Identity Crisis: Proving the Value of Intelligence Through Internal Marketing
POSTED BY MICHEL HUFFAKER
When I started my career as a “classically trained” intelligence analyst operating in the public sector, there was very little ambiguity about my role: approach issues objectively, challenge bias, and exhaust all avenues of research before coming to a well-caveated conclusion. I knew who my stakeholders were and what their requirements were. I understood my place as a cog in a very large, very powerful wheel.
As I moved through my career, away from counterterrorism and conventional national security issues into the realm of cyber security in the private sector, things really started to shift. That’s not to say the core tenets of being an intelligence analyst changed – those of us who were “raised” in this career field have forged a sort of bond and vehemently protect the values of our training around conference tables and in bars the world over. But I can safely say, cyber threat intelligence in the commercial world is an unwieldy beast, and it throws a wrench in the works when it comes to finding your place in large, private organizations.
Aside from learning to work with limited resources, and often on extremely small teams, with undefinable requirements, the single biggest challenge was proving the value of threat intelligence, thus justifying my team’s existence. When the questions asked of me changed from, “do you have everything you need to assess this threat?” in my government world, to “why do you need more money to help us understand if there is a threat – don’t we already have tools that do that?” in the private sector, the pressure really intensified. For the first time in my career, I was on the hook to account for every single capital spend – whether financial or human. And rightfully so. The security industry was created by selling widgets and gadgets with the promise that if you connect enough of them together, you’ll be safe. But the reality is, and has always been, the bad guys are faster than the good guys, and these tools don’t maintain themselves. But there’s an even bigger problem: the tools are expensive. Security operations teams became giant cost centers – a necessary evil – to keep a company safe.
Then there was Target. And Michael’s. And Hilton. And Equifax… and… and… and… No matter how hard the operations teams worked to get ahead of the problem, the hits just kept on coming. These companies have great teams, they care about their customers, and they spend millions making the effort to protect them. And they still got hurt. The problem wasn’t that they weren’t spending money, it was that money wasn’t being spent in the right way.
Threat intelligence should influence those decisions – help leadership understand where they can get the best bang for their buck, based on empirical data and the company’s threat reality. Then it hit me: my job wasn’t to point out potential threats – vendors do enough of that – my job was to be the internal marketing arm of the security operations team. That was a tough pill to swallow for someone who fancied herself an influencer of national security policy (no matter how misguided and arrogant that was). Nonetheless, my vocabulary shifted from the academic debate about the intent and motivation of an adversary to talking about risk registers and ROI. And it worked.
It’s an accepted fact in the intelligence world that when we get it right, nobody hears about it. But when there is an intelligence failure, it’s usually spectacular and public. I’ll put it this way: if you think to send your power company a thank you note each time you flip on a light switch and it works, but show grace when it doesn’t, then read no further. But, if you just expect the things you pay for to work as promised without fanfare, then consider this: the intelligence team’s job is to internally market every single time something works. That way when it doesn’t, because at some point it won’t, there’s a little grace. Every spear phishing message stopped at the mail gateways, every time DLP catches a document leaving the network, and every time you don’t waste resources spinning up a team to deal with an improbable DDoS threat that comes across Twitter, is an opportunity to showcase value.
You have to become an aggressive marketing function – with branding, and catchy titles, and consistent content delivery. Slowly, but surely, filling the inboxes of the C-Suite with messages spelling out exactly what security has done for them lately. This isn’t a metrics discussion – security operations can do that – this is an exercise in contextualizing a threat. It’s not that a threat was stopped, it’s what threat was stopped, and the impact avoided because of it. Take something you deal with daily: the broad-scope spear phishing campaign that hits your HR department asking them to change their platform passwords. Simply saying the campaign was stopped at the perimeter by putting “23 spear phishing attempts thwarted” on a CISO slide isn’t enough. If you know how much it costs (in money and operational downtime) to re-image a computer, force password resets or involve your third-party personnel management software provider in a full-fledged account takeover investigation, you now know how much money the security team just saved the company. Use it – it’s no longer a hypothetical.
With consistency, things start to change. Discussions about security morph from “cost center” to “loss prevention center.” Dollar figures are assigned to successes as well as failures; balance sheets become more balanced. The whole team will grumble less about the hassles of two-factor authentication and spear phishing awareness training, because they get it. They know it works because you told them it does. You gain allies, and you gain a very important seat at the table. Then you gain budget. And with money, comes capability, and before you know it, you have a full-fledged intelligence-led security operations team. Obviously, this doesn’t happen overnight – and sometimes not even within a year or two – but, it does happen. It all starts with that first, easy win and the marketing campaign you launch to scream your success from the mountaintop.