What is the gold standard for an intelligence program? As someone who has spent several years helping companies integrate intelligence into their business strategies, I get asked this question fairly often. While no two intelligence programs are exactly alike, the most effective ones do share certain foundational components and team member skill sets. The following blueprint is designed to help guide businesses seeking to attain a gold-standard intelligence program:
The right objectives
Gold-standard intelligence programs have clearly defined objectives that map to key areas of risk throughout the entire business. These objectives are essential because they set the framework for, and direction of, the program. This may seem obvious, but I’ve seen far too many companies either fail to choose objectives altogether or choose ones that are too narrow, too broad, or poorly aligned with business needs. The right objectives, meanwhile, usually:
Prioritize immediate risks to the business. Are any areas of the business experiencing material losses and/or disrupted operations? If so, start there when choosing objectives.
Focus on how individual threats impact enterprise-wide risk. For example, let’s say a business is worried about a potential physical security threat to its CEO during an upcoming business trip. Rather than concentrating solely on the specific threat to the CEO during the specific trip, the intelligence program could address enterprise-wide risk with an objective such as “strengthen executive protection capabilities and reduce physical security risks to executives during business travel.”
Are continually measured and adjusted based on key performance indicators (KPIs).
The right KPIs
Once an intelligence program establishes its objectives, it needs KPIs to track growth, uncover blind spots, and identify areas for improvement as it works toward these objectives. In addition to measuring and reporting KPIs on a weekly basis, gold-standard intelligence programs typically have KPIs that:
Map to the primary facets of each objective. For example, if the objective is to strengthen a business’s anti-fraud capabilities, KPIs for this objective could be the dollar value of fraud losses, the number of successful fraud attempts, and the number of fraud attempts that the business’s anti-fraud efforts prevented during a specified period.
Are clearly defined and measurable. Before finalizing a KPI, the intelligence program needs to ensure it has access to the proper tools and capabilities to adequately measure it on a regular basis. If a business doesn’t track the number of thwarted fraud attempts, for example, the intelligence program should either 1) work with the anti-fraud team to implement methods for obtaining this measurement, or 2) adjust the KPI accordingly.
Measure the efficacy of intelligence-led initiatives. KPIs designed to evaluate the impact of an intelligence program should focus on quality rather than quantity. If a business’s objective is to bolster network security, for example, it might be tempted to choose KPIs such as the number of indicators of compromise (IoCs) processed or the number of intelligence reports written. KPIs like these, however, don’t reveal how useful or relevant that volume of IoCs or reports is to the business: a feed of a million indicators that never match anything in the environment contributes nothing. More effective KPIs would include the number of reports that revealed previously unknown yet actionable information, the proportion of ingested indicators that actually produced a detection, and the number of thwarted network penetration attempts.
Both KPIs and objectives should always be seen as an iterative process; as a business’s risks evolve, so should its strategy for addressing and measuring these risks.
The right talent
The talent comprising an intelligence team needs to 1) align with the program’s objectives and 2) truly know the business. Having a deep understanding of the organizational structure, key assets, infrastructure, market share, competition, stakeholders, and ultimately, how these factors contribute to the business’s overall risk is crucial. The most effective intelligence teams also comprise the following:
1. Tactical experts
By focusing on tactical threat research (TTR), tactical experts strive to identify relevant and immediate threats to the organization. Fraud, insider threat, external cyber threats, and even physical security threats are just a few examples. In addition to possessing the subject matter expertise suitable for the business’s intelligence objectives, tactical experts need to be capable of reporting their findings, collaborating with stakeholders, and, when necessary, deploying countermeasures as efficiently as possible.
2. Strategic experts
These individuals focus on the big-picture threat landscape and how trending topics, research, and business decisions influence the company’s overall risk. While a tactical expert might identify and combat an incoming spear-phishing attack, for example, a strategic expert would bolster enterprise-wide awareness of, and education about, phishing to strengthen the organization’s risk posture and make it less susceptible to phishing attacks in the long term. Strategic experts should also be prepared to interface with the appropriate decision-makers throughout the organization to help shape enterprise-wide risk management and risk reduction efforts.
3. Intelligence production manager
The role of the intelligence production manager is to synthesize and distill the research findings of the other members of the intelligence team and compile them into finished intelligence reports. It is imperative that this individual write clearly, succinctly, and in a manner that resonates with the intended audiences. They should feel comfortable cutting any jargon and non-essential information so that the report delivers only what gives the reader an accurate decision advantage.
4. Vendor manager
Most intelligence programs rely on third-party offerings ranging from data and intelligence providers and technical integrations to keyword alerting and orchestration tools. It’s the vendor manager’s responsibility to liaise with vendors to ensure these offerings function optimally and meet the intelligence program’s needs. As the program and/or organization grows, the vendor manager must continually reassess whether existing and prospective offerings still suit the program’s evolving needs.
5. Security awareness manager
The security awareness manager (SAM) is responsible for educating all employees across the company on relevant security issues and best practices. By communicating new trends and research findings, conducting regular workshops, and shaping and implementing enterprise-wide policies, the SAM also serves as a liaison between the intelligence program and the rest of the organization.
6. Government affairs expert
Intelligence, by nature, often reveals the existence and/or details of criminal activity. The role of the government affairs expert is to collaborate and share intelligence with law enforcement to support criminal investigations and shape countermeasures. In addition to having ample experience working with law enforcement and intelligence agencies, this individual should hold a security clearance and relevant certifications.
The right tools
Producing and consuming intelligence requires substantial time and effort on the part of humans, which is why the most successful intelligence programs allocate human capital efficiently. By automating mundane tasks like data collection or IoC processing, these teams free up their analysts to concentrate on what matters most: conducting thorough research, solving complex problems, and producing finished intelligence.
There are countless tools available to help intelligence programs capitalize on the expertise of their analysts. Orchestration offerings, for example, can save teams time and money by managing and automating workflows; common uses include IoC processing (normalizing, validating and deduplicating indicators before they are pushed to detection systems) and keyword alerting, among others. APIs and technical integrations, meanwhile, help teams connect, integrate, and otherwise tailor applications to specific needs. These types of tools might enable, for example, an insider threat team’s user behavior analytics platform to feed an incident response team’s security information and event management (SIEM) system, giving both teams greater visibility into, and better detection of, malicious activity.
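The following is an added example, not code from the original article or from any vendor it describes, of the kind of mundane IoC processing the previous paragraph says a program should automate, and of the quality-style KPI the KPI section argues for (indicators that actually produced a detection, rather than indicators ingested). The feed entries, log lines and log format are constructed for illustration; the sha256 value is a made-up string, not a real sample hash, and the function and constant names are this example’s own.

```python
"""Minimal IoC intake pipeline: refang, validate and dedupe a feed, then match the
surviving indicators against proxy logs and report which ones actually hit."""
import ipaddress
import re
from collections import Counter

# Constructed sample feed (not real indicators). It mixes defanged forms, case
# variants, stray whitespace, an invalid IP and exact duplicates, as real feeds do.
SAMPLE_FEED = [
    "hxxp://evil[.]example/login",
    "  EVIL[.]example ",
    "evil.example",
    "203[.]0[.]113[.]7",
    "203.0.113.7",
    "999.1.1.1",                       # not a valid IPv4 address
    "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",  # made-up hash
    "not an indicator",
]

# Constructed proxy log lines in a hypothetical key=value format (not real traffic).
SAMPLE_LOGS = [
    '2024-05-01T10:00:01Z src=10.0.0.5 dst=evil.example url="http://evil.example/login" action=block',
    '2024-05-01T10:00:09Z src=10.0.0.8 dst=203.0.113.7 url="http://203.0.113.7/" action=allow',
    '2024-05-01T10:01:12Z src=10.0.0.9 dst=intranet.corp url="http://intranet.corp/" action=allow',
]

_DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")]
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
_LOG_RE = re.compile(r'dst=(?P<dst>\S+) url="(?P<url>[^"]*)"')


def refang(raw: str) -> str:
    """Undo the common defanging conventions threat feeds use (hxxp, [.], (.) ...)."""
    s = raw.strip()
    for src, dst in _DEFANG:
        s = s.replace(src, dst)
    return s


def normalize_ioc(raw: str):
    """Return (type, canonical_value) or None when the string is not a usable indicator."""
    s = refang(raw)
    if s.lower().startswith(("http://", "https://")):
        return ("url", s)          # keep path case: URL paths may be case-sensitive
    lowered = s.lower()
    if _SHA256_RE.match(lowered):
        return ("sha256", lowered)
    try:
        ipaddress.IPv4Address(lowered)   # rejects 999.1.1.1 and non-numeric strings
        return ("ipv4", lowered)
    except ValueError:
        pass
    if _DOMAIN_RE.match(lowered):
        return ("domain", lowered)
    return None


def ingest(feed):
    """Normalize and dedupe a feed: returns ({(type, value): times_seen}, [rejected raw strings])."""
    seen, rejected = Counter(), []
    for raw in feed:
        ioc = normalize_ioc(raw)
        if ioc is None:
            rejected.append(raw)
        else:
            seen[ioc] += 1
    return seen, rejected


def match_logs(indicators, log_lines):
    """Return {indicator: [1-based line numbers]} for every indicator that matched a log line."""
    hits = {}
    for lineno, line in enumerate(log_lines, 1):
        m = _LOG_RE.search(line)
        if not m:
            continue
        dst, url = m.group("dst").lower(), m.group("url")
        for kind, value in indicators:
            if (kind in ("domain", "ipv4") and value == dst) or (kind == "url" and value == url):
                hits.setdefault((kind, value), []).append(lineno)
    return hits


def coverage_kpi(feed, log_lines):
    """Quality-style KPI: indicators that produced a detection versus indicators ingested."""
    indicators, rejected = ingest(feed)
    hits = match_logs(indicators, log_lines)
    return {
        "raw_entries": len(feed),
        "rejected": len(rejected),
        "unique_indicators": len(indicators),
        "indicators_with_hits": len(hits),
        "hit_lines": sorted({n for lines in hits.values() for n in lines}),
    }


if __name__ == "__main__":
    print(coverage_kpi(SAMPLE_FEED, SAMPLE_LOGS))
```

On the constructed data, eight raw entries collapse to four unique indicators (two are rejected outright), and three of the four match a log line; the hash can never match a proxy log and is a candidate for routing to an endpoint tool instead. The ratio of indicators with hits to indicators ingested is the kind of KPI the earlier section recommends: it says whether a feed is relevant to the environment, whereas a raw count of processed IoCs does not.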
When initiating and developing an intelligence program, it’s important to remember that not all businesses have the resources and capabilities outlined in this blueprint – and that’s okay. A range of reputable third-party vendors offer suitable replacements or supplements when a business’s own intelligence, talent, and/or tools aren’t sufficient.
As I wrote previously in “How do we measure the value of intelligence?,” when evaluating prospective vendors, businesses should cautiously and thoroughly ensure that offerings truly align with their needs and objectives. Regardless of the extent to which a business relies on third-party offerings, attaining a gold-standard intelligence program means leveraging intelligence in a manner that addresses enterprise-wide risk and provides a decision advantage over the broad spectrum of threats and adversaries.