Strategic Thinking and Planning SIG

Mission

In the face of increasing budget constraints and shifting dynamics in service offerings, there is a need for CERTs and associated organisations (e.g., ISACs) to share approaches and best practices in strategic planning and anticipate, not simply respond to, future trends. For this purpose, the proposed SIG will work to create a dedicated, global forum for strategic dialogue and knowledge exchange on the current and emerging challenges, opportunities, and innovations within national, regional, and organisational CERTs, regardless of their business model (e.g., self, or externally funded; member-based; proprietary; etc.). The SIG will be anchored to the principles of information sharing, co-design, and common uplifting.

Goals & Deliverables

Over the next 12 months, this SIG aims to:

1. Facilitate structured discussions on shared strategic and operational challenges facing CERTs and similar organisations (e.g., ISACs), such as workforce sustainability, funding models, public-private engagement, governance structures, and the increasing pressure to deliver impact and maintain relevance.
2. Share models and case studies of how different CERTs are evolving – including changes in mandate, expansion into advisory functions, or adaptation to sector-specific needs – to help members identify transferrable insights.
3. Develop a landscape overview of strategic themes affecting CERTs globally, informed by member contributions, to assist leaders and policymakers in shaping future-ready teams.
4. Host expert briefings or roundtables on topics such as CERT maturity, capability building, role clarity in multi-agency contexts, and threat intelligence-sharing frameworks.
5. Produce a position paper or summary report highlighting key trends, insights, and recommendations from the SIG’s first year, which could inform wider FIRST initiatives or partner engagements.
6. Produce actionable artefacts and re-usable materials (e.g., presentations) to help leaders and decision-makers in CERTs communicate internally and externally on CERT’s goals, mission, and evolving landscape.

If there is strong engagement, the group may explore opportunities for deeper cross-CERT collaboration or shared tooling and training approaches in the following year.

Meetings

• At the Annual Conference (in person)
• Quarterly (virtually)

Chair

• Dr Ivano Bongiovanni (General Manager, AUSCERT)

Mailing list

Any FIRST member may join, others are welcome as well, requests must be approved by the SIG chairs.

• stp-sig@first.org (subscribers only; please complete the Request to Join form below)

Request to Join

• Initiatives
  • Special Interest Groups (SIGs)
    • SIGs Framework
    • Academic Security SIG
    • AI Security SIG
    • Automation SIG
    • Cybersecurity Communications SIG
    • Common Vulnerability Scoring System (CVSS-SIG)
      • Calculator
      • Specification Document
      • User Guide
      • Examples
      • Frequently Asked Questions
      • CVSS v4.0 Documentation & Resources
        • CVSS v4.0 Calculator
        • CVSS v4.0 Specification Document
        • CVSS v4.0 User Guide
        • CVSS v4.0 Examples
        • CVSS v4.0 FAQ
      • CVSS v3.1 Archive
        • CVSS v3.1 Calculator
        • CVSS v3.1 Specification Document
        • CVSS v3.1 User Guide
        • CVSS v3.1 Examples
        • CVSS v3.1 Calculator Use & Design
      • CVSS v3.0 Archive
        • CVSS v3.0 Calculator
        • CVSS v3.0 Specification Document
        • CVSS v3.0 User Guide
        • CVSS v3.0 Examples
        • CVSS v3.0 Calculator Use & Design
      • CVSS v2 Archive
        • CVSS v2 Complete Documentation
        • CVSS v2 History
        • CVSS-SIG team
        • SIG Meetings
        • Frequently Asked Questions
        • CVSS Adopters
        • CVSS Links
      • CVSS v1 Archive
        • Introduction to CVSS
        • Frequently Asked Questions
        • Complete CVSS v1 Guide
      • JSON & XML Data Representations
      • CVSS On-Line Training Course
      • Identity & logo usage
    • CSIRT Framework Development SIG
    • Cyber Insurance SIG
      • Cyber Insurance SIG Webinars
    • Cyber Threat Intelligence SIG
      • Curriculum
        • Introduction
        • Introduction to CTI as a General topic
        • Methods and Methodology
        • Priority Intelligence Requirement (PIR)
        • Source Evaluation and Information Reliability
        • Machine and Human Analysis Techniques (and Intelligence Cycle)
        • Threat Modelling
        • Training
        • Standards
        • Glossary
        • Communicating Uncertainties in CTI Reporting
      • Webinars and Online Training
      • Building a CTI program and team
        • Program maturity stages
          • CTI Maturity model - Stage 1
          • CTI Maturity model - Stage 2
          • CTI Maturity model - Stage 3
        • Program Starter Kit
        • Resources and supporting materials
    • Digital Safety SIG
    • DNS Abuse SIG
      • Stakeholder Advice
        • Detection
          • Cache Poisoning
          • DGA Domains
          • DNS As a Vector for DoS
          • DNS Rebinding
          • DNS Server Compromise
          • DoS Against the DNS
          • Domain Name Compromise
          • Dynamic DNS (as obfuscation technique)
          • Fast Flux (as obfuscation technique)
          • Infiltration and exfiltration via the DNS
          • Lame Delegations
          • Local Resolver Hijacking
          • Malicious registration of (effective) second level domains
          • On-path DNS Attack
          • Stub Resolver Hijacking
      • Code of Conduct & Other Policies
      • Examples of DNS Abuse
    • Ethics SIG
      • Ethics for Incident Response Teams
    • Exploit Prediction Scoring System (EPSS)
      • The EPSS Model
      • Data and Statistics
      • User Guide
      • EPSS Research and Presentations
      • Frequently Asked Questions
      • Who is using EPSS?
      • Open-source EPSS Tools
      • API
      • Related Exploit Research
      • Blog
        • Understanding EPSS Probabilities and Percentiles
        • Log4Shell Use Case
        • Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities
      • Data Partners
    • FIRST Multi-Stakeholder Ransomware SIG
    • Human Factors in Security SIG
    • Industrial Control Systems SIG (ICS-SIG)
    • Information Exchange Policy SIG (IEP-SIG)
    • Information Sharing SIG
      • Malware Information Sharing Platform
    • Law Enforcement SIG
    • Malware Analysis SIG
      • Malware Analysis Framework
      • Malware Analysis Tools
    • Metrics SIG
      • Metrics SIG Webinars
    • NETSEC SIG
    • Passive DNS Exchange
    • Policy SIG
    • PSIRT SIG
    • Red Team SIG
    • Retail and Consumer Packaged Goods (CPG) SIG
    • Security Lounge SIG
    • Security Operations Center SIG
    • Strategic Thinking and Planning SIG
    • Threat Intel Coalition SIG
      • Membership Requirements and Veto Rules
    • Traffic Light Protocol (TLP-SIG)
    • Transportation and Mobility SIG
    • Vulnerability Coordination
      • Multi-Party Vulnerability Coordination and Disclosure
      • Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
    • Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)
      • Vulnerability Database Catalog
    • Women of FIRST
  • Internet Governance
  • IR Database
  • Fellowship Program
    • Application Form
  • Mentorship Program
  • IR Hall of Fame
    • Hall of Fame Inductees
  • Victim Notification
  • Volunteers at FIRST
    • FIRST Volunteers
    • Volunteer Contribution Record
  • Previous Activities
    • Best Practices Contest