The First Two Steps – Operationalizing Enterprise Threat Intelligence, Really

Threat intelligence, about three years after it became the talk of RSA Conference, is still a hot topic for the enterprise. Rightfully so, as it’s a powerful tool when deployed with purpose and goals in mind. The trouble is that’s not typically the case. I’m not suggesting the old “no one is doing it right” – far from me to make that claim. What I’m claiming is that the experience of a significant number of my clients starts with looking at threat intelligence products. But that isn’t the right place to start; there is front-end work that needs to be done to get the most out of your investment.  Let me explain.

The analogy that feels right here is rust proofing on a new car. Every dealer used to sell it – but why? If you’re on the brink of making a significant investment in a threat intelligence “thing,” I want you to do two things first. It’s simple, and while it doesn’t seem like it’s particularly cool, it’s the two most important things you can do.

First, go find your stakeholders. Who is going to care about your threat intelligence product? Who will consume the intelligence you will produce, and what will they do with it? Someone needs to be your champion, and find value in what you’re about to spend money on. It’s preferable that the someone is a business leader rather than an IT employee, but sometimes beggars can’t be choosers. Go identify those stakeholders. Go have an in-person conversation about what the whole threat intelligence thing is all about, and what value you see for them. You’ll find lots of me-too supporters, but as you dig in and start asking for money commitments, many of those will fall away. Find your core group of stakeholders, your champions. They’re the base you’ll build this thing on.

Next, get your stakeholders’ requirements. Requirements drive collection plans, analysis and distribution models, execution strategies and so much more. Keep in mind what your stakeholders want and what you’re able to deliver can often be miles apart. So, make sure you do careful analysis of requirements and set expectations grounded in reality, not hype. 

Seems easy, right? It’s not. I promise you this is not a trivial exercise. I do these in workshops fairly regularly, and what should be an hour or two exercise can easily take up half a day. That’s quite alright though these two things are the core and foundation on which you’re going to build an enterprise threat intelligence program. Business-aligned requirements that are realistic and pulled from the right stakeholders will make or break your threat intelligence program.

On that note, I thought I’d invite you all (if you happen to live in the Los Angeles area) to come out to a workshop I’m giving on the topic at The Eighth Annual Information Security Summit. I’m essentially cramming four days of hard-core program building into a half-day session that will give you the fundamental skills to start off right. Think of it as a self-help course in how to make yourself a healthy breakfast so you can have a great rest of your day. Except that we’re talking about potentially hundreds of thousands of dollars in budgetary spend, headcount and products and services spun up over the course of months and years. An effort for sure…and you’re going to want to set that effort off on the best possible footing.

Check out the threat intelligence workshop I’m leading and the talk I’m delivering and absolutely stop by and say hello. I’ve enjoyed being the guest of the Los Angeles ISSA chapter the last few years and always enjoy the warm reception, so this year I’m giving back to you members. If threat intelligence is on your enterprise security roadmap, or if you’re curious whether this is something you should even be thinking about, come out, register and let’s spend a few hours together. We’ll talk honestly, from a perspective that is backed by more than 800 hours and dozens of peer contributors across a wide array of market verticals, company sizes and maturities.

See you in the City of Angels in a few weeks!