Intelligence drives operations

Operations rely on sound decision-making by leaders who are capable of making those decisions. Like many IT projects, we don't go from idea to reality in seconds. It takes planning, managing stakeholders, getting people on board with the idea, massaging egos, and so on. But where did that idea come from in the first place? It did not just appear out of nowhere either.

Ideas are born from trying to fix or improve something we have dealt with, using data that we believe may or may not be true. Babies do not learn to crawl and walk spontaneously. They see a toy, get frustrated because they can't reach it, and then they learn to crawl. They see people walking on two feet, practice, struggle to stand, and eventually take their first steps. They had a problem, used data from their own experiences, tested their theories, and came to conclusions.

Every organization has a vision and a mission statement that is meant to be the core of its existence. This is how business leaders communicate their intent to their employees.

The military has a concept called commander's intent: a clear statement of what that particular unit, brigade, regiment, division, or corps must accomplish and why. It drives all of the supporting units toward a single unified purpose of meeting that intent so that they can complete the mission.

Commanders have a lot of responsibility and do not want to make a decision on every piece of data coming at them. They make decisions based on specific pieces of data that pertain to answering a specific question. The gathering of that information for the commander is driven by what are called Priority Intelligence Requirements (PIRs). These PIRs are what drive intelligence gathering operations, as they provide guidance on which information is the most important to the commander so that they can plan the next steps.

Good PIRs have three criteria:

  • They ask only one question
  • They focus on a specific fact, event, or activity
  • They provide intelligence required to support a single decision

Military examples:

  • What size force is defending objective A?
  • Will enemy battalion X arrive before Y time on Z date?
  • How many obstacles are on D road that will impede our movement?

Can we not apply the same logic within our IT/InfoSec organizations? The idea is no different from gathering metrics for Key Performance Indicators (KPIs). When we have targets, we need to measure them and analyze them to see whether or not we have met or missed the mark. Either way, the information gathered decides what we do next.

Taking a top-down approach when defining the specific information to be derived from our security tools fuels our intelligence capabilities when evaluating the best way to move forward.

Let's use the top five Center for Internet Security (CIS) Controls as commercial PIR examples. These are high-level PIRs that can be filtered down to the tactical and operational teams to answer:

  1. Do we have an inventory of authorized and unauthorized devices?
    • Tactical: Do we have a complete list of authorized devices?
      • Operational: How are we continuing to gather this list?
    • Tactical: Do we have the capability of identifying unauthorized devices?
      • Operational: Where are we finding these devices?
  2. Do we have an inventory of authorized and unauthorized software?
    • Tactical: Do we have a list of authorized software?
    • Tactical: What are our most critical applications?
      • Operational: Where are these located?
    • Tactical: How are we protecting these?
      • Operational: What security tools are in place to ensure that the information does not get compromised?
    • Tactical: Do we have a list of unauthorized software?
      • Operational: Where do the systems with this software exist?
  3. Do we have secure configurations for hardware and software?
    • Tactical: What systems and software have secure configurations?
      • Operational: How are we monitoring any deviation from the standard?
    • Tactical: What systems and software do not have secure configurations?
      • Operational: How do we develop secure configurations for systems and software?
  4. Do we have a continuous vulnerability assessment and remediation capability?
    • Tactical: Do we have the capability of scanning for vulnerabilities in all areas of the network?
      • Operational: Do we have an accurate list of subnets allocated to the organization?
    • Tactical: Do we have the capability to patch vulnerabilities that have been found?
      • Operational: How can we influence application/system owners to patch when we do not have the authority to tell them to do it?
  5. Do we control the use of administrative privileges?
    • Tactical: Do we have a list of privileged users?
      • Operational: Who are they?
    • Tactical: What are the levels of privileged user access?
      • Operational: Who has what level of access?

Once we begin to look at the different functions of an information security organization, we can treat them as separate disciplines of intelligence gathering, both internal and external. We begin to see that each security team uses its answers to the high-level PIRs to report status to the senior leadership of the organization.

This gives an organization's leadership the capability to understand the environment, apply the risk management processes, and decide where to dedicate resources.

The reality is that it is difficult to begin processing the information from multiple sources into a big picture, or battlespace. We have to accept that there will be ambiguity and not-clearly-defined targets. Building this capability will take time, collaboration, and a mindset change at all levels.

The flow of IT/InfoSec operations can be seen in the following image:

In later chapters, we will go into some suggested capability maturity models for the different disciplines in security so that we can lay the foundation to build an intelligence capability.