The Planning and Direction phase serves as the foundation of the entire intelligence cycle, establishing purpose and focus for all subsequent activities. This critical stage not only defines the overarching objectives but also aligns the efforts of various stakeholders, ensuring that all participants understand their roles and contributions. Without clear objectives and stakeholder alignment, even the most sophisticated intelligence operations risk becoming unfocused, inefficient, and disconnected from organizational needs. Moreover, the absence of a strong Planning and Direction phase can lead to wasted resources and missed opportunities, underscoring the necessity of comprehensive planning to guide intelligence efforts effectively. By fostering collaboration and communication among all involved parties, this phase cultivates a shared vision that enhances the overall effectiveness and relevance of the intelligence operations undertaken.
Understanding Planning and Direction
The Planning and Direction phase serves three critical functions:
First, it articulates exactly what the organization needs to know about threats by establishing clear intelligence requirements. These requirements range from strategic questions about emerging threat actors to tactical inquiries about specific malware samples or campaigns.
Second, it aligns intelligence activities with organizational priorities, ensuring that limited resources focus on the most significant risks and business objectives.
Third, it creates the framework for measuring success, establishing when, how, and to whom intelligence will be delivered, along with metrics for evaluating effectiveness.
Intelligence Requirements Development
Intelligence requirements articulate the specific information needs of an organization. An effective requirements framework typically follows a hierarchical structure:
Priority Intelligence Requirements (PIRs): These high-level questions align with strategic objectives and address fundamental concerns about the threat landscape.
Example: “What threat actors are specifically targeting our industry sector, and what are their primary motivations?”
Specific Intelligence Requirements (SIRs): These more detailed questions support PIRs and focus on particular aspects of the threat environment.
Example: “What tactics, techniques, and procedures (TTPs) is APT29 currently employing to target healthcare organizations?”
Intelligence Collection Requirements (ICRs): These identify the specific data points needed to answer SIRs.
Example: “What command and control infrastructure is associated with recent APT29 campaigns targeting healthcare providers?”
Requirements should be:
- Specific enough to guide collection and analysis
- Measurable to evaluate success
- Achievable given available resources
- Relevant to organizational risk
- Time-bound when appropriate
Stakeholder Engagement
Effective planning requires input from key stakeholders across the organization:
Executive Leadership: Provides strategic direction and business context to ensure intelligence supports organizational goals and risk management priorities.
Security Operations Teams: Offers operational insights about immediate defense needs and practical challenges faced by frontline defenders.
Security Architects: Contributes tactical requirements related to security controls and system design implications.
Risk Management Personnel: Helps connect intelligence activities to enterprise risk frameworks and compliance obligations.
Business Units: Provides context about critical assets, processes, and potential business impacts that might influence threat prioritization.
The planning phase should establish a regular cadence of stakeholder meetings to review requirements, provide feedback on intelligence products, and ensure continued alignment between intelligence operations and organizational needs.
Resource Allocation
Based on established requirements, organizations must make critical decisions about:
Collection Sources: Which technical feeds, open sources, human intelligence channels, and other information sources to prioritize.
Analyst Time: How to distribute limited analytical resources across different intelligence streams, from strategic research to tactical indicator analysis.
Tools and Platforms: Which technological investments will provide the most significant return in supporting intelligence operations.
External Services: Which commercial intelligence providers, managed security services, or consultants might complement internal capabilities.
Resource allocation should reflect a balance between comprehensive coverage of key threats and sufficient depth to provide actionable intelligence about the most significant risks.
Establishing Priorities
Not all threats pose equal risk, and not all intelligence questions are equally urgent. Effective prioritization typically considers:
Asset Criticality: Intelligence focused on threats to mission-critical systems and data receives higher priority.
Threat Probability: Intelligence addressing likely threats receives higher priority than intelligence about theoretical or rare scenarios.
Potential Impact: Intelligence about threats with potentially severe consequences receives greater attention.
Defensive Capability: Intelligence that addresses areas where defensive measures are weakest may require more urgent attention.
Strategic Alignment: Intelligence that supports major business initiatives or significant security transformations may warrant higher priority.
Common Challenges
Organizations frequently encounter obstacles during the Planning and Direction phase:
Unclear Requirements: Vague or overly broad requirements fail to provide sufficient guidance for intelligence operations. “Tell us about all threats” is not an actionable requirement.
Misalignment with Business Needs: Intelligence activities disconnected from business context risk producing technically interesting but practically irrelevant insights.
Stakeholder Overreach: Attempting to satisfy too many stakeholders with divergent needs can dilute focus and effectiveness.
Capability-Reality Mismatch: Planning ambitious intelligence operations without sufficient resources leads to unrealistic expectations and eventual disappointment.
Static Requirements: Failing to regularly review and update requirements as threats and business priorities evolve leads to diminishing relevance over time.
Best Practices
These practices help organizations establish an effective Planning and Direction phase:
Formalize the Requirements Process: Create standard templates and review cycles to ensure consistent, clear documentation of intelligence needs.
Prioritize Ruthlessly: Focus intelligence efforts where they will have the greatest impact rather than attempting to cover all possible threats equally.
Document Assumptions: Explicitly capture the underlying assumptions that inform requirements to enable validation as conditions change.
Establish Clear Timelines: Define specific delivery schedules and deadlines for intelligence products to set expectations and drive accountability.
Create Feedback Mechanisms: Develop formal processes for stakeholders to evaluate intelligence products and refine requirements based on real-world utility.
Tools and Technologies
Several technologies can support effective Planning and Direction:
Requirements Management Platforms: Tools like Jira and Confluence help track intelligence requirements and projects.
Collaboration Platforms: Microsoft Teams and SharePoint enable stakeholders to contribute to requirement development.
Custom Requirements Databases: Specialized tracking systems maintain relationships between requirements at different levels.
Strategic Planning Software: Enterprise alignment tools help connect intelligence activities to business objectives.
Risk Management Platforms: These provide context for intelligence prioritization and help demonstrate value.
Measuring Effectiveness
Metrics for evaluating Planning and Direction might include:
Requirement Coverage: Percentage of organizational priorities addressed by formal intelligence requirements.
Requirement Clarity: Stakeholder assessment of requirement understandability and actionability.
Requirement Stability: Frequency and magnitude of requirement changes over time.
Alignment Score: Degree of harmony between intelligence priorities and security or business priorities.
Requirement Response Time: Duration from stakeholder identification of a need to formal requirement documentation.
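The PIR, SIR and ICR hierarchy, the relationship tracking attributed to custom requirements databases, and the Requirement Coverage metric can be checked together in a few lines. The following is an added example, not part of the original article: the identifiers, the `audit` function, the register layout, and the mapping of PIRs to the case study's three priorities are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PARENT_LEVEL = {"PIR": None, "SIR": "PIR", "ICR": "SIR"}  # hierarchy from the text

@dataclass(frozen=True)
class Requirement:
    rid: str                        # constructed identifier
    level: str                      # "PIR", "SIR" or "ICR"
    question: str
    parent: Optional[str] = None    # rid of the requirement this one supports
    priority: Optional[str] = None  # organizational priority a PIR addresses

def audit(reqs, org_priorities):
    """Return (problems, coverage_pct) for a requirements register."""
    by_id = {r.rid: r for r in reqs}
    problems, supported = [], set()
    for r in reqs:
        want = PARENT_LEVEL[r.level]
        parent = by_id.get(r.parent)
        if want is None:
            if r.parent is not None:
                problems.append(f"{r.rid}: PIR must not have a parent")
        elif parent is None:
            problems.append(f"{r.rid}: orphan {r.level}, needs a {want} parent")
        elif parent.level != want:
            problems.append(f"{r.rid}: parent {parent.rid} is a {parent.level}, expected {want}")
        else:
            supported.add(parent.rid)  # valid link one level up
    # A PIR or SIR that nothing supports can never be answered by collection.
    for r in reqs:
        if r.level != "ICR" and r.rid not in supported:
            problems.append(f"{r.rid}: {r.level} has no supporting requirement")
    # Requirement Coverage: share of priorities with at least one PIR recorded.
    covered = {r.priority for r in reqs if r.level == "PIR"} & set(org_priorities)
    return problems, round(100.0 * len(covered) / len(org_priorities), 1)

# Constructed sample register; the first three questions abbreviate the article's examples.
ORG_PRIORITIES = ["patient data", "clinical systems", "research intellectual property"]
REGISTER = [
    Requirement("PIR-1", "PIR", "What threat actors are specifically targeting our "
                "industry sector, and what are their primary motivations?", priority="patient data"),
    Requirement("SIR-1", "SIR", "What TTPs is APT29 currently employing to target "
                "healthcare organizations?", parent="PIR-1"),
    Requirement("ICR-1", "ICR", "What command and control infrastructure is associated "
                "with recent APT29 campaigns targeting healthcare providers?", parent="SIR-1"),
    Requirement("PIR-2", "PIR", "What threats affect our clinical systems?", priority="clinical systems"),
    Requirement("ICR-2", "ICR", "Constructed entry linked to the wrong level", parent="PIR-2"),
]
print(audit(REGISTER, ORG_PRIORITIES))
```

On the sample register the audit flags the ICR attached directly to a PIR and the PIR left without a supporting SIR, and reports that two of the three priorities have a PIR recorded.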
Case Study: Planning in Action
Consider a healthcare organization implementing a Planning and Direction process:
- Initial Assessment: The organization identifies key stakeholders from executive leadership, IT security, compliance, clinical operations, and research departments.
- Requirement Development: Through facilitated workshops, the organization establishes PIRs focusing on threats to patient data, clinical systems, and research intellectual property.
- Prioritization: The organization ranks requirements based on potential impact to patient safety, regulatory compliance, and operational disruption.
- Resource Allocation: Based on priorities, the security team allocates budget for commercial threat feeds covering healthcare threats and dedicates two analysts to focus specifically on ransomware and nation-state threats.
- Documentation: All requirements are documented in a central repository with clear owners, timelines, and success criteria.
- Regular Reviews: The organization establishes quarterly requirement reviews with stakeholders to assess intelligence effectiveness and evolving needs.
Conclusion
The Planning and Direction phase sets the tone for the entire intelligence cycle. When done well, it creates clarity of purpose, aligns intelligence activities with organizational priorities, and establishes the foundation for measuring success. By investing time in this crucial first phase, organizations dramatically increase the likelihood that their intelligence operations will deliver meaningful value.
In the next article, we’ll explore the Collection phase, examining how organizations gather the raw data needed to fulfill their intelligence requirements.