With the evolution of technology in recent years, cyber threat intelligence (CTI) has become the fastest-growing element in cybersecurity, and spending on it is expected to keep rising rapidly in the years to come.
Industries across the globe have moved from having little or no understanding of the difference between data, information, and intelligence to recognizing the benefits of becoming proactive through intelligence-driven cybersecurity. The trend towards greater understanding and maturity in cyber threat intelligence is undeniable, even though some industries are outpacing others. There is, however, still a lot of progress to be made.
To give it a larger mandate and a better value proposition, industries should move from the concept of CTI to treating intelligence as a function in its own right. With this in mind, the next leap in this space is deciding where intelligence teams should be placed so that they can serve specific needs and purposes.
In most organizations the CTI team is housed in the Security Operations Center (SOC). Because it is driven primarily to support defensive cyber operations, CTI is usually buried beneath the defensive side of the security team. Even though the SOC may be the most logical place to put CTI, it is not where the intelligence team belongs.
CTI was seen as a means of becoming more proactive on the defensive side by understanding the threats outside the organization's environment through the application of intelligence practices and standards. That is where the challenge lies. Although CTI is considered a giant leap in cybersecurity, a CTI-based approach greatly underestimates the impact that intelligence teams can have on an enterprise. That impact can deliver greater value for the same budget while going well beyond defensive cyber operations.
When CTI is thought of as intelligence, a larger mandate can be envisioned, with a broader internal corporate customer base and the possibility of providing value externally to customers, partners, and industry counterparts. An intelligence team can serve enterprise-wide concerns, whereas a CTI team is limited to SOC operations. Those concerns could include physical security, insider threat, mergers and acquisitions, procurement, and corporate strategy, to name a few. Intelligence analysts and researchers should be employed and empowered with capable tools and external resources that enable them to succeed in that environment. The value of these investments should not be limited to serving the needs of the SOC alone.
So where should the new intelligence team be placed?
If the intelligence team is placed in the SOC because the SOC already has CTI, the team will focus primarily on SOC priorities. SOC personnel are judged on how well they put their assets to work against the SOC's own objectives, so the SOC will naturally want to focus everyone on its mission of defensive cyber operations. An intelligence team with a broader mandate to support needs beyond the SOC therefore does not belong in the SOC.
Enterprises are served best when the intelligence team reports directly to the CEO or a proxy in the C-suite. The benefits of moving the intelligence team to this higher level are:
- The intelligence team is shielded from political pressure that would unduly influence the prioritization of its reporting.
- Intelligence requirements can be gathered, validated, and codified in line with the needs of the corporation as a whole rather than in alliance with any individual business unit.
- The intelligence budget can be spread across all supported business units, even though it can amount to several million dollars a year to build and operate for a large enterprise.
- Just as companies do for physical security, intelligence can be delivered as a service with a charge-back model, or included as a line item in the corporation's annual overhead budget.
Organizations that move from the CTI team concept (where the corporation's only intelligence-like function is buried in a SOC and focused on tactical and operational needs) to the intelligence team concept (where intelligence draws on considerable talent and access to protect the larger enterprise and its customer base) will lead their industries, both philosophically and operationally, in proactive security.