How do you know you are working on the right intelligence requirements? How do you decide which stakeholders’ requirements to fulfill? Who gets priority? You need priority intelligence requirements to ensure your output aligns with objectives that drive your business forward.
Priority intelligence requirements allow you to focus on what matters most to your business, what requirements have the greatest impact, and what will significantly improve your cyber security posture. But how do you prioritize the right ones?
This article answers this question by providing actionable guidance on prioritization methods you can use right now!
These methods include MoSCoW, RACI matrices, and data analysis techniques that empower you to facilitate the prioritization of intelligence requirements with your stakeholders. Let’s get started.
What Are Priority Intelligence Requirements?
Picture this: You are a new cyber threat intelligence analyst or manager and decide to start writing a list of intelligence requirements your team should fulfill. A few hours into creating your list, you discover everyone wants a new intelligence requirement.
The security operations team, incident response team, malware analysis people, marketing department, and even finance all want to be on your list. How do you prioritize whose requirements you fulfill? Let me introduce you to priority intelligence requirements (PIRs).
PIRs are the intelligence requirements you want to prioritize, the ones you aim to fulfill, and the ones with the greatest impact on the business.
Like many cyber threat intelligence (CTI) concepts, PIRs are derived from military terminology. They are defined as “Intelligence requirements which a commander has an anticipated and stated priority in the task of planning and decision making” (Joint Chiefs of Staff).
Put simply, they are mission-critical intelligence requirements that are key to your organization’s success. You and a key decision maker have prioritized fulfilling these requirements based on your business’s objectives. That’s it. Just a list of your top intelligence requirements that you must fulfill.
So why is it so important that your CTI team creates them? Let’s examine them more closely.
Why Are Priority Intelligence Requirements Important?
PIRs help your team prioritize their efforts. They let you know which intelligence requirements to focus on, what matters most to your business, what delivers the most value to your cyber defenses, and the activities that best utilize your team’s precious resources.
In theory, intelligence requirements can be endless. The amount of intelligence that exists from which your business could benefit is almost infinite. However, you and your team are a finite resource, and trying to fulfill too many requirements will overwhelm and burn you out. You must follow a structured, well-directed approach to gain the most value possible from your team’s resources.
With this in mind, here are the key benefits of turning your intelligence requirements into PIRs:
- Prioritize Resources Efficiently: Security teams have limited time and resources. PIRs help them focus on the most relevant threats and vulnerabilities, ensuring that effort is directed where it matters most.
- Improve Strategic Decision-Making: PIRs align threat intelligence efforts with business objectives, helping senior leadership make informed security decisions.
- Reduce Noise: PIRs filter out irrelevant data and reduce the noisy threat landscape, allowing analysts to concentrate on high-value threats.
- Focused Threat Hunting and Incident Response: By defining specific intelligence requirements, security teams can better focus on the relevant threats when performing proactive threat hunting or reactive incident response.
So, PIRs are something all CTI teams must have. That’s great. But how do you go about creating them?
How to Create Priority Intelligence Requirements
To create PIRs, you first need a list of intelligence requirements that you can prioritize. There are many ways to create this initial list.
- You can start with General Intelligence Requirements (GIRs) and distill them into intelligence requirements relevant to your organization.
- You can interview key stakeholders or conduct workshops with leadership groups to establish their biggest concerns and how intelligence can help them.
- You can perform an Intelligence Preparation of the Cyber Environment (IPCE) exercise to analyze your business’s cyber environment. This allows you to create highly relevant intelligence requirements based on crown jewel analysis, threat modeling, and threat profiling.
These strategies will give you a long list of intelligence requirements to benefit your business. However, it is unlikely that you will be able to fulfill every requirement you generated due to a lack of capability, time, or manpower. The first step is to filter out the requirements you cannot fulfill based on your current resources.
Just because you cannot fulfill a requirement doesn’t mean you shouldn’t track it. Record the requirement and what would be required to fulfill it (e.g., additional tools or staffing). When it comes time to review your team’s budget, you can highlight areas of your CTI program that could be improved by fulfilling these requirements and what would be required by the business.
You might find the inability to fulfill certain requirements obvious. For example, if stakeholders want you to perform detailed attribution, sophisticated HUMINT operations, or “hacking back” activities, this often requires capabilities that many CTI teams do not have. For others, like dark web monitoring, it may take more investigation to discover if your team has the ability and resources to fulfill them effectively.
Once you have a realistic list of intelligence requirements your team could achieve, you can start building your list of PIRs. Let’s explore some methods you can use to create this list.
If you’re still struggling to get started creating intelligence requirements, check out this great presentation on creating priority intelligence requirements on a limited budget. It should give you some practical ideas about engaging your business’s stakeholders.
MoSCoW
The easiest way to prioritize intelligence requirements is to use the MoSCoW prioritization technique. This four-step approach prioritizes what requirements deliver the best return on investment (ROI) for the business. It splits requirements into must-haves, should-haves, could-haves, and won’t-haves (hence the anagram MoSCoW).
- Must have: Requirements that are required for your team’s success. They are the ones that tackle the most strategically impactful issues for your stakeholders and offer the greatest ROI. You can’t be successful without fulfilling them.
- Should have: These requirements are important to succeed but not necessarily required. For instance, a requirement will fall under this category if it creates an intelligence gap, but filling it is not an immediate priority. You acknowledge this gap should be on your future roadmap to fill.
- Could have: This category includes requirements that have a smaller impact on your team’s mission but could be relatively easy to fulfill. They are desirable but unimportant.
- Won’t have: These are requirements your team will not fulfill. You can list the requirements you filtered out previously based on your team’s current resources (e.g., capability, time, manpower). Fulfilling them would be unrealistic.
Once you complete your MoSCoW analysis, you should have buckets for each intelligence requirement you identified. Ideally, you would take requirements in the must-have bucket as PIRs, the should-have bucket list as ones you are working toward fulfilling (short-term roadmap), and the could-have list as long-term goals.
Unfortunately, depending on the size of your business, it is not always this straightforward.
There will be times when your must-have bucket will overflow with requirements, there will be disagreements between stakeholders about what should be in each bucket, and who gets the final say on PIRs will be challenged.
Ultimately, you are not responsible for prioritizing which intelligence requirements your company chooses; the key stakeholders are. Your job is to facilitate this process and ensure your team can fulfill whatever intelligence requirement the customer believes will be most impactful for the business.
In most large businesses, multiple stakeholders will have a say in what intelligence requirements get prioritized, making implementing MoSCoW across business functions challenging.
Let’s look at another method for prioritizing intelligence requirements that can help.
RACI Matrix
A RACI matrix is a popular tool used by project managers and consultants across various industries. It allows you to clarify the roles and responsibilities for completing a project or making a decision. They help facilitate clear communication and smooth workflows within projects that involve multiple teams.
In practice, a RACI matrix is simply a spreadsheet that lists all stakeholders involved in a decision or project and their level of involvement in each task. In CTI, this matrix would consist of stakeholders (or intelligence consumers) and their proposed requirements.
- Responsible (R): The stakeholder (or team) responsible for completing the task. Their input is required for the intelligence requirement to be fulfilled.
- Accountable (A): The stakeholder overseeing the task’s completion and ensuring the responsible party completes their work. They are usually department heads or have executive leadership roles.
- Consulted (C): Any stakeholder who provides input or feedback on the project. Their input is not needed to complete the requirement, but it may be required ad hoc.
- Informed (I): Any stakeholder informed about the task’s completion. They are not the direct beneficiaries of the requirement but may find the intelligence product(s) produced useful.
You can use a RACI matrix to prioritize intelligence requirements based on stakeholders’ requests. For example, here is a template to map a stakeholder to their level of involvement in an intelligence requirement.
| Intelligence Requirement | Stakeholder 1 | Stakeholder 2 | Stakeholder 3 | Stakeholder 4 |
|---|---|---|---|---|
| Requirement 1 | ||||
| Requirement 2 | ||||
| Requirement 3 | ||||
| Requirement 4 | ||||
| Requirement 5 |
Now, fill in the level of involvement each stakeholder would have in the proposed list of intelligence requirements.
| Intelligence Requirement | Stakeholder 1 | Stakeholder 2 | Stakeholder 3 | Stakeholder 4 |
|---|---|---|---|---|
| Requirement 1 | C | I | A | I |
| Requirement 2 | C | A | R | I |
| Requirement 3 | A | R | C | I |
| Requirement 4 | A | R | I | I |
| Requirement 5 | A | I | A | C |
Here, you can see that Stakeholders 2 and 3 have requirements that are fully under their responsibility, so their “voice” (input) should count the most when prioritizing those requirements.
RACI gives a clear chain of command between business units/roles and whose voice has priority for a certain requirement. You can use this data to better sort the buckets you created using the MoSCoW method, giving you a refined list of must-have requirements (your PIRs).
But how can you make this more formal and allow every stakeholder’s voice to be heard (not just those responsible)? That is where aggregating, sorting, and ranking come in.
Aggregating, Scoring, and Ranking
Aggregating, scoring, and ranking are all data analysis techniques used to manipulate data and help you prioritize what is important. You can use these techniques to formalize what intelligence requirements get prioritized within your organization.
The simplest approach is aggregation. You just see what intelligence requirements stakeholders have in common. For instance, if three of your stakeholders all say one requirement is a must-have, then you can rank that requirement highly. Here is a table showing the aggregation of requirements.
| Intelligence Requirement | Stakeholder 1 | Stakeholder 2 | Stakeholder 3 | Stakeholder 4 |
|---|---|---|---|---|
| Requirement 1 | X | X | X | 0 |
| Requirement 2 | 0 | X | X | 0 |
| Requirement 3 | X | X | X | X |
| Requirement 4 | X | 0 | 0 | 0 |
| Requirement 5 | 0 | 0 | 0 | 0 |
This table marks an “X” if the stakeholder believes it should be a must-have intelligence requirement. You can see that all stakeholders agree that Requirement 3 is a must-have, so it should be on your PIR list.
Using this method, you can sort requirements by their vote count and use this to prioritize them. Once you have a sorted list, you can decide how many requirements your CTI team is capable of fulfilling and take this number from the top of the list. These become your PIRs.
| Intelligence Requirement | Votes |
|---|---|
| Requirement 3 | 4 |
| Requirement 1 | 3 |
| Requirement 2 | 2 |
| Requirement 4 | 1 |
| Requirement 5 | 0 |
This is an easy way to prioritize requirements. However, if a strong disagreement arises, stakeholders feel like they are not being fairly represented, or you have too many must-haves, you can introduce the RACI matrix to your analysis.
Using the RACI matrix you created, add a score for each level of responsibility to reflect the “voice” a stakeholder should have in deciding whether that requirement should be a priority.
| Level of Responsibility | Score |
|---|---|
| Resonsible | 6 |
| Accountable | 4 |
| Consulted | 2 |
| Informed | 1 |
Next, ask your stakeholders to vote for what requirement they think should be a must-have (PIR) and assign scores to each vote based on the stakeholder’s level of responsibility.
| Intelligence Requirement | Stakeholder 1 | Stakeholder 2 | Stakeholder 3 | Stakeholder 4 |
|---|---|---|---|---|
| Requirement 1 | 2 | 1 | 6 | 0 |
| Requirement 2 | 0 | 4 | 6 | 0 |
| Requirement 3 | 4 | 6 | 2 | 1 |
| Requirement 4 | 6 | 0 | 0 | 0 |
| Requirement 5 | 0 | 0 | 0 | 0 |
Finally, the data is aggregated to produce a ranking for each requirement. This gives a slightly different-looking order. Notice how Requirements 1 and 2 have changed positions.
| Intelligence Requirement | Score |
|---|---|
| Requirement 3 | 13 |
| Requirement 2 | 10 |
| Requirement 1 | 9 |
| Requirement 4 | 6 |
| Requirement 5 | 0 |
This approach is more methodological and comprehensive than just counting by votes. It reassures stakeholders that their voice has been heard based on their level of involvement in the intelligence product. Again, take this list and work down the list of requirements, adding how many you think your team can fulfill.
You can repeat this process for should-have or could-have requirements to add more requirements to your PIRs. However, you will usually have enough PIRs to keep your team busy with must-have requirements.
As a rule of thumb, an individual analyst has the capacity to fulfill 3-5 PIRs. The more analysts you have, the more PIRs you can take on. In addition, introducing automation and/or AI into an analyst’s workflow will likely increase this capacity.
Conclusion
This article explored the importance of priority intelligence requirements in your cyber threat intelligence program. It examined why you need them to be successful and how you can create them using various prioritization methods, such as MoSCoW, RACI matrices, and data analysis techniques (aggregating, sorting, and ranking).
You now have the knowledge and tools to analyze your organization’s intelligence requirements and work with key stakeholders to produce an actionable list of priority intelligence requirements your team can fulfill.
Remember, don’t overwhelm yourself with requirements. Focus on what is most impactful to your business and prioritize the stakeholders most involved in those requirements. If you’re still unsure who to prioritize, focus on the ones who give you the most funding!
Frequently Asked Questions
What Are Intelligence Requirements?
Intelligence requirements are questions or informational needs that guide your cyber threat intelligence work.
Threat intelligence is collected, processed, and analyzed information about an entity that affects your organization’s security. Your intelligence requirements are the insights you seek to gain about this entity so you can better defend yourself when conducting business in the cyber realm.
What is an Example of a Priority Intelligence Requirement?
Creating priority intelligence requirements (PIRs) can be challenging. Analysts face many challenges when making them. A good example of a PIR would be “Has Actor X targeted Region Y in the last six months?”
This requirement answers a single question (singular), focuses on a single threat actor and region (atomic), leads to a decision (decision-centric), and defines a time period (timely). Aim to make all your PIRs singular, atomic, decision-centric, and timely.
What Are General Intelligence Requirements?
General intelligence requirements (GIRs) are broad, long-term information needs that help guide an organization’s overall intelligence program. They are usually broad in scope, encompass a wide range of topics, and require distilling to be relevant to your organization. They are a good starting point for creating priority intelligence requirements (PIRs).
How to Write Intelligence Requirements?
You can create intelligence requirements in three simple steps:
- Determine Consumers: Determine who you will generate intelligence for and what intelligence they need (e.g., technical vs. non-technical, operational vs. strategic vs. tactical).
- Identify Knowledge Gaps to Fill: Sit with your intelligence consumer and determine their intelligence needs. These are knowledge gaps they need filling, pain points they need easing, or any use cases that can be enhanced with intelligence.
- Refine Knowledge Gaps into Intelligence Requirements: Refine intelligence needs into requirements that your cyber threat intelligence team can fulfill. Focus on making them singular, atomic, decision-centric, and timely.
You can download a free Intelligence Requirement Template here.
