Estimated Reading Time: 2 min
For new readers, welcome, and please take a moment to read a brief message From the Author.
1. Threat intelligence is something you should provide your customers
If threat intelligence products are not your flagship product or primary business function, then threat intelligence is not something you should provide as a product or service directly to your customers. Threat intelligence is more than just blogs about the latest malware; it is a full scope business function that serves the organization strategically, operationally, and tactically. While threat intelligence may direct/influence the actions taken at the tactical level (i.e. to protect internal assets such as networks, intellectual property, and (customer) data), the intelligence itself and methods by which it is developed should not be released to your customer base as a product. In some rare instances, corporations have full teams dedicated to developing threat intelligence, which in turn is disseminated internally; these are usually organizations with very mature security practices and processes. While they may eventually publish what they learn via a corporate blog, the team’s function is to serve the organization, not provide a product to the customer.
NOTE: This should not be interpreted to mean that intelligence should never be shared or disseminated to customers. That is a discussion that goes beyond this article’s scope.
NOTE: In short, if you have not mastered the art of developing threat intelligence in-house, you should not be offering it as a service or product.
2. Threat intelligence is nothing more than advanced information security or “googling”
Threat intelligence itself is a proactive approach to security, while an information security practice (or department) is a consumer of the details generated from threat intelligence. A true threat intelligence program consists of governance and compliance, data/intelligence collection, processing, analysis, reporting and dissemination. A Threat Intelligence team combines data from the information “cyber” security domain with data from multiple domains and disciplines such as history, economics, political science, education, religion, industry/market-specific trends, and cultural studies to define the threat. An information security department often generates data (i.e. incident post-mortem) that may be synthesized with various other sources in order to generate a holistic threat picture, because they themselves are a target. While the Information Security team may generate threat data points at a tactical/operational level, such as details about the latest denial of service attack or phishing campaign, they are not generating actual intelligence, or in other words, they are not defining the threat.
3. Threat Intelligence is a “cyber” thing
While threat intelligence has many faces and a fully-fledged Threat Intelligence Program serves multiple departments, its primary mission is to support C-suite decision making by educating decision makers so they can make well-informed decisions with as much available information as possible. Supporting other departments is a secondary role, albeit still important. The Marketing department benefits from information about threats to the corporate brand and works with the Legal department to thwart it. The Legal department benefits from information about threats posed to copyrights or trademarks, by specific individuals or business partners, and anything exposing the company to potential litigation. The Human Resources department benefits from information about threats posed by personnel, especially for mission-essential roles. Pretty much any department that works with sensitive strategic information, plans, projections, forecasts, or highly sensitive data such as intellectual property, customer data, or security-related information can benefit from threat intelligence.