Now that we spent some time talking about tactical and operational information sharing, let's talk about strategic information sharing.
Tactical and operational timelines are obviously much shorter.
These could be from a few months up to a year, a year and a half,
whereas a strategic timeline might be 2 to 5 years.
Again, depending on who you ask,
you might want to verify some of these definitions if there's a standard within your organization.
Part of the goal with strategic planning is trying to make your business case for a CTI program
in much the same way that you would make a business case for a cybersecurity program, of which CTI is only a part. Sometimes the support of executives can be a little bit challenging,
challenging to obtain, that is.
it's one thing to just provide a budget and say that the program will be funded.
But it's another to have the moral support and visibility that a true executive champion can bring to the table.
A champion or an advocate in this context is pretty important because it lets other entities within the organization know that this is an important activity
and it should be supported. And, uh, there should be some expectation of cooperation during the times when the
practitioner needs extra help from other teams, for instance, assistance with forensic investigations or what have you. The idea of trying to become proactive
is also an important path to be headed on. As we can see from past experience,
always being reactionary, trying to deal with problems after they've already happened
is quite often a losing proposition.
The damage is already done,
and the analyst or your incident response and other individuals are always playing catch up and trying to figure out
what they could have done better to prevent this from happening in the first place.
That's why trying to get on a more proactive footing is so vital.
And of course, that's also why it's so challenging because it's not easy to
look at some pattern of behavior and
make a realistic prediction as to something that's about to happen based on past events.
That is part of the art and science of this line of work, and we've talked about that a little bit in some prior sections.
The owners of an organization or its highest-level leadership are certainly going to need
a large amount of information in order to make an important decision about something so vital as the CTI program.
You might think about it from a
senior leadership point of view. You might think, well, what is my return on investment?
If we take $1,000,000, let's say, and put it into a new program,
which might include some hardware and software, might include staff,
certainly would include some training, whether it's vendor-provided training or
on-the-job training,
there is an expectation that this effort will take some time to be productive.
In addition to the initial cost of a CTI program, you also have to think about the total cost of ownership.
Sometimes you see this variable assigned to
hard assets like software and hardware
and other pieces of physical infrastructure.
But it could also apply to a CTI program.
Because of the investment of hardware and software and staff and training,
there are expected to be ongoing costs as that program goes through its annual fiscal year. For instance,
maybe there's an allotment for training,
the support agreements that are needed for the software tools or the hardware platforms that are used to
add functionality to the organization.
So the financial forecasting in a strategic sense is certainly important so that appropriate budget levels can be
dealt with on a year-over-year basis.
Other aspects of people that are having their hands on the purse strings, so to speak,
would be making sure that
not only is the financial portion acceptable, but also that the information coming back to the organization truly has some value.
Under ideal circumstances, the organization should
be building up assurance or confidence in its capabilities to handle
Also in its ability to handle the analysis required after an event has happened, in order to perform the appropriate
research and investigation
to get to a point where the
activity can be more readily recognized
and more easily prevented.
And this also would translate well into thinking about reduced response time.
The time point from an indication of a problem to a confirmed detection to the actual remediation response should be getting shorter over each year as the program matures.
That would be expected anyway.
It's not easy to achieve. There are a lot of factors that are beyond the control of the analyst or the security practitioner, and you're really doing the best you can with what you've got available.
The quality assurance levels as it relates to
published information or for
intelligence that's generated
is also something that's difficult to achieve.
As a program matures,
there is more, hopefully, more reliance on the hard work and dedication of the individuals on the teams
to produce intelligence that
can be relied upon. It's shown value in the past.
The practitioners are taking the time to make sure they don't introduce any errors, getting rid of bias and some other things that we talked about in earlier sections.
When this is done correctly, then it becomes simpler for
the intelligence that gets produced to have a perceived value.
And this also helps justify budgets for the entire program, which includes the salary of staff, additional training, hardware and software acquisitions and so on.
One of the easiest ways to
provide this feedback loop to executive decision makers is
something as simple as a security status report.
I talked about security status reports in earlier sections
and their overall value. There's
many different opinions about how often they should be produced. We could think about the two major
triggers for a security status report: that would be a time-based trigger or an event-based trigger.
Time-based means, of course, that's coming out every day or every week.
Some other level of reporting might come on every month or every quarter.
But event-based triggers are probably gonna be a lot more common, where there's been some event
and a report has to be generated so that
management can appropriate,
not appropriate, but can formulate the correct risk response.
And we talked about risk response in earlier sections as well. These are things like accepting the risk, ignoring it, sharing it, transferring it.
So these reports have a lot of value to the organization and cannot be overlooked
as a way to keep making incremental improvements in the assurance and confidence levels