Dan Sorensen fractional vCISO & AI governance leader. 23-yr USAF veteran translating cyber threats into boardroom decisions.
In March, when I argued in my article “The Threat Intelligence Gap: Why AI-Augmented CTI Still Fails At The Human Layer” that the threat intelligence gap is a leadership problem wearing a technology mask, the responses fell into two camps. Practitioners agreed, usually with some version of “Finally, someone said it.”
Executives asked a different question. They wanted the build order. What does a cyber threat intelligence (CTI) function actually look like when it’s resourced as a strategic capability instead of staffed as a security operations center (SOC) appendage? What does the CFO see? What does the board see?
The demand is measurable, not anecdotal. The “SANS 2025 CTI Survey” found that 52% of executives now decide on intelligence requirements, up from 33% just a year earlier. The same survey found 62% of CTI teams cited lack of funding as their top blocker. Executive appetite is outrunning the resourcing model.
That’s the question this article intends to answer.
The Numbers That Should Be Driving The Conversation
IBM’s “Cost of a Data Breach Report 2025,” based on breaches experienced by 600 organizations worldwide, surfaced findings that reframe the investment case.
U.S. organizations now average $10.22 million per breach, a record high. Organizations using AI and automation extensively saved an average of $1.9 million per breach compared to those that didn’t.
The AI governance picture is worse than most executives realize. Ninety-seven percent of organizations that experienced an AI-related security incident lacked proper AI access controls. Sixty-three percent had no AI governance policies at all. Shadow AI, unsanctioned generative AI tools, factored into roughly one in five breaches studied, and organizations with high levels of it absorbed an average of $670,000 in added breach costs. Attackers used AI in approximately 16% of breaches, primarily to accelerate phishing and produce convincing deepfakes.
Read that cluster of numbers as a single data point. The organizations pulling ahead in breach economics are the ones that have built AI capabilities with governance, instrumentation and a human in the loop. The ones falling behind are running the same tools without the scaffolding.
The same logic applies to CTI.
The Build Order
When I walk executives through what a resourced CTI function actually requires, I work in the following order. Skipping steps produces the programs I described in March. We’ve all seen how those end up.
Step 1: Naming The Intelligence Customer
Before any tool is selected or analyst hired, the organization should answer one question: Who is the primary customer for this intelligence, and what decisions do they need it to inform?
For most enterprises, the honest answer is not the SOC. The SOC consumes indicators. The intelligence customer is the executive who needs to understand adversary interest in a pending acquisition, the geography your supply chain just got rerouted through or the regulatory regime changing in a market you sell into.
The World Economic Forum’s “Global Cybersecurity Outlook 2026” found that “91% of the largest organizations have changed their cybersecurity strategies due to geopolitical volatility.” That’s intelligence demand, whether or not anyone inside the building is supplying it. When the customer is named and the decisions are specified, requirements become definable. When they’re not, the function drifts back to feed management.
Step 2: Benchmarking Against A Real Maturity Model
The CTI Capability Maturity Model (CTI-CMM) exists precisely because organizations need an honest read on where they are before they can plan where they’re going. It evaluates CTI capability across the dimensions that actually matter: stakeholder engagement, requirements management, collection, analysis, dissemination and program governance.
Most organizations that describe themselves as having a “mature” CTI program score at the lower maturity levels when measured against CTI-CMM. That’s useful information. A board cannot approve investment in a capability nobody has rigorously measured. A maturity assessment converts a hand-wave into a baseline.
Step 3: Adopting A Shared Operational Vocabulary
MITRE ATT&CK has become the common vocabulary of cyber defense for a reason. It gives red teams, blue teams, threat hunters, CTI analysts and incident responders a shared way to describe adversary behavior. An organization that tags its detections, its tabletop exercises, its incident reports and its threat briefings against ATT&CK can actually learn from itself over time. An organization that doesn’t can’t.
This is the operational prerequisite for working at the top of Bianco’s Pyramid of Pain, which I referenced in my article in March. You can’t disrupt TTPs you haven’t cataloged.
Step 4: Building The Human Validation Gate
This is the point I made in March, and it’s nonnegotiable. Confidence scoring, source reliability assessment and cross-feed correlation must pass through human judgment before driving action. This is the primary defense against feed poisoning, the discipline that separates finished intelligence from alert noise and the capability executives are actually paying for.
Step 5: Measuring The Function In The Language Of The Board
The “SANS 2025 CTI Survey” found that 55% of organizations measure CTI effectiveness, 32% don’t and 14% don’t even know whether anyone is trying. Measurement isn’t hard. Most programs just measure the wrong things.
Metrics that survive a board review answer three questions. What did we anticipate that we would otherwise have been surprised by? What decisions did we accelerate or change as a result? What did that save us, in dollars or in risk? Threats analyzed, feeds consumed and IOCs ingested are operational metrics. They belong in a SOC dashboard, not a board deck.
The Work Ahead
The five steps above are the skeleton. The muscle gets built decision by decision: structuring intelligence requirements around specific business choices, procuring CTI capability without getting captured by vendor frameworks, designing the human validation gate so it scales and reporting CTI value in terms that survive a CFO review.
The through-line is the argument I made in March and continue to stand behind. Technology is a force multiplier, never a substitute for doctrine. The organizations building durable CTI capability in 2026 are treating it as a leadership discipline, governed from the top and measured rigorously.
The rest, as I wrote before, is the work.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?








