Date: 2025-05-27

Over the last six years, I’ve had the privilege of working with governments, national central banks, and communities of interest around the world, helping them build and refine their cyber threat intelligence (CTI) communities. From the most cyber mature entities to those in emerging economies with fewer resources, there are clear patterns. And while maturity levels may vary a great deal, the core challenges and the solutions are remarkably similar.

Coming from a military intelligence background, I have always viewed intelligence sharing as a fundamental principle. While “need to know” was a core dictate, “need to share” was equally vital – especially when it came to operations. Moving into the private sector was a culture shock, because the hesitation to share intelligence wasn’t just a reality, it was pervasive.

Size matters

This led to my first key lesson – size matters. Take, for example, when I was working with a national central bank to build a CTI community. Despite the effort and a lot of good intentions, the initiative was sadly doomed to fail. Why? Because the country’s biggest banks already had their own, smaller, highly trusted network. They just didn’t want to share intelligence outside of that group. The argument here is pretty simple. No financial institution is individually resilient. Cyber risk affects everyone, and banks have a responsibility to protect the wider financial ecosystem.

At the other extreme, I observed an active global Information Sharing and Analysis Centre (ISAC) where dozens of members participated in calls, yet very little of value was exchanged. The issue here was that the community was too big. People just were not willing to share intelligence with faceless individuals that they didn’t know and, thus, didn’t trust. So, clearly, CTI communities must be big enough that they actually have an impact on the whole of the ecosystem, but also small enough that trusted relationships develop.

Intelligence vs. Data

My second key lesson was around the constant struggle over the definition of “intelligence”: a term we know well, but one that older communities, built out of IT teams, struggled to understand. Many CTI communities were highly tactical, focused solely on indicators of compromise (IoCs) that were shared via platforms like the Malware Information Sharing Platform (MISP). But in reality, this wasn’t intelligence. It was the sharing of threat data. The conversation needed to be elevated, so I advocated for broader discussions on threat information, strategic intelligence and best practices. I also advocated that intelligence be tailored for different audiences: for example, automated data outputs for analysts; technical papers for cyber experts; intelligence summaries for CISOs; and strategic reports and horizon scanning for executives and board members. In short, intelligence briefings that were relevant to them and their unique community.

Ultimately, intelligence products must have a clear “so what?” that identifies what the intelligence means and, crucially, what the decision makers should do with it. There’s little point to threat intelligence if it has no context and does not inform decision making.

Navigating the legal challenge

There are obviously legal concerns in intelligence-sharing communities. Unfortunately, these have in the past been used as an excuse not to share. GDPR, for example, initially caused uncertainty, but over time organisations understood that data privacy regulations were not meant to be barriers; they are guidelines for structured sharing. To mitigate privacy concerns, most successful intelligence-sharing communities will implement centralised contracts and terms of reference to ensure liability protection, along with sharing guidelines that define permissible data exchange within legal frameworks, and automated threat data processing.