BLUF – Private-sector organisations have different response options available for utilising CTI than governments or militaries. Learning what is important to the organisation affects what to look for when distilling and analysing intelligence. This post will help you understand how to create CTI relevance for business.
Having transitioned from public to private sector, I found that several aspects of the corporate intelligence world needed interpretation.
Programmes in private-sector cyber threat intelligence (CTI) spaces are often built by former public-sector intelligence professionals or their trainees. Public-sector intelligence has trouble crossing the chasm to the private sector because businesses have very different response options available to them. Military intelligence was given to commanders who could (in theory) cause a great deal of harm to adversaries. Businesses have limitations imposed on causing harm to others (comments withheld), but more importantly have to account for the return on investment of their actions. This gives businesses different priorities and different response options, and requires a shift in focus for CTI to remain effective.
In looking at the organisation and determining effective focal areas, I’ve found CTI teams in discussion with business audiences should examine the following areas:
- Resources: Businesses often work with limited resources that are dynamically allocated to various strategic and tactical programmes. This means the response options to act on CTI are limited by what you have to work with or can acquire. Understanding the resources a business has at its disposal makes a difference in what intel will be most relevant for it. Telling a business user details about a threat actor group may spark interest, but without response options it is likely that most in the business will relegate the report – and future offerings – to a dreaded Outlook inbox folder.
- Direct intended impact (Dii): Examining what the organisation has direct control over – understanding risk/controls or incident response processes, for example – can help shape a minimal CTI framework addressing what the business users need to know. Whilst it may not be an exclusive intelligence focus, it should provide a better understanding of what data to look for, leading to actionable intelligence. Consideration of Dii helps CTI highlight relevant intel found in larger context data. That relevant intel then informs relevant actions to be taken by the business user. Understanding and delivering intel that supports Diis will help CTI build relevance and relationships with the business users, meaning they are more likely to listen when CTI has something for them at a later time.
- Indirect intended impact: There may be other business-related effects potentially useful to report on, although often the business cannot or will not take action on related intelligence. This information needs to be delivered in addition to Diis, not in place of them. The business users may be interested in passing, but otherwise it doesn’t relate to their work.
- Acceptable casualties: These are losses potentially incurred during the efforts. Knowing what the business finds acceptable to lose helps reduce CTI teams’ focus on what will be deemed irrelevant intel. In practice this means you don’t waste time on things business users don’t really care about.
There are many other aspects to uncover in building meaningful CTI or cyber/info security for private-sector organisations; this is only a start. Understanding the audience helps CTI stay relevant in organisations that are still learning CTI’s value.