“How to Define and Build an Effective Cyber Threat Intelligence Capability” Notes
How to Define and Build an Effective Cyber Threat Intelligence Capability by Henry Dalziel is a very brief high-level guide to setting up a cyber threat intelligence (CTI) program.
Notes
Much of what’s called “cyber threat intelligence” is actually data; intelligence is data that has been put through a process that evaluates it in context and produces a usable output.
Intelligence must be relevant, actionable, and valuable (have business value).
Business objectives for CTI
- Grow revenue
- Lower expenses
- Reduce risk
- Increase customer satisfaction and retention
- Increase employee retention and satisfaction
- Comply with regulations
Questions to ask before investing in CTI
- What is the driver to buy or build CTI capabilities? Compliance, risk reduction, etc.?
- Can you define a clear, bounded mission or set of responsibilities?
- Can you quantify the problem, risk, or value of the solution?
- How will you operationalize the information to support the objective?
- How will you report and measure performance to justify expenditures?
Evaluate vendors of intelligence/data on quality, quantity, uniqueness, value, ease, and the vendor’s reputation and longevity.
Questions to ask when defining and building a CTI capability
- Why are you doing it? (business objective)
- What do you need to do? (activities that support business objective)
- How are you going to implement it? (architecture, operational model, etc.)
- Who will build it? Who will operate it? (skills and sourcing options)
“If you start with ‘why,’ derive ‘what’ you need. On the basis of that, establish ‘how’ you will operate and then decide ‘who’ to engage, you are well positioned to create, and successfully operate an effective threat-intelligence capability.”