Organizations are spending on threat intelligence, but ESG research reveals CTI may not be getting a good return on investment.

When I asked CISOs about their cyber threat intelligence (CTI) programs about five years ago, I got two distinct responses. Large, well-resourced enterprises were investing in their threat intelligence programs with the goal of better operationalizing it for tactical, operational, and strategic purposes. Smaller, resource-constrained and SMB organizations often recognized the value of threat intelligence, but didn’t have the staff, skills, or budgets for investment. For these organizations, threat intelligence programs were nothing more than blocking indicators of compromise (IoCs) with firewalls, endpoint security software, email gateways, or web proxies.

Fast forward to 2023 and almost every organization I speak with is consuming threat intelligence feeds, implementing tools, and building a threat intelligence program. New ESG research indicates that 95% of enterprise organizations (those with more than 1,000 employees) have a threat intelligence budget, and 98% plan to increase spending on threat intelligence over the next 12 to 18 months.

Why CISOs struggle with cyber threat intelligence

Yup, CISOs are embracing CTI, learning what they can and trying to use CTI to improve security defenses. This seems like progress, but are these investments translating to CTI program improvement? Not really. Despite budget increases and a proactive strategy, many CTI programs continue to struggle. ESG research indicates that:

- Eighty-five percent of security professionals believe their CTI program requires too many manual processes. This manual slog can include cutting and pasting threat indicators into tools, correlating threat intelligence from different sources, or creating threat intelligence reports. As in any other area, manual processes don’t scale, so they can’t keep up with the pace of today’s threat landscape.

- Eighty-two percent of security professionals agree that CTI programs are often treated as academic exercises. When interviewing security pros as background for this research project, I found this to be a common issue. Threat intelligence analysts who don’t receive proper direction or management oversight do what they want to do: threat intelligence research. This may lead to breakthrough insights about threat actors or the tactics, techniques, and procedures (TTPs) they use to conduct attacks, but still have nothing to do with the intelligence needs of their organizations. This mismatch is way more widespread than most people realize.

- Seventy-two percent of security professionals believe that it is hard to sort through CTI noise to find what’s relevant for their organizations. There’s no shortage of CTI available – open source, industry information sharing and analysis centers (ISACs), commercial feeds, community groups, etc. Finding the needles in this haystack can be a bear. Some organizations simply don’t know what to look for while others suffer from a “more is better” CTI mindset and are buried by an overwhelming volume of information. Either way, they are wasting time on false positive and negative information.

- Seventy-one percent of security professionals say it is difficult for their organizations to measure ROI on their CTI programs. Given that many organizations don’t know what to look for, are overwhelmed by CTI volume, or treat threat intelligence programs like graduate school, this one comes as no surprise. CISOs suffering from one or several of these problems will find it difficult to pinpoint measurable benefits from CTI dollars.

- Sixty-three percent of security professionals say that their organization doesn’t have the right staff or skills to manage an appropriate CTI program. There’s that pesky global cybersecurity skill shortage again, but it goes beyond too many jobs and not enough people. Threat intelligence analysis requires training, experience, and personal attributes like problem solving and strong communications. The research revealed that even large and well-funded companies don’t have the right skills or staff to keep up with intelligence needs.

How can CISOs overcome these issues? I’ll later write about what the research revealed about organizations with mature CTI programs – what they do, how they structure their programs, what they’ve learned over the years, etc. Before I get into nitty-gritty details, here’s a hint: It’s not the CTI as much as it is the CTI program. To achieve success, a CTI program must begin with defined objectives (in this case, tactical, operational, and strategic objectives), strong management, achievable workloads, and a feedback loop for continuous improvement. Additionally, CISOs must be realistic about their capabilities. If it is realistically impossible to build a homegrown CTI program (for short- and long-term intelligence needs), CISOs must seek outside help from service providers, clearly define what they need, and then integrate service provider output into security, IT, and business processes.