Today’s rapidly evolving digital threat environment has made it more critical than ever to use insights from cyber threat intelligence (CTI) to anticipate threats and defend against them. But building a successful, mature CTI program that aligns with an organization’s core objectives and key outcomes is no easy feat. That’s why we at Intel 471 have sponsored and led the development of the CTI Capability Maturity Model (CTI-CMM), an easy-to-use, vendor-neutral model that promotes a “stakeholder-first” approach to building a mature CTI program, evaluating its progress, and continuously improving it during the CTI maturity journey.
The model aims to help decision-makers, leaders, and practitioners navigate the complexities of building a mature CTI program and bridge the gap between technical capabilities and strategic objectives. It adopts the view that a CTI program exists to support the people who make decisions and take actions to protect your organization, including stakeholders from senior management, security operations, incident response, and forensics, as well as legal and risk management professionals.
The all-volunteer team of 28 experts consists of members and advisors from the CTI community representing a wide range of sectors, geographic regions, backgrounds, and experiences, including practitioners and leaders at Intel 471, IBM, Kroger, Venation, Mandiant, IntL8, Reqfast, Trellix, Autodesk, Centre for Cybersecurity Belgium (CCB), Northwave Cyber Security, Workday, Marsh McLennan, Signify, Tidal Cyber, DeepSeas, BP, Gojek, SANS Institute and more.
The CTI-CMM is also built to align with industry best practices and the concepts and format of a recognized cybersecurity maturity model, the U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2). The C2M2 contains contributions from experts representing a range of private and public sector organizations. It is aligned with other internationally recognized cyber standards and best practices, including the National Institute of Standards and Technology (NIST) Special Publication 800-53 and the NIST Cybersecurity Framework (CSF).
The C2M2 is designed to help measure the maturity of a cybersecurity program by focusing on the capabilities of domains found within most organizations, such as risk management and vulnerability management. Coincidentally, the C2M2 domains represent stakeholders commonly supported by CTI programs, creating a natural reference point for the CTI-CMM to align to.
The CTI-CMM’s vendor-neutral approach is similarly designed to foster collaboration among stakeholders that advances the field for the benefit of all. It also aims to reduce risk by promoting a comprehensive understanding of CTI’s role in safeguarding the organization’s assets and reputation.
Organizations can use this CTI-CMM framework to assess their current CTI maturity level and as a blueprint for making continuous improvements that help them realize their CTI program’s full potential across tactical, operational, and strategic intelligence practices.
“Unlocking the full potential of your CTI program requires alignment with the capabilities of each stakeholder it supports, and a tangible measurement of success synchronized with organizational priorities,” said Michael DeBolt, Chief Intelligence Officer at Intel 471, program creator and lead of the CTI-CMM.
“The CTI Capability Maturity Model is designed to support CTI teams in building their capabilities by aligning to defined practices for stakeholder business domains unique to each organization. The model establishes shared values and principles across the industry to empower organizations to take a holistic approach to cyber threat intelligence with stakeholders and business outcomes as the centerpiece focus.”
CTI-CMM program co-lead, Colin Connor, CTI Services Manager at IBM X-Force said: “Advising numerous clients globally, I have observed a consistent need for an outcome-focused model for cyber intelligence programs. The CTI-CMM bridges the gap to help CTI programs create impactful and demonstrable value for their organization.”
The CTI-CMM provides users with key CTI maturity indicators to evaluate practices that support each stakeholder domain. These indicators are contextualized with the CTI Mission (such as reducing the attack surface using CTI about the threat environment), CTI Use Cases, and CTI Data Sources (such as vulnerability intelligence, dark web intelligence, and breach intelligence). Key domains covered in the CTI-CMM include:
Asset, Change, and Configuration Management
Threat and Vulnerability Management
Risk Management
Identity and Access Management
Situational Awareness
Event and Incident Response, Continuity of Operations
Third-Party Risk Management
Workforce Management
Cybersecurity Architecture
Cybersecurity Program Management
Contributing CTI experts defined the following values and principles to support the CTI community:
Shared Values
Intelligence provides value through collaboration with our stakeholders and supporting their decision-making process.
Intelligence is never completed. Improvement is continuous. This also applies to adoption. Constant improvement is crucial for success and for distinguishing the model from others that failed to keep up with the times.
Intelligence is not proprietary, nor is it prescriptive. Therefore, the model should never be claimed by a single commercial party.
Shared Principles
Contextualizing threat intelligence within risk
Continuous self-assessment and improvement
Actionable intelligence based on stakeholder needs
Quantitative and qualitative measurement of intelligence
Collaborative and iterative intelligence processes
The work of continuous improvement is never over. The CTI-CMM team is already planning for future enhancements and additions to the model, including adding a FRAUD domain and developing a tool to help guide the user through the maturity assessment process. If you would like to get involved, provide feedback, or simply learn more about new developments, join the community at cti-cmm.org!