By Michael DeBolt, VP of Intelligence of Intel 471.
Our industry talks a lot about intelligence requirements. Yet I’ve noticed over the years a lack of practical advice being shared about how to actually work with or implement intelligence requirements as a fundamental component of a cyber threat intelligence (CTI) program. In a future blog, I’ll share how we do things at Intel 471, hopefully to help address this gap.
But for now, let’s tackle the disconnect between the concept and practice of intelligence requirements by looking at a few key benefits and challenges.
I’ll go on a limb and predict that most of the CTI industry is totally on board with the concept of intelligence requirements. There is a ton of really great material out there that covers it extremely well (such as this, this, and, of course, that). Thanks to these resources and others, in the last five years our CTI industry has evolved to appreciate the need for intelligence requirements as fundamental to what we do. This is an exciting and positive step that should be celebrated. Now more than ever before, we understand our overall success as intelligence professionals is measured on our ability to satisfy the requirements of our stakeholders consistently and ultimately to inform their decisions and actions that protect our organization.
We know intelligence requirements are important. Here are three key reasons why:
Benefit 1: Maximized resources
Most of us operate in an environment where resources and funding are scarce. A requirements-driven program maximizes our limited time, money and effort by trimming the fat. When done correctly, our human capital and data sources are synchronized, focused and aligned to meet the requirements of our stakeholders. We know exactly what we need to collect, produce, and deliver, and who needs it.
A simplified collection plan showing synchronization between deliverables, sources, stakeholders and intelligence requirements.
Benefit 2: Measured success criteria
There is no ambiguity in what we collect or produce. Each data source, report and deliverable is aimed at satisfying Priority Intelligence Requirements (PIRs) agreed upon by you and your stakeholders. Requirements are frequently revisited with stakeholders to ensure alignment, and any deliverable that regularly falls outside the scope of those requirements requires heavy scrutiny, gap analysis, and justification.
Benefit 3: Demonstrated CTI return on investment
An intelligence program grounded in stakeholder requirements enables objective measurement of intelligence production and impact over time. This helps confidently answer the inevitable question from senior management, “how does our CTI capability provide value to the organization?”
So the concept and justification for requirements is crystal clear and firm — intelligence requirements are the lifeblood of any CTI program.
Which brings us to the question at hand: “How to build a requirements-driven intelligence program?” We appreciate intelligence requirements, but historically, migrating from concept to practice has been challenging due to a number of reasons, namely:
Challenge 1: Prioritization nightmare
Requirements and expectations differ greatly across the various stakeholders supported by our intelligence teams. Many have vastly different and sometimes overlapping requirements and expectations. Others are opaque, confusing or too broad to align specific resources. These factors often create daunting scenarios for intelligence teams to prioritize effort aligned to stakeholder needs, resulting in confusion or a lack of focus with what an intelligence function ultimately collects and produces. A proper requirements-driven program aligns stakeholder priorities to intelligence production.
Challenge 2: “Whack-a-mole” game
Intelligence teams often are inundated with ad-hoc, “block and tackle” requests from stakeholders, leaving them out of position not only to respond and react in a timely and accurate manner to unfolding events, but also to paint situational awareness to key decision makers in advance of ever-evolving methods of those that seek to harm the organization. Without a requirements-driven program, intelligence teams are destined to be reactive and short sighted and continuously will struggle to provide intelligence that informs proactive decision-making, such as threat assessments across industry, supply chain and geographic areas of interest.
Challenge 3: Same goal, multiple languages
While the concept and benefits of a requirements-driven intelligence program are clear, putting it into practice can be very difficult. Fundamentally, achieving this is a team sport that requires synchronization across at least four components — the CTI team, executive leadership, stakeholders and vendors. Yet, each operates differently, speaks their own language and uses various definitions to achieve their end goals. To help bridge this gap, our CTI industry needs a commonly understood and accepted intelligence requirements framework for defining, managing, processing, tracking and producing intelligence aligned to our stakeholders’ needs.
In the next blog, I will detail our practical approach to meet these challenges using our “General Intelligence Requirements” (or “GIR”) framework.