    Building resilient cyber threat intelligence communities

    Cyber threat intelligence is no longer a luxury: intelligence sharing communities must mature, and there are many common lessons to learn.

    By Rob Dartnall, SecAlliance

    Published: 27 May 2025

    Over the last six years, I’ve had the privilege of working with governments, national central banks, and communities of interest around the world, helping them build and refine their cyber threat intelligence (CTI) communities. From the most cyber-mature entities to those in emerging economies with fewer resources, there are clear patterns. And while maturity levels may vary a great deal, the core challenges and the solutions are remarkably similar.

    Coming from a military intelligence background, I have always viewed intelligence sharing as a fundamental principle. While “need to know” was a core dictate, “need to share” was equally vital – especially when it came to operations. Moving into the private sector was a culture shock, because the hesitation to share intelligence wasn’t just a reality, it was pervasive.

    Size matters

    This led to my first key lesson – size matters.

    Take, for example, when I was working with a national central bank to build a CTI community. Despite the effort and a lot of good intentions, the initiative was sadly doomed to fail. Why? Because the country’s biggest banks already had their own, smaller, highly trusted network. They just didn’t want to share intelligence outside of that group.

    The argument here is pretty simple. No financial institution is individually resilient. Cyber risk affects everyone and banks have a responsibility to protect the wider financial ecosystem.

    At the other extreme, I observed an active global Information Sharing and Analysis Centre (ISAC) where dozens of members participated in calls, yet very little of value was exchanged. The issue here was that the community was too big. People just were not willing to share intelligence with faceless individuals that they didn’t know and thus didn’t trust.

    So, clearly, CTI communities must be big enough that they actually have an impact on the whole of the ecosystem, but also small enough that trusted relationships develop.

    Intelligence vs. Data

    My second key lesson was around the constant struggle over the definition of “intelligence”, a term we know well, but one that older communities, built out of IT teams, struggled to understand. Many CTI communities were highly tactical, focused solely on indicators of compromise (IoCs) that were shared via platforms like the Malware Information Sharing Platform (MISP). But in reality, this wasn’t intelligence. It was the sharing of threat data.

    The conversation needed to be elevated, so I advocated for broader discussions on threat information, strategic intelligence and best practices, and for intelligence to be tailored for different audiences: for example, automated data outputs for analysts; technical papers for cyber experts; intelligence summaries for CISOs; and strategic reports and horizon scanning for executives and board members, with intelligence briefings that were relevant to them and their unique community.

    Ultimately, intelligence products must have a clear “so what?” that identifies what the intelligence means and crucially what the decision makers should do with it. There’s little point to threat intelligence if it has no context and does not inform decision making.

    Navigating the legal challenge

    There are obviously legal concerns in intelligence-sharing communities. Unfortunately, these have in the past been used as an excuse not to share. GDPR, for example, initially caused uncertainty, but over time organisations understood that data privacy regulations were not meant to be barriers; they are guidelines for structured sharing.

    To mitigate privacy concerns, most successful intelligence sharing communities will implement centralised contracts and terms of reference to ensure liability protection, along with sharing guidelines that define permissible data exchange within legal frameworks, and automated threat data processing.

    CIISI – a successful framework

    The CIISI-EU framework is a testament to the power of trusted intelligence sharing. Five years ago, the European Cyber Resilience Board (ECRB) and the European Central Bank (ECB) discussed creating a small, yet highly effective community focused on strategic insights, best practice exchange and operational intelligence. From this initiative, the CIISI framework was established and has since been adopted by other nations.

    Comprised of 26 entities – including SecAlliance and ThreatMatch as the centralised intelligence function – alongside Europol and ENISA, CIISI strikes the right balance between tactical, operational, and strategic intelligence. It brings together joint research, coordinated intelligence functions, workshops and training, to ensure that decision-makers at all levels have access to relevant intelligence products.

    A defining strength of the framework is that the ECB not only implemented it but also released its white paper and intelligence-sharing rulebook, allowing other organisations and nations to learn from its approach.

    Having been directly involved in the creation of CIISI, I was able to apply its principles to replicate similar frameworks across various countries, adapting each to fit specific sectoral, cultural and maturity requirements. However, while every community does have its own unique needs, certain fundamental principles are constant.

    Firstly, intelligence should be shared as widely as possible within appropriate classification levels to maximise its impact while preserving trust. Communities must also be large enough to drive meaningful outcomes, but small enough to maintain the necessary level of confidence among members.

    It is essential to develop intelligence products tailored for different audiences, ensuring engagement at the executive level to secure leadership buy-in and funding.

    Building trust is a cornerstone of successful intelligence sharing. And that is why meeting face-to-face at least twice a year is really important for strengthening relationships among community members.

    Intelligence assessments, informational insights and data should be actively exchanged, with automation playing a key role in making this process more efficient. Now, in 2025, tactical intelligence sharing should be largely automated, freeing up more time for operational and strategic outputs. Establishing a centralised platform is crucial, moving intelligence sharing away from fragmented channels such as email and WhatsApp. This platform must distribute not only indicators of compromise (IoCs) but also finished intelligence products and strategic reports. It must be human-centric and easy to use for all user types, not just technical teams. It must control dissemination at the community level, but also at the organisational and individual levels, so that members can control access to their intelligence.

    A dedicated intelligence function is essential to drive dissemination, identify patterns, add assessments, and act as a catalyst for engagement. To reinforce commitment, members should sign up to a charter, rulebook, or formal terms of reference, outlining their obligations to contribute intelligence. Additionally, providing templates and policy frameworks can help organisations navigate internal legal challenges, ensuring that regulatory barriers do not stifle collaboration.

    CIISI has demonstrated that, implemented properly, structured intelligence sharing frameworks can drive real impact. Its principles continue to shape communities worldwide, refining how intelligence is exchanged, processed, and acted upon to enhance cyber resilience at national and sectoral levels.

    In 2025 and beyond, as cyber threats continue to evolve, intelligence-sharing communities must continue to adapt to become more strategic, more collaborative and more impactful. The principles outlined in this article provide an outline for building resilient, effective CTI ecosystems that contribute to national and sector-wide cybersecurity resilience.
