SANS 2020 CTI Survey shows CTI is maturing with more collaboration and more definition of requirements
February 2020 by SANS INSTITUTE
In the past few years, CTI has evolved from small, ad hoc tasks performed disparately across an organisation to, in many cases, robust programs with their own staff, tools and processes that support the entire organisation. This is according to the SANS 2020 CTI Survey, the latest report by the global leader in cyber security training and certifications, SANS Institute.
“In the past three years, we have seen an increase in the percentage of respondents choosing to have a dedicated team over a single individual responsible for the entire CTI program,” says survey author and SANS instructor Robert M. Lee.
In fact, survey results indicate that just under 50% of respondents’ organisations have a team dedicated to CTI, up from 41% in 2019. In total, more than 84% of organisations reported having some kind of resource focusing on CTI. While the number of organisations with dedicated threat intelligence teams is growing, results also demonstrate a move toward collaboration, with 61% reporting that CTI tasks are handled by a combination of in-house and service provider teams.
“We continue to see an emphasis on partnering with others, whether through a paid service provider relationship or through information-sharing groups or programs,” continues Lee. “Collaboration within organisations is also on the rise, with many respondents reporting that their CTI teams are part of a coordinated effort across the organisation.”
Another sign of maturity is the definition and documentation of intelligence requirements. The number of organisations reporting a formal process for gathering requirements increased 13% from last year, to almost 44% in 2020. This makes the intelligence process more efficient, effective and measurable – keys to long-term success.
When asked which inhibitors were holding their organisation back from implementing CTI effectively, the highest response – by 57% of respondents – was a lack of trained staff or lack of skills needed to fully utilise CTI, while 52% named a lack of time to implement new processes, and 48% said the issue was a lack of funding.
The report also looked at where CTI team members are drawn from within the organisation, the types of information used for intelligence gathering and the sources used for gathering that intelligence.
The 2020 SANS Cyber Threat Intelligence (CTI) Survey received 1006 responses from a wide-ranging group of security professionals from various organisations. There was good representation from small, medium and large organisations and from across the globe, with 327 respondents coming from organisations headquartered in EMEA.