What is a Good Business Case for CTI

Most business cases for Cyber Threat Intelligence often seem to fail quietly.

Not because CTI isn’t valuable, no, often people understand quite well why this practice is important. Yet, it often fails because it’s framed as intelligence, not as decision support.

<aside> ⚖️

Intelligence? You mean that huge apparatus that has a lot of people working on questions with near-unlimited resources (people, cash)? Sounds expensive!

In the private sector leaders won’t fund intelligence.

They will, however, fund being able to make better decisions.

</aside>

The mistake we keep making

When I'm getting called in about this exact situation, I often note teams arguing for CTI with comments such as:

While all these items are certainly true, none of them is directly compelling or provoking a direct response from a decision-maker or business leader.

Unless they have understanding of the trade before getting introduced to it, they often want to understand more on how this contributes to how the organization is already making cyber decisions today:

In all honesty, these are all decisions that will be made with fragmented, implicit, and inconsistent information or data; requiring some kind of mechanism that helps you understand context quicker, who you are up against, and what are your options.

These are lessons I've learned the hard way in last years developing Venation (https://venation.digital) but also far before that.

That’s the real problem CTI solves if you ask me.


The reframing that actually works

I'll dive a bit deeper into this topic in my article, but I believe a strong CTI business case asks: