The Chief Intelligence Officer

Cyber threats, capabilities and, intelligence abound and enterprises are staring down a hazy divide between their Corporate structure and those of government agencies and military agencies.

A year ago, AJ Nash laid out a compelling case for an addition to the C-Suite table, a corporate officer who would roll up intelligence responsibilities and expand corporate programs while wrestling with unfocused intel sourcing (spending) as well as underutilized Cyber Threat Intelligence teams who are largely a small subset of the SOC, or even just some of the SOC team who are tasked with creating IOC’s.

Few (or none) would argue that cybersecurity is at the top mind for organizations who wish to remain viable in today’s world. The last two decades have seen a steady evolutionary march in hacking from nuisances, to dangerous (though often unintended) infections, to targeted attacks, to the more recent rise in blanket ransomware attacks that are sent to Fortune 500 companies and small businesses alike.

Unfortunately, no organization can presume any of these threats are behind them when deciding on resource allocation. Hacktivists are just as active as in the beginning, disgruntled former or current IT staff can wreak havoc, and nation-state teams are still trying to steal trade secrets, impact defense capabilities or just plain steal money.

“The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.”

― Daniel J. Boorstin

Continually adding levels of management, specialists, software, and capabilities to a corporate cyber security posture is often a slog, and doesn’t approach keeping pace with evolving attack capabilities of adversaries. Corporations have grown up with the habit of taking as long as they can to bite the proverbial bullet and spend more money on assets that don’t generate revenue, whether it’s a piece of software, a new manufacturing line, or adopting a new security practice.  The reasons for this are many but can be distilled down in many cases to a reticence to spend money on an unproven need or fear of buying in too soon and wasting shareholder value.

A corporation with a full Threat Hunting or CTI team in addition to their Security Operations Center, with a CISO in place reporting up to the CIO, CSO or even CEO, is currently leading the pack with their buy-in on organizational security.  That’s not to say there aren’t organizations out there with even more resource devotion, perhaps even some who have adopted the Chief Intelligence Officer into their C-Suite.

What these vanguard organizations see is the value of pulling Intelligence out of the tactical realm and placing it squarely in the strategic, mimicking what government and military agencies have done for hundreds of years.

A CTI team within a SOC is currently tasked with finding Indicators of Compromise both within and outside the castle walls, and feeding them to the SOC so they can further batten down the hatches. That’s a very simplified take on CTI within mature organizations, but the point remains.

The difference Mr. Nash discusses when adding the Chief Intelligence Officer (CINO), is that threat intelligence becomes a part of an overarching vision of corporate security, compliance, fortitude, and viability.  Rather than retaining intelligence gathering and threat hunting squarely within the cybersecurity operations of a company, which has plenty of tasks to maintain and are the technical arm of an organization’s cyber posture, intel instead moves into a strategic role that answers directly to the CEO and advises on corporate policy, direction and vision based on gathered intelligence from all sources, within and without.

It seems inevitable that companies will adopt some version of this approach. Despite myriad vendors and countless combinations of EDR or XDR, log analysis, sandboxing, and phishing simulations, organizations are still getting breached with regularity. No matter how big a moat is built, nor how many layers the castle's walls take on, one well-configured email or phone call can still bring it all to a standstill.

CISO’s are highly competent and experienced, SOC’s and CTI teams are brilliant in their defense capabilities and their sharing practices among and across organizations are unlike most other aspects of business. Companies with a lot at stake have recognized (for the most part) the absolute necessity of investing in cybersecurity.

Corporations and gov’t/military organizations are marching toward becoming unrecognizable from each other. That’s not to say that we can expect in our lifetime to see barracks and forward posts pop up in Silicon Valley, but it stands to reason that companies who continue to absorb and thwart attacks from adversaries who leverage life and sustainability threatening cyber capabilities will continue to enhance their security posture. Doing so certainly means leveraging experience from military veterans and intelligence field civilians who move to the private sector. Likewise, special projects like the US Marine Corps Cyber Auxiliary bring civilian specialists into their fold to support their mission in the cyber realm.

With this continued blurring of the lines between the public and private sector, we can reasonably expect to see the addition of the CINO  to more and more organizations that wish to leverage practices that help keep our national security and the lives of our military members safe. 

After all, a business that succumbs to ransomware without proper mitigation capabilities or resources to pay the attackers could ‘die’. That company may be critical to the nation’s infrastructure or could provide dozens, hundreds, or thousands of jobs to citizens who rely on their employment. In either case, those companies would do well to consider enhancing their intelligence capabilities, whether that’s through the aggregation of intelligence duties into a new Chief Intelligence Officer role or some other similar appropriation of the government agency playbook.