In my last CSO article, I looked at a few challenges related to enterprise threat intelligence programs. Security pros pointed to issues like dealing with too many manual processes, sorting through noisy threat intelligence feeds, establishing clear ROI benefits, and managing threat intelligence programs that are little more than an academic exercise for the cyber-threat intelligence (CTI) team.

6 phases of an effective threat intelligence program

Given these pervasive challenges, it’s logical to ask: What does a strong threat intelligence program look like? While different organizations may answer this question with their own unique perspective, one common trait is that successful CTI programs follow an established threat intelligence lifecycle across six phases. (Note: Some threat intelligence lifecycle models are composed of five phases, as they combine items 5 and 6 below.)

1. Planning and direction: At the start of a CTI program, threat analysts meet with executives, line-of-business managers, CISOs, and security teams to define priority intelligence requirements (PIRs). Militaries define a PIR as “an intelligence requirement associated with a decision that will critically affect the overall success of the command's mission.” From a cybersecurity perspective, a PIR could be aligned with protecting critical business systems from adversaries targeting similar systems across an industry or region.
2. Collection: Based on PIR priorities, threat analysts determine the intelligence they need and how to obtain it. They then proceed with data collection accordingly.
3. Processing: Once the data is collected, it needs to be collated, organized, de-duplicated, and checked for data integrity. Effectively, this is the data management phase that translates threat data into human- and machine-readable threat intelligence based on risk, urgency, and priority.
4. Analysis: This is where threat analysts earn their pay. The goal here is to comb through threat intelligence data, looking at adversary chatter, behavior, and the tactics, techniques, and procedures (TTPs) they are using for cyber-attacks. Analysis efforts should be in lockstep with high-priority PIRs.
5. Dissemination: After analyzing CTI based on PIRs, threat analysts compose and distribute reports tailored to the needs of individual consumers across the business, IT, security, and other areas. These reports should be used as inputs for business (M&A, third-party risk management, etc.) and technology (security investments, controls, user entitlements, etc.) decisions.
6. Feedback: Threat analysts’ future activities should be driven by feedback from CTI consumers. Were reports accurate and timely, or did they miss the mark? How could they be upgraded? The goal here is continuous improvement.

Following a CTI lifecycle is a best practice, and many companies adhere to this model. According to recent ESG research, 72% of enterprise organizations (those with 1,000 employees or more) have a formal CTI lifecycle model, 24% follow an informal CTI lifecycle model, and 4% don’t have a CTI lifecycle model but plan on creating one over the next 12 to 18 months.

Roadblocks to threat intelligence best practices

There is good and bad news here. The good news is that most firms recognize CTI best practices by following a threat intelligence lifecycle. The bad news is that many organizations struggle in one or many of the lifecycle phases described above. ESG asked 364 enterprise security professionals which of the six phases was most problematic at their organization. The data reveals:

- Twenty-one percent struggle in the analysis phase. It’s likely organizations don’t have the right data, are overwhelmed with too much data, or don’t have the right analytics skills.
- Eighteen percent struggle in the feedback phase. In this case, threat intelligence consumers are getting useless reports, or they don’t care enough to work with the CTI team on making the process more effective.
- Seventeen percent struggle in the collection phase. Typically, this means that threat analysts don’t know what to collect or adopt a ‘more is better’ strategy and are buried by intelligence volume. It may also indicate that they don’t have clear PIRs from intelligence consumers, so they are winging it a bit.
- Sixteen percent struggle in the production phase. This is likely a technology problem. My guess is that these organizations don’t have the right tools to collect, organize, and manage CTI at scale.
- Fifteen percent struggle in the planning phase. Clearly, these firms don’t have the right working relationship between CTI analysts and consumers, thus they never establish the right PIRs to begin with. These programs are doomed from the start.
- Twelve percent struggle in the dissemination phase. CTI consumers want timely and accurate reports for analysis and decision making. If the CTI team can’t create and distribute them succinctly, they won’t be very valuable.

Enterprise CISOs may be proud of the fact that they’ve invested in CTI lifecycles, but they shouldn’t rest on their laurels. A successful program must be optimized and well-coordinated across all six phases based on upfront PIRs and a continuous feedback loop. CTI lifecycles are a prime example of the saying, “The whole is greater than the sum of its parts.” To optimize CTI program benefits, CISOs must assess CTI lifecycles in detail to uncover and fix process bottlenecks through ALL six phases.