe that it is hard to sort through CTI noise to find what’s relevant for their organizations. There’s no shortage of CTI available – open source, industry information sharing and analysis centers (ISACs), commercial feeds, community groups, etc. Finding the needles in this haystack can be a bear. Some organizations simply don’t know what to look for while others suffer from a “more is better” CTI mindset and are buried by an overwhelming volume of information. Either way, they are wasting time on false positive and negative information.

Seventy-one percent of security professionals say it is difficult for their organizations to measure ROI on its CTI program. Given that many organizations don’t know what to look for, are overwhelmed by CTI volume, or treat threat intelligence programs like graduate school, this one comes as no surprise. CISOs suffering from one or several of these problems will find it difficult to pinpoint measurable benefits from CTI dollars.

Sixty-three percent of security professionals say that their organization doesn’t have the right staff or skills to manage an appropriate CTI program. There’s that pesky global cybersecurity skill shortage again, but it goes beyond too many jobs and not enough people.
Threat intelligence analysis requires training, experience, and personal attributes like problem solving and strong communications. The research revealed that even large and well-funded companies don’t have the right skills or staff to keep up with intelligence needs.

How can CISOs overcome these issues? I’ll later write about what the research revealed about organizations with mature CTI programs – what they do, how they structure their programs, what they’ve learned over the years, etc. Before I get into nitty-gritty details, here’s a hint: It’s not the CTI as much as it is the CTI program.

To achieve success, a CTI program must begin with defined objectives (in this case, tactical, operational, and strategic objectives), strong management, achievable workloads, and a feedback loop for continuous improvement. Additionally, CISOs must be realistic about their capabilities. If it is realistically impossible to build a homegrown CTI program (for short- and long-term intelligence needs), CISOs must seek outside help from service providers, clearly define what they need, and then integrate service provider output into security, IT, and business processes.