By Ericka Chickowski, CSO contributor

Stop wasting money on ineffective threat intelligence: 5 mistakes to avoid

Feature | 15 Jan 2025 | 10 min read
Topics: Budget, Risk Management, Threat and Vulnerability Management

To prevent overspending in the wrong areas of cybersecurity and support ROI, here are five mistakes CISOs should avoid.


Strong capabilities in cyber threat intelligence (CTI) can help take a cybersecurity program to the next level on many different fronts. When organizations choose quality sources of threat intelligence that are relevant to their technology environments and their business context, these external sources can not only power swifter threat detection but also help leaders better understand their risk exposure and prioritize future security investments.

CISOs and cybersecurity executives are increasingly staking their program investment goals on the promises of CTI. Recent studies show that three in five organizations spend at least 11% to 30% of their overall cybersecurity budget on threat intelligence capabilities. That equates to $250,000 or more a year spent on threat intelligence products from external vendors by 80% of cybersecurity teams.

But how much of that money is well spent? While most analysts still project security spending to rise in 2025, there are signs that CISOs are going to be called to justify and tighten the efficiency of their spend in the coming year. According to recent research by IANS, over a third of CISOs faced flat to declining budgets in 2024 and staff growth has diminished by half compared to 2022 hiring patterns.

CTI stands to drive a lot of value across threat detection, incident response, vulnerability management, and broader risk management, but it can also prove to be a money pit. Because threat intel is consumed across so many teams and tools, it is hard to bring financial efficiency and accountability to bear on CTI. Organizations stand to waste resources not just on bad intelligence and inadequate analysis, but also on great intelligence that isn’t effectively used to change security outcomes.

There’s no easy answer to tracking CTI return on investment, but many threat intelligence experts say that there are some common ways CISOs can avoid the most likely sources of wasted intelligence spending. The following are five mistakes to avoid in the effort to maximize a program’s efficiency.

Not having a risk management program in place

To truly get value out of a comprehensive CTI program, CISOs need to lay the foundation with a solid risk management program and the infrastructure needed to appropriately analyze and contextualize the feeds they ingest.

“CTI really needs to fall underneath your risk management and if you don’t have a risk management program you need to identify that (as a priority),” says Ken Dunham, cyber threat director for the Qualys Threat Research Unit. “It really should come down to: what are the core things you’re trying to protect? Where are your crown jewels or your high value assets?”

Without risk management to set those priorities, organizations will not be able to appropriately set requirements for intelligence collection that will have them gather the kind of relevant sources that pertain to their most valuable assets.

Additionally, CTI is most valuable when it is used to contextualize security analytics about activity occurring within an organization’s infrastructure. This means organizations need to get their analytics program and their data science and data management ducks in a row to truly squeeze value out of the external intel they bring in.

“Strategically, balancing the lowering of TCO [total cost of ownership] with security value and time-to-value, while integrating with all important internal data sources and tools is a difficult equation,” explains Balazs Greksza, threat response lead at Ontinue. “Security is not a big data problem. In fact, it is a ‘right information and intelligence at the right time’ problem, to come to the right conclusions.”

This means CISOs need to think carefully about every use case in which internal data and external intel will contextualize each other. Greksza says a security data lake serves a much different use case than an XDR, SIEM, or compliance monitoring solution, so the program needs clear objectives and requirements for how all of the intel and analytics data will drive better decision making. CISOs may want to lay the foundation by bringing data platform engineers on board to create a comprehensive data strategy for the SOC and beyond, he says.

Relying on poor quality intel

Bad intelligence can often be worse than none, leading to a lot of time wasted by analysts to validate and contextualize poor quality feeds. Even worse, if this work isn’t done appropriately, poor quality data could potentially even lead to misguided choices at the operational or strategic level. Security leaders should be tasking their intelligence team with regularly reviewing the usefulness of their sources based on a few key attributes. The typical acronym that many intelligence professionals use for this is CART, which stands for completeness, accuracy, relevance and timeliness.

Completeness means that each piece of intelligence gives a full picture of the threat, including actors, methodologies and affected systems, says Callie Guenther, senior manager of cyber threat research for Critical Start. Meanwhile, accuracy is perhaps one of the most crucial elements of quality that will make or break a source’s value. “The credibility and reliability of the source are paramount,” she says. “Inaccurate intelligence can lead to false positives, wasted resources, and potential exposure to unaddressed threats.”

Relevance means that the intelligence is pertinent to the organization’s industry, tech stack, and geographical location. Timeliness is about ensuring that intelligence is current enough to make a difference in how an organization will act. Intelligence sources will often have to strike a balance between timeliness and accuracy as threat research unfolds.

Finally, Guenther would add another ‘A’ into the mix to make it CAART: actionability. “Intelligence should be detailed and specific enough to drive security actions, such as tuning security devices, updating policies, or patching vulnerabilities,” she says.
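One way to turn the CAART review into something repeatable is a scorecard that rates each feed entry on the five attributes and ranks or flags sources from the results. The Python below is an added illustration, not code from the article or from any of the vendors quoted in it. Everything in it is constructed: the organization profile used to judge relevance, the feed-entry field names, the A to F source-reliability grades standing in for accuracy, the equal weighting, and the 14-day window after which tactical intel is treated as fully stale. The three sample entries are made up (IP addresses come from documentation ranges; TTP ids are MITRE ATT&CK technique ids).

```python
"""CAART scorecard for threat-intel feed entries (constructed example).
Organisation profile, field names, grades and the 14-day staleness window
are all assumptions, not anything the article or its sources prescribe."""
from datetime import datetime, timedelta, timezone

# Constructed profile of the consuming organisation; relevance is measured against it.
ORG_PROFILE = {
    "industry": "finance",
    "tech_stack": {"windows", "azure", "okta", "fortigate"},
    "regions": {"us", "eu"},
}
# Completeness: actor, methodology, affected systems, indicators (assumed field names).
REQUIRED_FIELDS = ("actor", "ttps", "affected_systems", "indicators")
# Actionability: something the SOC can tune, patch or change policy from.
ACTION_FIELDS = ("detection_rule", "patch_reference", "policy_change")
# Accuracy proxied by an assumed A-F source-reliability grade.
RELIABILITY_SCORE = {"A": 1.0, "B": 0.8, "C": 0.5, "D": 0.2, "F": 0.0}
# Assumption: tactical intel older than this is fully stale.
MAX_AGE = timedelta(days=14)

def completeness(entry):
    """Fraction of required fields that are present and non-empty."""
    return sum(1 for f in REQUIRED_FIELDS if entry.get(f)) / len(REQUIRED_FIELDS)

def accuracy(entry):  # unknown or ungraded sources score as the worst grade
    return RELIABILITY_SCORE.get(entry.get("source_reliability", "F"), 0.0)

def relevance(entry, profile=ORG_PROFILE):
    """One point each for a matching industry, tech-stack component and region."""
    hits = int(profile["industry"] in entry.get("industries", []))
    hits += bool(profile["tech_stack"] & set(entry.get("affected_systems", [])))
    hits += bool(profile["regions"] & set(entry.get("regions", [])))
    return hits / 3

def timeliness(entry, now, max_age=MAX_AGE):
    """Linear decay from 1.0 (fresh) to 0.0 at max_age; future-dated entries count as fresh."""
    age = now - entry["published"]
    return 1.0 if age <= timedelta(0) else max(0.0, 1.0 - age / max_age)

def actionability(entry):  # fraction of the action-enabling fields that are populated
    return sum(1 for f in ACTION_FIELDS if entry.get(f)) / len(ACTION_FIELDS)

def caart_score(entry, now, profile=ORG_PROFILE):
    """Each CAART component (rounded to 3 places) plus an equal-weight overall score."""
    parts = {
        "completeness": completeness(entry),
        "accuracy": accuracy(entry),
        "actionability": actionability(entry),
        "relevance": relevance(entry, profile),
        "timeliness": timeliness(entry, now),
    }
    result = {k: round(v, 3) for k, v in parts.items()}
    result["overall"] = round(sum(parts.values()) / len(parts), 3)
    return result

def rank_entries(entries, now):
    """Entry ids from most to least useful for this organisation."""
    return [e["id"] for e in sorted(entries, key=lambda e: -caart_score(e, now)["overall"])]

def flag_for_review(entries, now, threshold=0.5):
    """Ids scoring below threshold: candidates to drop or renegotiate with the vendor."""
    return [e["id"] for e in entries if caart_score(e, now)["overall"] < threshold]

# Constructed reference time and feed entries; IPs are from documentation
# ranges and the TTP ids are MITRE ATT&CK technique ids.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {   # fresh, reliable, complete and squarely on this organisation's stack
        "id": "feed-A-001", "source_reliability": "A", "published": NOW - timedelta(days=2),
        "actor": "constructed-actor-1", "ttps": ["T1566", "T1078"],
        "affected_systems": ["okta", "azure"], "indicators": ["203.0.113.10"],
        "industries": ["finance"], "regions": ["us"],
        "detection_rule": "constructed Sigma rule placeholder", "patch_reference": None,
        "policy_change": "require phishing-resistant MFA",
    },
    {   # stale, low-reliability, incomplete and irrelevant to the profile
        "id": "feed-B-017", "source_reliability": "C", "published": NOW - timedelta(days=30),
        "actor": None, "ttps": [], "affected_systems": ["linux"],
        "indicators": ["198.51.100.7"], "industries": ["healthcare"], "regions": ["apac"],
        "detection_rule": None, "patch_reference": None, "policy_change": None,
    },
    {   # relevant and fairly reliable, but a week old and thin on indicators
        "id": "feed-C-042", "source_reliability": "B", "published": NOW - timedelta(days=7),
        "actor": "constructed-actor-2", "ttps": ["T1190"],
        "affected_systems": ["fortigate"], "indicators": [],
        "industries": ["finance", "energy"], "regions": ["eu"],
        "detection_rule": None, "patch_reference": "VENDOR-ADVISORY-PLACEHOLDER",
        "policy_change": None,
    },
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry["id"], caart_score(entry, NOW))
    print("ranking:", rank_entries(SAMPLE_ENTRIES, NOW), "review:", flag_for_review(SAMPLE_ENTRIES, NOW))
```

Run as a script it prints the per-attribute breakdown for each entry, the ranking (A, then C, then B) and the entry flagged for review (B). The point of keeping the components separate rather than only the overall number is that the breakdown tells a team why a source is weak: B loses on every axis, whereas C is relevant and reliable but slow and light on indicators, which is a very different conversation to have with the vendor.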

Glazing over requirements gathering

Even more fundamental than evaluating potential intelligence sources for quality, CISOs need to be sure their teams are choosing sources that actually meet their security program and business needs. One of the most common mistakes that security teams make in their threat intelligence programs is skipping right over the process of figuring out who needs what kinds of intelligence to make smart security decisions.

“CTI is only as effective as an organization is in receiving it. In order to build an effective CTI program, the organization at all levels must issue requirements to the intel team and be receptive to consuming intelligence to inform processes and decisions,” says Dov Lerner, security research lead for Cybersixgill.

This requirement gathering stage is the first step in the CTI lifecycle but it’s often missed or limited to just the SOC analysts who have specific technical requirements. “Organizations may fail to define clear, actionable, and prioritized intelligence requirements, leading to irrelevant or overwhelming amounts of data,” Guenther says, agreeing with Lerner that intel teams should be gathering requirements from many different types of intelligence consumers from across the business.

Getting the most out of CTI investments therefore means the CTI team must have the bandwidth and the organizational connections to engage with a range of stakeholders in security and beyond, according to Lerner.

Some organizations may want to also consider creating a program for stakeholders to request new intel. This is how Matt Hull, global head of cyber threat intelligence at NCC Group, says his firm makes requirements gathering more repeatable and consistent. NCC has a system that’s almost like ticketing for intelligence requests. “We have what we call an RFI process — a request for intelligence — that’s essentially a mechanism into my team that says (to stakeholders) ‘What question do you want answering?’” he says. “And then it is triaged and passed to the relevant team.”

Hyper-focusing on tactical threat intel

One of the most common threat intel mistakes Guenther sees organizations make when they start a CTI program is overemphasizing tactical intelligence. “While tactical intelligence is essential, focusing solely on IoCs [indicators of compromise] without strategic or operational context can lead to a reactive rather than proactive security posture,” she says.

Both Hull and Dunham are firm believers that the strongest CTI teams are able to collect and operationalize intelligence on three major fronts: tactical, operational, and strategic. Tactical intelligence follows the traditional mold of IoCs and very specific pieces of technical information from malware analysis and other monitoring that can enhance threat detection. Operational intelligence moves up a layer to behavioral intelligence around tactics, techniques, and procedures (TTPs). Strategic intelligence is the bigger-picture information that ropes in geopolitical, industry, and business context. At NCC, Hull has three different teams, one focused on each of these strands, to ensure the program is covering each area appropriately.

The strategic piece is the one organizations most often miss, and it is also the one that can drive the most financial value, as strategic intel can help prioritize spending based on what’s actually happening in the threat landscape. On top of that, strategic intelligence can help CISOs prove the value of their actions and demonstrate ROI in the long run.

“It’s quite hard to understand what the return on investment is from a CTI capability. Feeding your intelligence into risk management processes is really, really useful because you’re able to sort of quantify some of the inputs from your threat intelligence into risk management work,” Hull says, explaining that this can start CISOs on a path toward more complex analysis around cyber risk quantification, for example.

Devaluing dissemination

Even if CTI is doing an excellent job collecting the right kind of quality intelligence that its stakeholders are asking for, all that work can go for naught if it isn’t appropriately routed to the people that need it — in the format that makes sense for them.

“One of the areas where there can oftentimes be a struggle is in the dissemination phase, which is typically when CTI analysts process and deliver finished intelligence to stakeholders,” says Lerner.

As he explains, many intel teams don’t do a good job tailoring information to the appropriate audience. Strategic intelligence meant for the C-suite will not offer much value if it’s full of acronyms and technical data, for instance. And tactical intelligence that’s in an unstructured report and not easily consumable by a SOC analyst is similarly unusable.

One of the best ways to ensure focused and targeted dissemination is to nail down the details at the requirements phase, says Hull. “When you set those requirements, you set the direction about the cadence with which dissemination takes place and the mechanism by which a dissemination takes place,” he says, explaining that the important thing is to establish from the outset how intelligence will be made most easily accessible to, and shareable by, the relevant stakeholders.

Clearly, there’s no easy button for maximizing CTI value within a cybersecurity program, but CISOs who focus on avoiding these five mistakes stand a better chance of getting the most out of their intel.