CTI: From Empty Promises to Informed Decisions

The cyber threat intelligence (CTI) industry is in a pivotal stage. Despite its proven potential, the practice has not consistently lived up to its promises since its strategic rise in 2014. It's certainly not dead; in fact, it will become your (cyber) security program's most important prioritization mechanism. A shift in thinking is required to strategically reposition this practice within organizations. I've broken down my thinking below. Comment your thoughts!


Addressing the consequences of over-promise

From a vibe perspective, teams increasingly took fundamentally different approaches to CTI within their organizations, often leading to varied results. Many organizations have overinvested in standalone CTI roles based on external advice or internal incidents, resulting in disappointment and a perceived lack of value. Both of these applications result in unhappy stakeholders, subsequently leading to a lack of support for 'more tools or people.' This highlights the need for a shift in how CTI is perceived, implemented, and used within organizations.

From a market data perspective, the vibe is the same: you can clearly see the same picture. Below are some figures on Cyber Threat Intelligence market size. This is based on publicly available information, and I used an LLM to help with some historic and comparison analysis.

The conclusion: Market dynamics have resulted in slower growth, and the overestimation in growth expectations needs to be corrected. Future estimates need to be much more conservative. Even if it's not 100% accurate, it's telling.

As a CEO and business leader with a keen interest in data, I want to have a strong handle on these kinds of data points. There's much more to unpack here, I know that. However, this clearly tells me that both as an industry and a practice, something is going to change.

Here's the same data, but presented in a table:


Key components of 'next generation' Cyber Threat Intelligence

This vibe check is not lost on practitioners either. Business teams, vendors, service providers, consultancies, innovators, and teams are all approaching the same problem but from their perspective. You could argue that this actually complicates things, rather than creating more clarity. Historically, in these situations, we usually saw vendors, service providers, and consultancies acquire startups, slap a 'next generation' sticker on the products or services, and see a correction in longer-term market adoption. I'm curious if we will witness a similar trend over the next 6 years.

Another historical reference: the CTI industry has mostly been focused on intrusion-based research and attribution, emphasizing Indicators of Compromise (IOCs). There has been a strong shift towards understanding tactics, techniques, and procedures (TTPs) that produce IOCs. This evolution provides deeper insights into adversary behavior and enhances the ability to anticipate and mitigate threats. I believe this transition is positive. I also believe that it took us too long and we need to be more aggressive in continuously improving this practice.

Fundamentally, I believe there are three key elements that need attention:

  • Integration
  • Mindset
  • Decision support

Improve integration using Systems Thinking

Integration with various organizational processes remains a current challenge we see teams struggle with often. Most of the time, I see teams become so successful (for example, based on value delivery, skillset, interpersonal abilities) that their success actually becomes the limiting factor in delivery, subsequently impacting their value, despite doing a great job. Having to deal with more stakeholders and processes while lacking adequate resourcing is a balancing act.

I've come to believe that we need to rethink how CTI integrates with organizational processes. More fundamentally, I think we need to rethink how (cyber) security integrates with organizational processes. I encourage leaders to explore systems thinking in this perspective. There is a significant lack of systems thinking within CTI and broader cybersecurity. For example, adopting a holistic view improves the effectiveness of CTI initiatives by ensuring (sometimes forcing) strategic alignment and operational effectiveness.

Once this integrated approach is sound, you can build more substantiated elements on top of this. For example, applying continuous improvement concepts like Kaizen. Kaizen principles require continuous improvement of the CTI practices through small, incremental changes that lead to significant long-term improvements in the effectiveness and efficiency of your efforts.

A systems thinking approach helps organizations understand the interconnected nature of threats and defenses, fixing not just the CTI integration problem but also those for threat hunting, detection engineering, vulnerability management, log management, security monitoring, red teaming, purple teaming, and more.

Establishing the proper mission & mindset

The second aspect we need to do better is appropriately defining mission and mindset. Sometimes integrating a CTI mindset into existing organizational processes or people might be more effective than creating isolated CTI roles. If the mission is clear, then you could argue that you sometimes won't need a dedicated person. I noticed organizations, particularly smaller ones, often overinvest in CTI functions based on external advice, compliance, or internal incidents. Why hire a malware reverse engineer if you can't leverage the output of both analysis and attribution research? This overinvestment dilemma can lead to disappointment and subsequently a perceived lack of value. A more pragmatic approach could be to integrate a CTI mindset across existing roles rather than establishing standalone departments, ensuring a more efficient use of resources.

Every team I've worked with, and work for, deals with resource constraints. Any form of wastage needs to be prevented to ensure we can increase the perceived value of CTI efforts. Organizations, especially smaller ones, benefit from adopting CTI-informed processes across various roles, which improves decision-making and resource allocation. Yes, CTI is not just for big companies; small to medium companies need to make every risk management decision count.

Your decision support system

The primary value of CTI lies in its role as a decision support system. For those paying attention, I'm talking about doubling down on the intelligence aspect in CTI. Globally, we are observing increased legislation that will demand your prioritization choices to be threat- or intelligence-led. Your CTI team is uniquely positioned for that use case, for example to inform various components of digital operational resilience. Intelligence analysis has supported decision-makers since the dawn of mankind, formalized into the modern variant in 1947 by Sherman Kent, and I reckon we will continue to make use of it indefinitely.

Key issues in the domain of decision-making include making decisions based on fundamentally flawed data, operating against a threat environment that is much more dynamic than your defenses, and the lack of accountability and responsibility around explicit decision-making. For those reading this and thinking this is not a problem, think back to all the projects that were started, only for people to ask themselves after a while: why are we doing this?

Leveraging your CTI more effectively into decision-making processes first allows you to prioritize your CTI efforts (creating demonstrable value) and second, results in the organization making more informed, effective, strategic digital risk management decisions. It's that simple. Unfortunately, most of the teams have not been positioned or utilized as such.


Things missing? Well, I can tell you there's one obvious thing not listed here. That is technology.

Why? My reasoning is quite simple. In this decade, it has never been easier to create a product. In fact, within this 'age of AI' you can probably reduce your go-to-market from months to mere days if you wanted to. This is also the challenge the wider cybersecurity industry is facing: we are creating solutions quicker than we fundamentally solve problems. Clearly defining, integrating, and creating brand fans is a lot of work. I won't dive deeper for now.


The path forward

So, is the practice dead? Oh, no. On the contrary. In fact, I believe it is your security program's most important element for the years to come due to its ability to drive decision support, helping to prioritize actions from board to basement. Intelligence-driven decisions, threat hunts, threat-led risk scenarios, security awareness training prioritization, you name it. Especially in this age of AI.

However, the cyber threat intelligence industry must evolve to fulfill this potential. So in the spirit of being practical, here are 5 steps I believe everyone should explore starting today:

  1. Adopt a Decision Support Focus: Prioritize using CTI as a decision support system in your organization. Understand how it is currently integrated into various components of your digital operational resilience efforts. Pursue active improvement. Demand CTI insights that are not just actionable but directly beneficial to strategic and operational decisions.
  2. Integrate CTI Mindset Across Roles: Rather than creating standalone CTI roles, always consider if you should integrate CTI insights into existing roles across the organization. In some cases you are better off having dedicated teams; in some cases you might just need a few teams preaching the mindset. The mindset approach enhances decision-making processes and ensures CTI adds value without unnecessary resource expenditure.
  3. Embrace Systems Thinking: Adopting systems thinking helps your organization understand the interconnected nature of cybersecurity threats and defenses. When this becomes threat- or intelligence-led, you basically exponentially increase the effectiveness. The holistic view improves strategic alignment and operational efficiency.
  4. Apply Continuous Improvement: Explore Kaizen principles to continuously improve your CTI practices. Small, incremental changes lead to significant long-term improvements in the effectiveness and efficiency of CTI efforts.
  5. Leverage Traditional Intelligence Practices: Continue adopting, and adapting, traditional intelligence practices within CTI - and cyber security. The integration of these practices over the last decade has proven valuable and should be further refined and applied. I strongly believe this is needed to allow the practice to transition to something more than just a purely technical capability.


By following these steps, organizations can continue enhancing the value and effectiveness of their cyber threat intelligence efforts. I'd love to hear what you make of this. Where would you start? Let me know.

Cheers,

GJ


Relevant reading materials:

  • Fortune Business Insights estimates the market size to grow from $5.80 billion in 2024 to $24.85 billion by 2032, exhibiting a CAGR of 20% during this period (Fortune Business Insights).
  • Expert Market Research projects the market size at $12.35 billion in 2024, growing to $39.19 billion by 2032, with a CAGR of 13.7% (Expert Market Research).
  • Mordor Intelligence forecasts the market size at $8.15 billion in 2024, reaching $14.96 billion by 2029 with a CAGR of 12.9% (Mordor Intel).
  • Adroit Market Research expects the market to grow to $14.6 billion by 2030, at a CAGR of 15.7% (Adroit Market Research).
  • HTF Market Intelligence estimates the market size at $4.42 billion in 2024, increasing by $11.65 billion to reach a total of approximately $16.07 billion by 2030, with a CAGR of 17.5% (EIN News).


PS. If you like this article, then you’ll love the work we do at Venation. Together with my Venation team, we curate and customize threat scenarios for teams to use for scenario planning, intelligence led testing, digital risk management & decision-making.

Check out more information via www.venation.digital.

#systemsthinking #cybersecurity #cyberthreatintelligence #venation #narratives #scenarios #threatscenarios #kaizen #leadership #decisionmaking

As always... your articles are insightful

Mark Snel

Cybersecurity Leader | ex Chief Information Security Officer (CISO) | Conference Speaker | Leadership | Mentor

9 months

Insightful! Sanne Hoogendorp CFE Kobe S. Gal Messinger Nice for you to read

Kseniia I.

Senior Product Manager @ Elastic Security

9 months

This really resonates with me! I think we go through waves of democratization of security disciplines when their value needs to scale, which calls for a broader adoption of their practices across the organizations.
