Welcome
How Mature Is Your Threat Intelligence Program?
An effective threat intelligence program requires threat intelligence leaders to collaborate with the stakeholders throughout the organization and develop a roadmap for improvements. However, leaders cannot determine a path forward without first measuring their organizations’ current threat intelligence maturity.
How mature is your organization’s threat intelligence practice? Take our short self-assessment to find out.
The assessment will yield customized results and recommendations based on your responses and should take no more than 10 minutes to complete.
Questions
Describe the skills and knowledge of the people in your organization who are responsible for:
Describe your organization’s use of tools and technologies for:
Describe your organization’s processes and procedures used for:
Describe your organization’s policies and standards for:
How would you describe your organization’s ability to measure the following?
Your Results Overview
Your organization’s threat intelligence maturity is: Leader
IT security must coordinate its four competencies (oversight, people, technology, and process) to create an effective threat intelligence program that drives cyber risk management.
Register below to see your custom recommendations on how to advance your organization’s threat intelligence capabilities and grow your practice.
Your organization’s threat intelligence maturity is: Intermediate — strategic
Your organization’s threat intelligence maturity is: Intermediate — technical
Your organization’s threat intelligence maturity is: Novice
Recommendations
Novice
Your score means your organization’s threat intelligence maturity is only at the beginning stage. You have a long way to go in your threat intelligence journey but can get some quick wins to reduce cyber risk. Now is the time to prioritize threat intelligence in your organization — all global security decision-makers we surveyed have plans to expand their threat intelligence capabilities over the next two years. Here are some recommendations on how to plan and get the most out of your threat intelligence program:
Oversight
- Identify a threat intelligence program manager and executive sponsor.
- Identify initial threat intelligence stakeholders in the security organization.
- Create a threat intelligence program charter.
- Get a predictable, sustainable budget for threat intelligence.
- Set specific metrics, starting with performance measures such as the number of IOCs ingested.
People
- Designate or hire individuals to focus solely on threat intelligence rather than as an extra or part-time duty. Consider hiring a team leader or manager for the nascent threat intelligence capability.
- Send dedicated threat intelligence analysts to specialized threat intelligence training as necessary.
Technology
- Begin designing a threat intelligence architecture that incorporates internal and external data sources and the dissemination of finished intelligence.
- Consider a threat intelligence platform (TIP) to aggregate and retain threat intelligence information.
- Automate the enrichment of new security operations center (SOC) events with the latest threat intelligence from the TIP or directly from threat intelligence sources.
- Integrate other security tools (e.g., security analytics, next-generation firewalls, vulnerability assessment) with the TIP.
- Use threat hunting and detection tools to find and classify unknown threats.
Process
- Elicit intelligence requirements from security stakeholders by determining what critical business processes the company has to protect.
- Create an intelligence collection plan. Exploit internal telemetry first. Be deliberate about which external intelligence sources you acquire as you fill in gaps in your collection plan.
- Disseminate intelligence in multiple formats.
- Produce tactical intelligence (for the SOC and the incident response team) and begin producing operational intelligence for chief information security officers (CISOs) and other security leaders.
- Collect stakeholder feedback and refine intelligence requirements and collection plans.
Intermediate – technical
Your score means your organization’s threat intelligence maturity has advanced to the intermediate stage, and your organization specifically performs stronger in the technical (technology and process) aspects of threat intelligence. Congratulations, but your value to your company can be even greater. To continue to grow the threat intelligence program and improve your organization’s resilience to cyberthreats, follow these key recommendations:
Oversight
- Identify a threat intelligence program manager and executive sponsor.
- Identify initial threat intelligence stakeholders in the security organization.
- Create a threat intelligence program charter.
- Get a predictable, sustainable budget for threat intelligence.
- Set specific metrics, starting with performance measures such as the number of IOCs ingested.
People
- Designate or hire individuals to focus solely on threat intelligence rather than as an extra or part-time duty. Consider hiring a team leader or manager for the nascent threat intelligence capability.
- Send dedicated threat intelligence analysts to specialized threat intelligence training as necessary.
Technology
- Continually revise and update the threat intelligence architecture, fully incorporating all internal sources of threat indicators, all external sources (paid, open, and sharing communities), security tools, and steps of the intelligence cycle.
- Consider procuring only raw intelligence from commercial intelligence providers rather than external finished intelligence as part of the team’s maturing ability to cluster and track activity based primarily on internal security telemetry.
- Add specific analytical tools on top of the threat intelligence platform (TIP) to allow for more robust intelligence analysis by the team.
- Use threat hunting and detection tools to find and classify unknown threats and build new detections.
Process
- Expand the collection plan to answer more stakeholder intelligence requirements.
- Focus on producing your own complete, accurate, relevant, and timely threat intelligence products rather than paying for vendor-finished intelligence.
- Design a robust, repeatable quality assurance process, ensuring finished intelligence is complete, accurate, relevant, timely, and consistent.
- Collect quantitative and qualitative feedback from internal (team and security) and external (within and outside the company) stakeholders automatically and ad hoc. Incorporate feedback into updates to requirements, collection plans, architectures, budget, and intelligence production.
- Intelligence products should be in any format the stakeholders desire.
- Produce intelligence at the tactical (e.g., SOC, IR), operational (e.g., CISO, IT stakeholders), and strategic (e.g., business leaders, board of directors) levels.
- Stakeholders should request intelligence briefings directly from the company’s own intelligence analysts.
Intermediate – strategic
Your score means your organization’s threat intelligence maturity has advanced to the intermediate stage, and your organization specifically performs stronger in the strategy (oversight and people) aspects of threat intelligence. Congratulations, but your value to your company can be even greater. To continue to grow the threat intelligence program and improve your organization’s resilience to cyberthreats, follow these key recommendations:
Oversight
- Identify a threat intelligence program manager and executive sponsor.
- Have the threat intelligence team report directly to a chief information security officer (CISO) or chief security officer (CSO).
- Identify threat intelligence stakeholders beyond security (e.g., business unit leaders, C-suite).
- Refine and update the threat intelligence program charter incorporating the growing mission of the threat intelligence team.
- Report on measures of effectiveness, but don’t forget to keep tracking measures of performance to ensure processes are performing as expected. At this point, you should be reporting on adversary dwell time and mean cost of a breach in addition to other performance and effectiveness metrics.
People
- Hire a director of threat intelligence.
- Build a team of diverse threat intelligence analysts that bring business, cultural, and technology skills to the mission.
- Use critical thinking to control cognitive biases to develop better, more valuable threat intelligence for stakeholders.
- Secure budget for training and regularly send analysts to classes to improve their technology and analytical skills.
Technology
- Begin designing a threat intelligence architecture that incorporates internal and external data sources and the dissemination of finished intelligence.
- Consider a threat intelligence platform (TIP) to aggregate and retain threat intelligence information.
- Automate the enrichment of new security operations center (SOC) events with the latest threat intelligence from the TIP or directly from threat intelligence sources.
- Integrate other security tools (e.g., security analytics, next-generation firewalls, vulnerability assessment) with the TIP.
- Use threat hunting and detection tools to find and classify unknown threats.
Process
- Elicit intelligence requirements from security stakeholders by determining what critical business processes the company has to protect.
- Create an intelligence collection plan. Exploit internal telemetry first. Be deliberate about which external intelligence sources you acquire as you fill in gaps in your collection plan.
- Disseminate intelligence in multiple formats.
- Produce tactical intelligence (for the SOC and the incident response team) and begin producing operational intelligence for CISOs and other security leaders.
- Collect stakeholder feedback and refine intelligence requirements and collection plans.
Leader
Congratulations, your score means that your organization is a leader in threat intelligence! Your program is thriving and having real impact on your organization’s security program. This is no time to rest, however. The cyberthreat landscape is constantly evolving. To continue to grow your organization’s threat intelligence program and improve its resilience to cyberthreats, follow these key recommendations:
Oversight
- Identify a threat intelligence program manager and executive sponsor.
- Have the threat intelligence team report directly to a chief information security officer (CISO) or chief security officer (CSO).
- Identify threat intelligence stakeholders beyond security (e.g., business unit leaders, C-suite).
- Refine and update the threat intelligence program charter incorporating the growing mission of the threat intelligence team.
- Report on measures of effectiveness, but don’t forget to keep tracking measures of performance to ensure processes are performing as expected. At this point, you should be reporting on adversary dwell time and mean cost of a breach in addition to other performance and effectiveness metrics.
People
- Hire a director of threat intelligence.
- Build a team of diverse threat intelligence analysts that bring business, cultural, and technology skills to the mission.
- Use critical thinking to control cognitive biases to develop better, more valuable threat intelligence for stakeholders.
- Secure budget for training and regularly send analysts to classes to improve their technology and analytical skills.
Technology
- Continually revise and update the threat intelligence architecture, fully incorporating all internal sources of threat indicators, all external sources (paid, open, and sharing communities), security tools, and steps of the intelligence cycle.
- Consider procuring only raw intelligence from commercial intelligence providers rather than external finished intelligence as part of the team’s maturing ability to cluster and track activity based primarily on internal security telemetry.
- Add specific analytical tools on top of the threat intelligence platform (TIP) to allow for more robust intelligence analysis by the team.
- Use threat hunting and detection tools to find and classify unknown threats.
Process
- Expand the collection plan to answer more stakeholder intelligence requirements.
- Focus on producing your own complete, accurate, relevant, and timely threat intelligence products rather than paying for vendor-finished intelligence.
- Design a robust, repeatable quality assurance process, ensuring finished intelligence is complete, accurate, relevant, timely, and consistent.
- Collect quantitative and qualitative feedback from internal (team and security) and external (within and outside the company) stakeholders automatically and ad hoc. Incorporate feedback into updates to requirements, collection plans, architectures, budget, and intelligence production.
- Intelligence products should be in any format desired by the stakeholders.
- Produce intelligence at the tactical (e.g., SOC, IR), operational (e.g., CISO, IT stakeholders), and strategic (e.g., business leaders, board of directors) levels.
- Stakeholders should request intelligence briefings directly from the company’s own intelligence analysts.
Next Steps
Read the research
Thank you for taking the time to complete this assessment! Click here to read the full Forrester report commissioned by Kaspersky.
Visit the Kaspersky website
Learn more about Kaspersky Threat Intelligence here.
Ready to get started?
Contact intelligence@kaspersky.com to find out how Kaspersky can help your organization grow its threat intelligence practice.
Methodology And Disclaimers
Methodology
In this study, Forrester conducted an online survey of 678 IT security decision-makers at firms with mature IT security teams (i.e., firms that have a dedicated IT security department or a security operations center) to evaluate their threat intelligence practices. Participants were asked about their current threat intelligence activities, their plans for investment, the challenges they encounter as they improve their threat intelligence programs, and how they are overcoming those obstacles. The study began in July 2021 and was completed in August 2021.
Disclaimers
Although great care has been taken to ensure the accuracy and completeness of this assessment, Kaspersky and Forrester are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein.