Minimize your digital risk by detecting data loss, securing your online brand, and reducing your attack surface.
A powerful, easy-to-use search engine that combines structured technical data with content from the open, deep, and dark web.
Digital Risk Protection
Read our new practical guide to reducing digital risk.
New report recognizes Digital Shadows for strongest current offering, strategy, and market presence of 14 vendors profiled
Read Full Report
Tactical feeds have dominated the threat intelligence narrative for many years, but there is an emerging understanding that there must be more to threat intelligence than just open source and commercial feeds. The desire to shift programs from a tactical to a strategic focus is there, but knowing the destination and knowing how to get there are vastly different.
As I have said many times over the years, your program should mirror the intelligence cycle and the planning and direction phase is paramount to your success. The questions you need to be asking to support operations and business decisions are referred to as intelligence requirements. Please notice that I didn’t use Priority Intelligence Requirements or Commander’s Critical Information Requirements. Your language should be tailored to your organization’s culture and understanding. Management teams from the intelligence community are rare; I recommend you avoid using confusing jargon.
Your management likely has no inkling of the types of questions they should be asking, so it is incumbent upon you to develop them on their behalf. By developing requirements tailored to your business, you can avoid operating in the tactical realm of indicators of exhaustion (IoEs) you will be able to tie intelligence back to business outcomes, which is what management cares about.
Establishing requirements is no small feat, which probably contributes to the fact that most organizations don’t actually have them. I want to suggest a strategy you can incorporate to develop intelligence requirements that have a business focus.
In Michael Porter’s book “Competitive Advantage,” Porter suggests analyzing specific business activities through which organizations can create value and competitive advantage. For our purposes, I’m suggesting that you analyze the primary and support activities of your organization to help define your intelligence requirements. Figure 1 shows the components of Porter’s Value Chain:
Primary activities: Inbound logistics, Operations, Outbound logistics, Marketing/Sales, and Service
Support activities: Firm infrastructure, Human Resource Management, Technology and Procurement
For each of these functional areas you should:
I also suggest that you complement your value chain analysis with Form 10-K review. A 10-K provides a comprehensive overview of a public company’s business and financial condition and includes audited financial statements. Each 10-K has a “Risks” section that can be used to add context to your company’s value chain. I included an example from World Wrestling Entertainment, Inc.’s 2015 Annual Report. You can see several instances of business risk that falls into the cyber security domain.
The 10-K is a great way to get high-level perspective on how your business operates. It can be used to inform your conversations with lines of business as well as risk management and operations. If you are a private or non U.S. company, check with your risk management team, it is likely that they have an internal facing risk management document you can review.
Creating intelligence requirements that are business focused ensures that you are answering questions that are relevant and mean something to non-information security stakeholders. In a future blog posting, I will dig deeper into the creation of specific requirements.