3 Tenets of Intelligence

Cyber Threat Intelligence (CTI) might be the most misconstrued buzzword in cybersecurity. With myriad definitions and manifestations, it has come to mean whatever the purveyor of a given solution wants it to mean. It could be a data feed, a report, or a service; it doesn't matter. The assumption is that associating an offering with "intelligence" helps it sell. The unfortunate side effect is skewed consumer expectations that hurt all parties in the market.

While we’ll avoid committing YADI (Yet Another Definition of Intelligence), we will state that  intelligence is a specific thing: the production of which has means, methods, and definitional elements that differentiate the output from other types of information.  Though CTI has unique characteristics from other types of intelligence (competitive, political, economic, etc.), the foundational principles are the same. 

This article is not intended to determine what does or does not qualify as intelligence, but instead to offer a simple framework that may help properly conceptualize it.

Our 3 Tenets of Intelligence are…

1. Intelligence is a support function.

2. You can’t support what you don’t understand.

3. If it isn’t relevant to the consumer, it isn’t intelligence to that consumer.

Intelligence is a support function

Recognizing that an intelligence function is a support function is critical to properly conceptualizing its role within an organization. It doesn’t solve the problem; it informs the solution to the problem. This mindset must be held by the intelligence team to ensure a service-centric mindset. It also must be held by stakeholders (i.e. the intended consumer of intelligence products), to ensure they establish a demand for relevant, timely, and actionable inputs. When the intelligence team loses sight of its purpose, team members can become disillusioned and seek more “interesting” or personally-rewarding work instead of delivering what stakeholders need. When stakeholders lose sight of their responsibility to provide guidance and feedback to the intelligence team, they often become frustrated with outcomes and drift away from collaboration; stifling the intelligence function and reducing stakeholder benefit from it. Good communication can alleviate these problems by enabling stakeholders to clearly express their requirements (feeling heard) and providing intelligence  teams feedback on how their contributions enhance security (job satisfaction).

You can’t support what you don’t understand

Understanding the stakeholder is paramount for consistently delivering relevant and actionable intelligence. In order for an intelligence function to provide effective support, it must understand the stakeholder’s mission, operational realities, and technical constraints. These requirements allow an intelligence function to focus collection and analytic efforts; and through a structured process, to deliver tailored products that inform decision making and drive operations. Intelligence teams that lack this depth of understanding are forced to make assumptions about what’s valuable to any given stakeholder—often based solely on that stakeholder’s functional role—and almost always at the expense of accuracy and relevance. The hallmark of a failed intelligence function is its practical and operational isolation from its stakeholders.

If it isn’t relevant to the consumer, it isn’t intelligence to that consumer

The surest way for an intelligence function to relegate itself to obscurity is to provide stakeholders with irrelevant inputs. Part of the problem is that the term “intelligence” is often treated as a mere synonym for contextualized information. In reality, intelligence is the output of a deliberate process that endeavors to identify a stakeholder’s information gaps and then fill those gaps with tailored inputs. One of the key differences then, between intelligence and contextualized information, is that intelligence is based on validated requirements while contextualized information is based on informed assumptions (about what is relevant to the stakeholder). In short, intelligence to one stakeholder may simply be information to another.

Summary

To reiterate, the intent of this article is not to define what intelligence is or is not, but to provide a framework for testing your conceptualization of intelligence. While this explanation of  “tenets” may seem overly simplistic—not addressing many aspects of intelligence operations and CTI in particular—we’re confident that if you test the premises, you’ll find them each essential to properly conceptualizing the role and value of intelligence.

Our opinion certainly isn’t the only one though; so, please challenge our position if you think it’s off. It really is the best way for all of us to learn.