How to Define and Build an Effective Cyber Threat Intelligence Capability (2015)
Chapter 8. Conclusion and Recap
We review the need to start with “Why,” derive “What” you need, and on the basis of that, establish “How” you will operate and then decide “Who” to engage. Although these steps are not a guarantee of success, skipping them is almost assuredly a recipe for failure.
Throughout this book, we have covered a lot of ground, so a recap is always a good way to ensure that no idea has been left unexplored. When defining and building a cyber threat intelligence capability, it is always necessary that you ask these important questions:
• Why are you doing it? (Business objective)
• What do you need to do? (Activities in support of the business objective)
• How are you going to implement it? (Architecture, operational model, etc.)
• Who will build it? Who will operate it? (Skills and sourcing options)
To end where we began, you must start with a clear business objective as it is the foundation stone of the whole project. It is what will bind and scope your “what” or your mission activities and the data or intelligence you need to support those activities.
In addition, you should avoid the predictable and well-known land mines where possible. However, always keep in mind that any implementation may require trade-offs in speed, fit, cost, and ease. Use a matrix or other structured model to weigh these trade-offs, and be rigorous when making your choices; they can have profound cost implications if you do not keep this in mind.
You must be able to turn those activities into metrics and reports that will matter to business management. If you cannot turn the data and mission activities back into operationally useful business outcomes and communicate them, you cannot succeed from a management standpoint even if you succeed from a security standpoint. Once you know what you are doing, how you are going to do it, and why you are doing it, only then should you worry about whom to buy from. Before and during operations, continue to define and refine how you will measure success and how you will communicate performance and activity, and prepare ahead of time for what to do when things go wrong.
If you start with “why,” derive “what” you need, establish on that basis “how” you will operate, and only then decide “who” to engage, you are well positioned to create and successfully operate an effective threat-intelligence capability. Although these steps are not a guarantee of success, skipping them is almost assuredly a recipe for failure.