Tactical feeds have dominated the threat intelligence narrative for many years, but there is an emerging understanding that there must be more to threat intelligence than just open source and commercial feeds. The desire to shift programs from a tactical to a strategic focus is there, but knowing the destination and knowing how to get there are vastly different.
As I have said many times over the years, your program should mirror the intelligence cycle and the planning and direction phase is paramount to your success. The questions you need to be asking to support operations and business decisions are referred to as intelligence requirements. Please notice that I didn’t use Priority Intelligence Requirements or Commander’s Critical Information Requirements. Your language should be tailored to your organization’s culture and understanding. Management teams from the intelligence community are rare; I recommend you avoid using confusing jargon.
Your management likely has no inkling of the types of questions they should be asking, so it is incumbent upon you to develop them on their behalf. By developing requirements tailored to your business, you can avoid operating in the tactical realm of indicators of exhaustion (IoEs) you will be able to tie intelligence back to business outcomes, which is what management cares about.
Establishing requirements is no small feat, which probably contributes to the fact that most organizations don’t actually have them. I want to suggest a strategy you can incorporate to develop intelligence requirements that have a business focus.
In Michael Porter’s book “Competitive Advantage,” Porter suggests analyzing specific business activities through which organizations can create value and competitive advantage. For our purposes, I’m suggesting that you analyze the primary and support activities of your organization to help define your intelligence requirements. Figure 1 shows the components of Porter’s Value Chain:
Primary activities: Inbound logistics, Operations, Outbound logistics, Marketing/Sales, and Service
Support activities: Firm infrastructure, Human Resource Management, Technology and Procurement
For each of these functional areas you should:
- Work with the enterprise risk and operations teams to identify key business processes
- Avoid boiling the ocean, focus on the key business processes and start small
- Identify the information technology assets that are a part of these key business processes
- Identify the primary personas that leverage these systems (e.g.: key staff members, administrators with elevated privileges)
- Gain an understanding of how adversaries will target these processes, assets, and staff
- Identify any gaps in situational awareness that would limit visibility into adversary activities both internally and beyond your perimeter
I also suggest that you complement your value chain analysis with Form 10-K review. A 10-K provides a comprehensive overview of a public company’s business and financial condition and includes audited financial statements. Each 10-K has a “Risks” section that can be used to add context to your company’s value chain. I included an example from World Wrestling Entertainment, Inc.’s 2015 Annual Report. You can see several instances of business risk that falls into the cyber security domain.
The 10-K is a great way to get high-level perspective on how your business operates. It can be used to inform your conversations with lines of business as well as risk management and operations. If you are a private or non U.S. company, check with your risk management team, it is likely that they have an internal facing risk management document you can review.
Creating intelligence requirements that are business focused ensures that you are answering questions that are relevant and mean something to non-information security stakeholders. In a future blog posting, I will dig deeper into the creation of specific requirements.