There has been a lot of talk lately about putting intelligence into your security program. You hear different terms: Security Intelligence, Cyber Intelligence, Threat Intelligence, etc. Most (not all) of the products and services I see revolve around either a SIEM or some sort of blacklist. These all really do one thing: give you more information. It is up to you to interpret that information and use it to help your company make better decisions.
The goal of any intelligence program should be to inform the organization's decision makers so that they make better decisions. Rarely can your CIO or CISO look at raw information and glean enough to make much difference in the way they think. This is why your intelligence program needs to provide more than just information.
Objectives of an effective intelligence program:
- Information - Provide useful information to people who need it
- Insight - What does the information mean?
- Warning - What is going to bite you?
This Information, Insight, and Warning must be tailored, timely, targeted, and relevant, or it does not matter. People will make the decisions they have to make with or without your judgements.
When you do your analytical job well, you're at the nexus of "The World as it is" (fact-based view) and "The World as we would like it to be" (vision-based view). This is where policy is created. That creates tension, but you have to put yourself in that place.
If you are not in that place, you are less relevant or valuable to decision makers. When you are in that place you're under some pressure. You want to make sure you are objective, but you can't be so pure in your abstract reasoning that your analysis is not useful. They may understand the beauty of your argument, but they ultimately still have a business to run and decisions to make.
Most decision makers got to their position because they understand their portfolio and are also pretty good analysts. So, for them to listen, you have to add some value. The value could be confirming what they already know or challenging a view they got from somewhere else.
When your program is at its best, you get no credit. The desired end-state is educating decision makers to the point that they have internalized what you gave them and have better judgement because of it.
Intelligence Analysis and Dissemination by Dr Thomas Fingar
Q&A with Michael Hayden on CSPAN