Organizations are spending on threat intelligence, but ESG research reveals CTI may not be getting a good return on investment.

When I asked CISOs about their cyber threat intelligence (CTI) programs about five years ago, I got two distinct responses. Large, well-resourced enterprises were investing in their threat intelligence programs with the goal of better operationalizing them for tactical, operational, and strategic purposes. Smaller, resource-constrained and SMB organizations often recognized the value of threat intelligence, but didn't have the staff, skills, or budgets for investment. For these organizations, threat intelligence programs were nothing more than blocking indicators of compromise (IoCs) with firewalls, endpoint security software, email gateways, or web proxies.

Fast forward to 2023 and almost every organization I speak with is consuming threat intelligence feeds, implementing tools, and building a threat intelligence program. New ESG research indicates that 95% of enterprise organizations (those with more than 1,000 employees) have a threat intelligence budget, and 98% plan to increase spending on threat intelligence over the next 12 to 18 months.

Why CISOs struggle with cyber threat intelligence

Yup, CISOs are embracing CTI, learning what they can and trying to use CTI to improve security defenses. This seems like progress, but are these investments translating to CTI program improvement? Not really. Despite budget increases and a proactive strategy, many CTI programs continue to struggle. ESG research indicates that:

Eighty-five percent of security professionals believe their CTI program requires too many manual processes. This manual slog can include cutting and pasting threat indicators into tools, correlating threat intelligence from different sources, or creating threat intelligence reports.
As in any other area, manual processes don't scale, so they can't keep up with the pace of today's threat landscape.

Eighty-two percent of security professionals agree that CTI programs are often treated as academic exercises. When interviewing security pros as background for this research project, I found this to be a common issue. Threat intelligence analysts who don't receive proper direction or management oversight do what they want to do: threat intelligence research. This may lead to breakthrough insights about threat actors or the tactics, techniques, and procedures (TTPs) they use to conduct attacks, but still have nothing to do with the intelligence needs of their organizations. This mismatch is way more widespread than most people realize.

Seventy-two percent of security professionals believe that it is hard to sort through CTI noise to find what's relevant for their organizations. There's no shortage of CTI available: open source, industry information sharing and analysis centers (ISACs), commercial feeds, community groups, etc. Finding the needles in this haystack can be a bear. Some organizations simply don't know what to look for, while others suffer from a "more is better" CTI mindset and are buried by an overwhelming volume of information. Either way, they are wasting time on false positive and negative information.

Seventy-one percent of security professionals say it is difficult for their organizations to measure ROI on their CTI program. Given that many organizations don't know what to look for, are overwhelmed by CTI volume, or treat threat intelligence programs like graduate school, this one comes as no surprise. CISOs suffering from one or several of these problems will find it difficult to pinpoint measurable benefits from CTI dollars.

Sixty-three percent of security professionals say that their organization doesn't have the right staff or skills to manage an appropriate CTI program. There's that pesky global cybersecurity skill shortage again, but it goes beyond too many jobs and not enough people. Threat intelligence analysis requires training, experience, and personal attributes like problem solving and strong communications. The research revealed that even large and well-funded companies don't have the right skills or staff to keep up with intelligence needs.

How can CISOs overcome these issues?

I'll later write about what the research revealed about organizations with mature CTI programs: what they do, how they structure their programs, what they've learned over the years, etc. Before I get into the nitty-gritty details, here's a hint: it's not the CTI as much as it is the CTI program. To achieve success, a CTI program must begin with defined objectives (in this case, tactical, operational, and strategic objectives), strong management, achievable workloads, and a feedback loop for continuous improvement. Additionally, CISOs must be realistic about their capabilities. If it is realistically impossible to build a homegrown CTI program (for short- and long-term intelligence needs), CISOs must seek outside help from service providers, clearly define what they need, and then integrate service provider output into security, IT, and business processes.
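Two of the problems above, manual correlation of indicators from different sources and sorting relevant intelligence out of the noise, are exactly the steps that a small amount of automation can take off an analyst's plate. The following script is an added example written for this article and is not part of the ESG research or any vendor's tooling. It ingests two constructed feeds with different schemas (a CSV feed and a JSON-style feed), normalizes indicator types and values so the same indicator from two sources collapses into one record, and then scores each merged indicator against a constructed organization profile (sector, platforms in use, platforms not in use). The scoring weights, the profile, and the feed formats are all assumptions chosen to illustrate the approach; the indicator values are documentation-range addresses and a placeholder hash, not real IoCs.

```python
"""Correlate indicators across CTI feeds and rank them against an org profile.

Added example for illustration only. All feed data, the organization profile
and the scoring weights are constructed assumptions, not real intelligence.
"""
import csv
import io
from dataclasses import dataclass, field
from ipaddress import ip_address

# Map each feed's vocabulary for indicator types onto one internal vocabulary.
TYPE_ALIASES = {"ipv4": "ip", "ip": "ip", "domain": "domain", "fqdn": "domain", "sha256": "sha256"}

SAMPLE_HASH = "A" * 64  # constructed placeholder, not a real file hash

# Constructed feed A: CSV with percent confidence and semicolon-separated tags.
FEED_A_CSV = f"""type,value,tags,confidence
ipv4,203.0.113.10,phishing;finance,80
domain,Login-Example.TEST.,phishing;finance,70
sha256,{SAMPLE_HASH},ransomware;windows,90
"""

# Constructed feed B: records with a 0..1 score and a different field naming.
FEED_B = [
    {"indicator": "203.0.113.10", "kind": "ip", "labels": ["c2", "windows"], "score": 0.7},
    {"indicator": "login-example.test.", "kind": "fqdn", "labels": ["phishing", "finance"], "score": 0.5},
    {"indicator": "198.51.100.7", "kind": "ip", "labels": ["scanner", "linux"], "score": 0.3},
]

# Constructed organization profile: what the org is and what it actually runs.
ORG_PROFILE = {"sector": "finance", "platforms": {"windows", "m365"}, "not_used": {"linux"}}


@dataclass
class Merged:
    """One indicator as seen across all feeds."""
    ioc_type: str
    value: str
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    confidence: float = 0.0  # highest confidence any source assigned


def normalize(ioc_type, value):
    """Canonicalize type and value so equal indicators compare equal."""
    kind = TYPE_ALIASES[ioc_type.lower()]
    if kind == "ip":
        return kind, str(ip_address(value.strip()))   # rejects malformed addresses
    if kind == "domain":
        return kind, value.strip().lower().rstrip(".")  # case and trailing dot
    return kind, value.strip().lower()                 # hashes: case only


def parse_feed_a(text):
    for row in csv.DictReader(io.StringIO(text)):
        kind, value = normalize(row["type"], row["value"])
        yield kind, value, set(row["tags"].split(";")), int(row["confidence"]) / 100, "feed_a"


def parse_feed_b(records):
    for rec in records:
        kind, value = normalize(rec["kind"], rec["indicator"])
        yield kind, value, set(rec["labels"]), float(rec["score"]), "feed_b"


def correlate(*streams):
    """Merge indicator streams; the same (type, value) becomes one record."""
    merged = {}
    for stream in streams:
        for kind, value, tags, conf, source in stream:
            rec = merged.setdefault((kind, value), Merged(kind, value))
            rec.sources.add(source)
            rec.tags |= tags
            rec.confidence = max(rec.confidence, conf)
    return merged


def relevance(rec, profile):
    """Score an indicator for this organization (weights are assumptions)."""
    score = rec.confidence
    score += 0.2 * (len(rec.sources) - 1)        # corroboration across feeds
    if profile["sector"] in rec.tags:
        score += 0.3                             # targets our sector
    if rec.tags & profile["platforms"]:
        score += 0.2                             # affects technology we run
    if rec.tags & profile["not_used"]:
        score -= 0.5                             # noise for us: platform not in use
    return round(score, 2)


def triage(merged, profile, threshold=0.5):
    """Return (score, record) pairs at or above threshold, best first."""
    scored = [(relevance(rec, profile), rec) for rec in merged.values()]
    kept = [pair for pair in scored if pair[0] >= threshold]
    kept.sort(key=lambda pair: (-pair[0], pair[1].ioc_type, pair[1].value))
    return kept


if __name__ == "__main__":
    merged = correlate(parse_feed_a(FEED_A_CSV), parse_feed_b(FEED_B))
    for score, rec in triage(merged, ORG_PROFILE):
        print(f"{score:>5}  {rec.ioc_type:<7} {rec.value}  sources={sorted(rec.sources)}")
```

On the constructed data, the address reported by both feeds is ranked first because it is corroborated and matches both the sector and a platform in use, the two spellings of the same domain collapse into one record, and the scanner address tagged for a platform the organization does not run falls below the threshold. The same three measures (corroboration count, profile matches, items filtered out) are also the kind of numbers a program can report over time when it is asked about ROI.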