With the introduction of regulations like DORA and NIS2 in Europe, organisations will face increased expectations for incident response and reporting and for proactive cyber risk management. As cyber threat intelligence (CTI) programs become critical for navigating these regulatory landscapes, adopting intelligence methodologies can help organisations build a more robust CTI program, one that increases resilience and helps the right stakeholders make informed decisions. What is generally missing, though, is the I of CTI, the intelligence part.
Mostly, CTI reports are highly technical and seem to be generated by and for other CTI professionals. They usually focus on incidents and their TTPs, malware, step-by-step walk-throughs of analysis, and other technical aspects. This makes sense when you are communicating to and with other CTI professionals. But what if your intelligence could be used to influence the organisation’s strategic direction? For this, the Chief Risk Officer (CRO) and the Chief Information Security Officer (CISO) are your new best friends! To do that, you need to understand the needs of your CRO and CISO. But how?
Intelligence Process: The Basics
The intelligence process is a dynamic approach that draws from established intelligence principles used by most NATO countries’ public and private sectors. A foundational part of creating intelligence is the intelligence cycle, and a robust CTI program should use the intelligence cycle to transform stakeholders’ requirements into actionable strategic insights that enable proactive defence and organisational resilience.

Thus, the intelligence cycle, a structured approach to gathering, analysing, and acting on relevant data and information, should be at the core of a successful CTI program. The intelligence cycle begins with planning & direction, i.e. defining requirements. Intelligence requirements should be dynamic, regularly reviewed, and refined based on evolving needs from the CISO and CRO and emerging threat trends. They are the fundamental compass guiding the entire intelligence collection and analysis process. This involves close collaboration between technical security teams, strategic leadership, and operational units to create a holistic view of potential threat landscapes. In this step, the CISO and CRO should identify what intelligence they need to address their unique risks and regulatory obligations. For example, a company subject to NIS2 may prioritise intelligence on threat actors targeting critical infrastructure or supply chain vulnerabilities in its sector and countries of operation. By clearly establishing objectives, the intelligence cycle can ensure that efforts remain focused and actionable.
The next phase, collection (and processing), involves gathering data from diverse sources, such as network logs, threat feeds, open-source intelligence, and internal incident data, and then processing it to enable analysts to identify recurring patterns or gaps in defences. Rather than treating intelligence reporting as a compliance checkbox, CISOs and CROs should use it as an opportunity to refine their intelligence requirements and enrich their understanding of the threat landscape. Modern threat intelligence requires a sophisticated, multi-source approach beyond traditional security data collection. This involves integrating:
- Open-source intelligence (OSINT) from public digital sources
- Technical intelligence from network sensors and security tools
- Human intelligence from industry partnerships and threat-sharing communities
- Underground forum and messaging services monitoring
The goal is to utilise a comprehensive intelligence collection framework that prepares the collected material for the subsequent phases.
Once data is collected, it transitions into the analysis (and production) phase, where data and information are transformed into actionable insights. Analysts often determine an adversary’s capabilities, intentions, and potential impact using frameworks and models designed for CTI, such as the Diamond Model or the Cyber Kill Chain framework. This is also where the intelligence process can contribute by adding structured analytical techniques (SATs). These SATs reduce bias, structure workflows and analysis, and ensure the finished intelligence has rigour. For example, a CTI program grounded in the intelligence process doesn’t just respond to incidents; it anticipates and mitigates them. For this, we use forward-looking SATs such as foresight. To use advanced analytical techniques such as SATs, CISOs and CROs should invest in human analytical expertise and in artificial intelligence (AI), meaning automation and machine learning capabilities, to effectively process and contextualise threat data and information. CTI analysts should tailor intelligence products to different organisational stakeholders, ranging from technical security teams to executive leadership, so that insights are both technically precise and strategically relevant. These intelligence products should feed directly into decision-making processes, equipping stakeholders to respond effectively to evolving threats.

For a CTI program to achieve its full potential, the dissemination of intelligence must reach the right stakeholders in a timely manner. Transparent, concise reporting tailored to the needs of executives, incident responders, and compliance teams ensures that intelligence drives action. Whether it’s a strategic briefing to prepare leadership for regulatory changes or a tactical alert to guide response teams during an active threat, dissemination is where intelligence achieves its practical value.
Finally, feedback is essential to improving all three P’s: the intelligence program, process, and products. Regular review of intelligence collection, processing, analysis, and application allows for continuous refinement of all three P’s. The CTI team should develop a tiered dissemination approach that provides differentiated intelligence products for various stakeholder groups, ensuring that each receives information in the most consumable and actionable format.
By adopting a systematic approach, CISOs and CROs can move beyond reactive compliance and toward proactive resilience, aligning their security posture with the demands of an increasingly complex regulatory and threat environment.
Considerations
The intelligence cycle is inherently iterative. Organisations must establish continuous evaluation mechanisms that assess intelligence program effectiveness, refine collection strategies, and adapt to evolving threat landscapes. Tabletop exercises and simulation scenarios can test the program’s alignment with real-world conditions, uncovering gaps and ensuring adaptability.
Intelligence programs are not one-size-fits-all solutions. Each organisation must carefully define its unique intelligence ecosystem, considering its specific technological landscape, threat exposure, and strategic objectives. This involves a nuanced understanding of how threat intelligence will integrate with existing security infrastructure and organisational decision-making processes. Key considerations include determining the scope of intelligence collection, defining intelligence requirements, and establishing clear governance structures that facilitate intelligence dissemination and action.