Author: Eric Olson, VP of Product Strategy
In our previous posts in this series on making the business case for threat intelligence, we’ve explained the importance of using threat intelligence and how to justify your security needs by equating them with a business objective. In this post, it’s time to get to the nitty gritty: creating an actual plan.
Let’s take the principles we’ve discussed the past few weeks and use them to formulate a plan and a budget request.
Step 1: Envision the End State
Picture the finished product of your threat intelligence plan – the security operations center, the analysts, the tools, and the activities that will be required. Then work backwards and list out the actual needs to fulfill that vision.
Step 2: T.E.S.T. for Readiness – Gap analysis
A dollar figure will be associated with your vision. Before coming up with actual numbers, put together a gap analysis to find out what must be procured to fulfill the Tools, Expertise, Skills, and Time (T.E.S.T.) framework.
Tools: These hardware, software, physical space, workstations, and platforms that are required to complete the vision. It’s a catch-all for the physical “stuff” needed to bring the envisioned future state into reality.
Expertise and Skills: Both expertise and skills are knowledge-based needs, but they have subtle differences. In our definition, expertise is based on knowledge, experience, and wisdom. It is often the purview of specialists, consultants, and experts, and procured on a limited or short term basis. Skills are the learned abilities required for on-going operations. These can often be developed with existing staff through learning programs such as certifications or trainings. Take inventory of what skills need to be procured, learned, hired, or deployed to determine specific costs to obtain those things as needed to complete the vision.
Time: Secondly, independent of the available bandwidth, there is sometimes a concrete business benefit derived from speed. Revisiting the scenario from the last post, having an already established intelligence capability in place can differentiate one bid from another, providing a huge potential revenue upside to accelerating the project. This is what ultimately allowed the company using Cyveillance’s feeds to win the major contract. Other drivers that could justify acceleration include the availability of expiring funding such as a grant, or the timing of a major event such as the World Cup or Olympics, which greatly increase the importance or value of standing up a capability faster.
This comprises two related, but subtly distinct elements. The first and more obvious element is the time available from existing resources; does your organization have the human bandwidth available on staff to build the desired capability? If not, then additional short-term or permanent headcount may be required.
Step 3: Speak Business
In most organizations, the budget holders are not security people, they are business people. The links between the threat intelligence capability and clear business objectives, activities, and results, provide a clear direction for how to couch budget requests in the business language and outcomes that appeal to management.
For example, we have seen several clients struggle with budget justifications because they appear to incur very large first year costs. However, upon review, once they differentiated long-term start-up costs for their threat centers from smaller operational costs, they were able to capitalize much of the up-front expenditure. This dramatically reduced the first-year hit to the department’s operating budget.
While this might seem like accounting administrivia (or even incomprehensible gibberish) to many security professionals, accounting for a six- or seven-figure project correctly can make a critical difference in the project’s acceptance. Knowing how to properly treat the costs and work with finance can be the difference between a proposal that is dead-on-arrival and one that is given serious consideration.
Step 4: Reporting
Finally, it is important to create reporting that will be useful for management, not just the security team. Nominal metrics are operational – lists of alerts, documents tagged, or items investigated. While these numbers are interesting to you, they do not tell management how the organization’s business objectives are, or are not, being met. Meaningful reporting will tie into the drivers for the threat intelligence initiative. Meaningful reporting will tie into a business outcome, such as policies that are changed, employee actions taken, or legal processes initiated as a result of the activities reflected in those nominal activity metrics.
To make the case for procuring threat intelligence, align security needs with the organization’s business objections by envisioning the desired security outcome, using the T.E.S.T. method to determine readiness, translating security objectives into business objectives and language.
In our next post, the last in this series, we will provide two example scenarios that show you exactly how to create a threat intelligence business case.