The Cyber Threat Intelligence (CTI) industry is maturing, and CTI teams have a definite desire to flex their capabilities and move beyond the Security Operations Center (SOC). However, this push toward a more “strategic” offering has proven difficult for many.
“What is it you would say you do here…?”
One of the problems with implementing the government intelligence model in the private sector is the disconnect between what the CTI team does and what actually concerns the organization. This detachment becomes especially apparent when a CTI team is trying to grow and mature from just juggling Indicators of Compromise (IoC) to performing more strategic intelligence work. We often see that when an intelligence team is trying to develop strategic intelligence requirements, they are not tying the result of collecting against and satisfying those requirements to the business’ expressed concerns. The struggle to make use of intelligence requirements is not surprising. How do you guide strategic decision-making without input from the decision-makers? How do you even start that conversation?
Well, how does the government do it?
Every year the US Government Intelligence Community’s leadership pushes out a “Top 20” of sorts listing the hottest topics in which the government is interested. These ‘intelligence directives’ are intended to provide general guidance for all the subordinate IC organizations. Now, to be sure, not all day-to-day intelligence operations will necessarily align with these general directives. Still, you can bet the bean-counters handing out annual budget allocations have some way to measure how well the IC organizations, in general, align their efforts against those directives. For those private-sector CTI teams wishing they had something similar to utilize, they are in luck!
Our consulting clients are usually intel teams trying to “take the next step” in becoming more strategic and better supporting their CISO, and they often struggle to understand what their organization’s higher-level “intelligence directives” are. However, there is an excellent document readily available to help them (at least for those companies that file with the SEC every year) — their organization’s 10-K. Following the forward-looking statements, the organization highlights to the SEC and the world that there are specific “Risk Factors” that may impact its ability to conduct business and, more importantly, to be profitable. If there ever was a ready-made list of “stuff our organization cares about,” this is it.
(Note: This is not just for intelligence teams. For any information security organization looking to develop metrics, being able to show effort and progress in ensuring none of the risks identified in the 10-K come to pass is a great place to start! And I would say that for any employee who wants to see the “big picture,” this document is also a great place to start.)
Here’s an example of one of the Risk Factors in a company’s 10-K filing:
“The continuous operation of our information systems is critical to our success, and a significant disruption could have a material adverse effect on our business.”
So, information systems going down would be very bad, cost lots of money, and, depending on the type of interruption, could be catastrophic to the business. You better believe the risk management team has a solid idea of what that actual cost would be! So my question is, does the information security organization, specifically the intelligence team, also know this cost?
When we work with an intelligence team on developing their strategic intelligence requirements, we will often ask them how the questions they are asking, if answered, would align with their company’s identified risk factors. For example, an intelligence requirement we commonly see is this: “Identify any threat actors who are targeting Company X.” Does writing a report that answers that requirement positively impact the company’s risk mitigation effort? How so?
Now, take that requirement and align it against the Risk Factor (or Intelligence Directive, if you will) that we have on hand — “Continuous operation of our IS is critical to our success.” What do you think? It’s almost as if our general requirement about threat actors would leave you asking even more questions just to know where to get started.
Where to get started
So, now, if you are the intelligence team looking to help your CISO answer more strategic questions, you might start by speaking to what the organization reports as its most critical risks. If your company files with the SEC, then the 10-K is an excellent place to begin. If your organization is privately held, I am confident there is still a list of higher-level risks the leadership has identified as critical to the success of the business — begin your journey of developing strategic requirements there. Remember, to demonstrate value, the questions you answer and the products you produce should all somehow tie back to that list of critical risk factors.
Want to know more? firstname.lastname@example.org
Originally published on Medium.com https://medium.com/@brian_73610/a-word-on-strategic-intelligence-requirements-8b69d5cafde5