In episode 42 of The Cyber5, we are joined by A.J. Nash, Senior Director of Cyber Intelligence Strategy at Anomali. A.J. discusses the steps and key components of building an enterprise intelligence program. Among the topics covered are frameworks, roles and responsibilities, critical skill sets, and metrics.

5 Topics Covered in this Episode:

1. Defining the Requirements with Key Stakeholders:

Defining the intelligence requirements necessary to ensure the success of business stakeholders should always be step one. Sales, marketing, engineering, customer success, information technology, legal, and human resources will have different requirements. The security or intelligence team must prioritize the requirements in the context of what is best for the business and what meets the needs of the stakeholders.

2. Security and Intelligence Should Be Viewed as a Business Enabler:

Regardless of industry or company size, the second key to success is committing that the security and intelligence team will be an enabler of business and not a cost center. As a result of the nature of their business, the many regulations they face, and the assets they hold, the finance industry has led the way in building intelligence programs. Other industries are following their lead as criminals are branching out to target a wider range of digital assets and PII.

3. An Inquisitive Mindset is Critical When Building Intelligence Programs:

The ability to view disparate pieces of information with an inquisitive mind, and then communicate business risk is a critical skill set. Businesses often look for a combination of public sector and private sector intelligence experience when building an intelligence program. While enterprises often start by hiring a technical leader, a key to success is building a team of individuals with inquisitive minds. For example, former journalists have been known to become fantastic enterprise intelligence experts.

4. Risk Must Be Prioritized:

An intelligence program is no different than any other enterprise program. Profit and risk must always be considered, and intelligence should be driving security requirements to enable the business. An intelligence program should identify adversarial intentions and capabilities, estimate the risk and cost of a successful attack, and consider the costs of controls that need to be implemented to defend against such adversaries. This must be properly communicated to the CEO, who ultimately owns key decisions. Intelligence programs span fraud, information security, physical security, executive protection, trust and safety, third party risk, and mergers and acquisitions.

5. Important Metrics for Intelligence Program: Mature programs build and provide key metrics based upon intelligence requirements. Metrics should focus on actions that were taken, intelligence that was analyzed, the subsequent controls that were put in place, and the decisions that were made by key stakeholders. There are currently no well-defined and accepted frameworks for intelligence programs. Most programs combine several existing frameworks, including MITRE ATT&CK, which is specific to information security. Intelligence programs need to proactively alert on threats and risk and quantify the success and failure of actions taken.