Devising a Suitable End State of Your CTI Program

The shift to an intelligence-led security program can seem daunting. When implementing Cyber Threat Intelligence (CTI) capabilities, there may be a degree of uncertainty across the organization. We’ve seen this happen many times with client teams who initially were not cyber security savvy; however, after the adjustment period, when CTI is fully integrated into their technology and business processes, we continuously see that customers are satisfied with the results.

While managing this shift is challenging, it is not insurmountable. To be successful, it’s important to have a vision for the end state of your program. This vision will help to plot the planned shift, define its true value, and identify opportunities afforded by those who carry out implementation.

When defining a program’s vision, it is important to cover the following four high-level areas:

  • Mission & Strategy: Define a clear mission that enables communications and justifies go-forward action items. Ultimately, focusing on the enhanced ability to manage risk within the organization using a requirements-based intelligence approach is crucial. Establishing the expected resulting capabilities ensures the end-state business objectives, goals, and outcomes are clearly identified and agreed upon.  
  • Implementation Roadmap: Employ a clear game plan that addresses the changes in people, processes, and technologies. A smart roadmap provides guidance on the order of events and the scale of effort required to execute properly. This roadmap will also enable communication of budgetary requirements to senior leadership over the course of the program’s buildout.
  • Conceptual Organizational Design: Construct an end-state organizational design aligned with the mission, approved by executives, and agreed to by peers. This will ease the creation and integration of new teams and transition of any existing ones. While the actual end state may play out differently, the buy-in achieved at the onset of your program evolution will keep your major players moving in the right direction.
  • Metrics: Define a key set of metrics that will be used to evaluate the success of your program. This will be critical when determining whether or not the end state is a success, and will also enable you to easily identify wins as the program begins to take shape. Metrics should evaluate the individuals responsible for carrying out the mission, the intelligence sources, the technology supporting the program, and the program’s overall health. The true value of intelligence can be complex to assess; however, the proper level of granularity can help point out whether the value is being delivered, and where any breakdowns are occurring or may occur.

All said, the success of an operational transformation is truly grounded in the strategic legwork done before execution begins. Proper planning ensures that key stakeholders and senior leaders are in agreement with respect to the direction of the overall security operations, as well as the expected value provided. This in turn will motivate executives and other key stakeholders to help shepherd the program through its pending shifts, and into a position where everyone in the organization will see its true potential.

Visit our Cyber Threat Intelligence Services homepage for more information on how Mandiant can help your organization improve its threat intelligence capabilities.