Cyber threat intelligence programs: Still crazy after all these years

Apr 06, 2023 · 4 mins
Threat and Vulnerability Management

Organizations are spending on threat intelligence, but ESG research reveals CTI may not be getting a good return on investment.

When I asked CISOs about their cyber threat intelligence (CTI) programs about five years ago, I got two distinct responses. Large, well-resourced enterprises were investing in their threat intelligence programs with the goal of better operationalizing them for tactical, operational, and strategic purposes. Smaller, resource-constrained and SMB organizations often recognized the value of threat intelligence, but didn’t have the staff, skills, or budgets for investment. For these organizations, threat intelligence programs were nothing more than blocking indicators of compromise (IoCs) with firewalls, endpoint security software, email gateways, or web proxies.

Fast forward to 2023 and almost every organization I speak with is consuming threat intelligence feeds, implementing tools, and building a threat intelligence program. New ESG research indicates that 95% of enterprise organizations (those with more than 1,000 employees) have a threat intelligence budget, and 98% plan to increase spending on threat intelligence over the next 12 to 18 months.

Why CISOs struggle with cyber threat intelligence

Yup, CISOs are embracing CTI, learning what they can and trying to use CTI to improve security defenses. This seems like progress, but are these investments translating to CTI program improvement? Not really. Despite budget increases and a proactive strategy, many CTI programs continue to struggle. ESG research indicates that:

  • Eighty-five percent of security professionals believe their CTI program requires too many manual processes. This manual slog can include cutting and pasting threat indicators into tools, correlating threat intelligence from different sources, or creating threat intelligence reports. As in any other area, manual processes don’t scale, so they can’t keep up with the pace of today’s threat landscape.
  • Eighty-two percent of security professionals agree that CTI programs are often treated as academic exercises. When interviewing security pros as background for this research project, I found this to be a common issue. Threat intelligence analysts who don’t receive proper direction or management oversight do what they want to do: threat intelligence research. This may lead to breakthrough insights about threat actors or the tactics, techniques, and procedures (TTPs) they use to conduct attacks, but those insights may still have nothing to do with the intelligence needs of their organizations. This mismatch is way more widespread than most people realize.
  • Seventy-two percent of security professionals believe that it is hard to sort through CTI noise to find what’s relevant for their organizations. There’s no shortage of CTI available – open source, industry information sharing and analysis centers (ISACs), commercial feeds, community groups, etc. Finding the needles in this haystack can be a bear. Some organizations simply don’t know what to look for while others suffer from a “more is better” CTI mindset and are buried by an overwhelming volume of information. Either way, they are wasting time on false positive and negative information.
  • Seventy-one percent of security professionals say it is difficult for their organization to measure the ROI of its CTI program. Given that many organizations don’t know what to look for, are overwhelmed by CTI volume, or treat threat intelligence programs like graduate school, this one comes as no surprise. CISOs suffering from one or several of these problems will find it difficult to pinpoint measurable benefits from CTI dollars.
  • Sixty-three percent of security professionals say that their organization doesn’t have the right staff or skills to manage an appropriate CTI program. There’s that pesky global cybersecurity skill shortage again, but it goes beyond too many jobs and not enough people. Threat intelligence analysis requires training, experience, and personal attributes like problem solving and strong communications. The research revealed that even large and well-funded companies don’t have the right skills or staff to keep up with intelligence needs.

How can CISOs overcome these issues? I’ll later write about what the research revealed about organizations with mature CTI programs – what they do, how they structure their programs, what they’ve learned over the years, etc. Before I get into the nitty-gritty details, here’s a hint: It’s not the CTI as much as it is the CTI program.

To achieve success, a CTI program must begin with defined objectives (in this case, tactical, operational, and strategic objectives), strong management, achievable workloads, and a feedback loop for continuous improvement. Additionally, CISOs must be realistic about their capabilities. If it is realistically impossible to build a homegrown CTI program (for short- and long-term intelligence needs), CISOs must seek outside help from service providers, clearly define what they need, and then integrate service provider output into security, IT, and business processes.

Contributing Writer

Jon Oltsik is a distinguished analyst, fellow, and the founder of ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.