According to Joshua Ray, managing director, Global Cyber Defense Lead, Accenture, “Every business is digital now and must adopt a resilient cybersecurity posture to protect their value. Cyber resiliency cannot be achieved without completely understanding the threats an organization can and will face, this requires a well-developed CTI program.” However, establishing a Cyber Threat Intelligence (CTI) practice can be daunting, particularly when it comes to identifying and organizing threat information relevant to your organization from the massive amounts of data, plentiful cybersecurity news and vendors, and multiple security platforms available. 

To help make sense of the cyber threat intelligence landscape, experts from Accenture and ThreatQuotient partnered to provide advice on aligning cyber resilience goals with your business strategy to achieve better business outcomes. 

Following are some important takeaways from the webinar, “Key Considerations to Build Your Own CTI Practice.” To hear the full discussion and get more detailed advice from our experts, watch the webinar on demand.

Guidance for structuring your CTI practice
There are a variety of ways organizations can go about creating a CTI program and it all depends on where you are in your level of maturity, so start with a maturity assessment. Vendors can help with that using various models. To simplify the discussion, our experts focused on three different levels: basic, established and optimized. At each level they offered guidance on staffing, selecting threat intelligence feeds and tools, making threat intelligence actionable, collaboration and communication processes, as well as reporting and metrics. 

They also highlighted common pitfalls to watch for as you mature your CTI practice. At the basic level this includes a lack of correlation of indicators against internal events to determine relevance and prioritization for action. While at more advanced levels they cautioned against using technical jargon and delivering information in formats that are not useable or easily understood by key business stakeholders. As the CTI practice evolves to focusing on overall threats to the business and holistic risk mitigation, it’s important to describe the value the CTI practice delivers in ways that resonate with different audiences.

Essential capabilities you need in your CTI practice
Our experts framed this part of the discussion by advising that before you even start to identify the staff, tools and data required for your CTI practice, step back and identify your organization’s threat intelligence requirements. Your organization’s maturity level, as identified in the maturity assessment, will drive your requirements. Other recommendations include:

• Understand not just technical requirements, but also business stakeholder requirements so you can define what information is critical for the business and establish repeatable reporting processes that work for your organization.
• Look at the criticality of assets for asset management and fuse that information together with information about your attack surface. This helps you understand the coverage you have and the data and sources you need to fill the gaps. 
• Research threat intelligence sources and feeds extensively and give them a run for their money to see how effectively you can operationalize the intelligence and how relevant the data is to your environment. 
• Be sure to include free/open-source intelligence feeds in your research and testing.
• Ingesting intelligence is an active exercise that requires tuning for your organization’s needs.  A lot of vendors will help with this, but make sure to assign internal management resources to work with any vendor you select.
• Measure how effective and relevant your feeds, sources and vendors are in order to defend their value during your budgeting process and to refine them over time. 

Insights into finding the right balance between business strategy and cybersecurity
In the final segment of the webinar, our experts pointed out that finding the right balance between business strategy and cybersecurity starts with empowering your CISO by giving them a seat at the table to provide valuable perspective and metrics C-suite executives and board members need. This also helps enable the CISO to be interwoven in the business and ensure business initiatives like digital transformation and merger and acquisition (M&A) activity are executed securely. 

The CISO’s team must also participate in ensuring a balance between business strategy and cybersecurity. First, they can pair threat intelligence with data science and analytics to provide the CISO a specific risk profile and key metrics so that the CISO can discuss the threat landscape at a more strategic level. Additionally, by getting ahead of the latest threats, they can keep the CISO apprised of the steps the team is taking to protect the organization, or why the organization doesn’t need to be concerned about the latest threat, so that the CISO can share this with the board. Activities like these help position the CTI practice as a trusted and consistent knowledge base and enables the CISO to build strong relationships. Finally, working together, the CISO and the team should focus on defining the ROI of what the CTI practice delivers within the context of the business, for instance mean time to detection, response time, loss prevention, and breach or operational downtime avoidance.

Is your CTI program aligned to help move your business forward securely? For additional advice from our experts on how to advance your CTI program, watch the webinar on demand.