Security Experts:

How to Build a Better Cyber Intelligence Team

As You Build Your Cyber Intelligence Program, Don’t Overlook the Importance of Investing in the Right People

When we talk about cyber intelligence, or cyber threat intelligence (CTI) for those still using that terminology, inevitably there is a discussion about tools, technologies, and data. We often focus on the best vendors who can bring the most material to the cyber fight and make it actionable quickly so we can stay ahead of the dreaded “threat actors.” Listen. All of that is good. We DO need technologies to harness large amounts of data, information, and intelligence so we can act before it is too late. We hope to even become proactive so we can “prevent” instead of “responding.” But, in all that discussion we often fail to analyze who we need to have in leadership and performance positions on our intelligence teams. Let’s explore this.

Common…and Wrong

The most common way I have seen intelligence teams formed is that leadership decided their enterprise needs a CTI team. Those in charge either came to that conclusion because they were influenced by their peers or, more often, they were informed by those above them that this was a need. Either way, the die is cast and team building begins. 

In these cases, the most common action is to promote a high performer from within – who has no background in intelligence – to lead the new CTI team. That person, often carrying a strong incident response or network security background, attempts to fill the role by either falling back on what they know or reading as much as they can to learn on the fly what CTI is. 

Intelligence is not a hobby. It is not a subset of cybersecurity one can easily pivot into. But they try, and the team they build usually looks a lot like themselves. The enterprise ends up with a team of SOC analysts and incident responders with CTI titles who do not produce intelligence because they are not intelligence professionals. This is an example of good people trying to do the right things while in positions where they are unlikely to succeed.

Threat Intelligence MapUltimately, when this team fails to make the security organization any more proactive and fails to meet measurable goals and objectives everyone updates their resume and looks for new jobs in their old specialties. Or, worse yet, these people now market themselves as CTI analysts because there is a massive gap in the market and they now have that “title” on their resumes. 

Despite their best efforts to address the intelligence requirements of a customer that never knew how to capture them, vendors often take the rest of the blame for the failure to build an effective cyber intelligence program. So, a whole new batch of vendors, happy to capitalize on the perception of their competition failing, will be the benefactors of this change of direction. But, if the talent strategy doesn’t change, the results are unlikely to improve much.

Uncommon…and Still Wrong

Another common way people go about building their intelligence team is to recruit from the Intelligence Community (IC) and law enforcement agencies. The thinking is that there is a lot of impressive talent in the government and these people bring experience and credibility. Who wouldn’t be impressed by a team filled with hundreds of years of experience within three-letter agencies, right? True. But here are two serious challenges to this approach:

1. Culture Shock: People who spent entire careers inside the government can become institutionalized. They can struggle to adapt to an entirely different set of goals, expectations, budget plans, schedules, and social norms.

2. Verification: There are far too many people coming out of the IC with impressive resumes that are hard to verify. They hide behind “it’s classified” knowing most will not check. NEVER hire someone unwilling or incapable of validating their credentials.

A team built entirely on amazing credentials in intelligence or law enforcement will also likely struggle to create enough diversity of thought, flexibility, and adaptability. This kind of “groupthink” can result in organizational confirmation bias – an echo chamber – that leads to inaccurate conclusions.

Least Common…but Best

The least common way cyber intelligence teams are formed is by starting with a leader who has a wealth of experience in traditional intelligence AND a working knowledge of cybersecurity. This does not mean finding a “unicorn” with decades of intelligence experience and a CISSP credential. What this means is finding someone who:

• Has extensive knowledge of analytic tradecraft and standards.

• Can capture the tactical, operational, and strategic intelligence needs of an enterprise

• Can leverage talent, tools, and access to provide people and machines with timely, accurate, and relevant intelligence needed for informed decisions and decisive actions.

• Can communicate effectively from Tier 1 analysts up to the C-Suite or Board.

• Can create and articulate a strategy for building an intelligence program that can drive an organization from a reactive to a proactive state of security.

• Can speak the language of executive leadership in terms of risk and value.

Once that leader has been identified, the ideal team will have a mix of backgrounds, including traditional intelligence, law enforcement, cybersecurity, data science, and journalism.

This diversity of background creates an environment where competing hypotheses often lead to assessments and conclusions that go beyond what most teams can create through the limited lens of only technology or intelligence backgrounds.

For instance, when developing a better understanding of a threat actor or group, being able to see the threat through the lens of a cybersecurity expert (tactics, techniques, and procedures), a traditional intelligence or law enforcement analyst (motives and likely next steps), and a data scientist (big data trends) will often result in a wholistic picture that is lost when teams only see problems from any one of these points of view. Journalists are often adept at research and storytelling, which is a key component often overlooked in intelligence.

As intelligence is ultimately about communication, it is only valuable if it is consumed and understood. Never underestimate the importance of capturing the reader’s attention and sustaining it through what can often be difficult or tedious material.

The last hidden advantage of building such a diverse team is that varied backgrounds empower us to connect with the widest audience. This is important because, ultimately, intelligence is a service. To successfully communicate the importance of intelligence, we need to first be able to build relationships. To connect. To be credible. And that credibility is built through shared understanding.

The list of customers for intelligence in a large enterprise can include Red Team, Blue Team, Purple Team, incident response, physical security, insider threat, brand protection, governance, risk, and compliance, executives and many more. These groups do not all speak the same language, so a diverse intelligence team has the people needed to build relationships with various organizations such as these. Without those relationships, that can engender shared understanding and trust, even a “perfectly” constructed intelligence team will find it incredibly difficult to provide the measurable security improvements needed to justify existence and growth.

The Bottom Line

No matter how much we invest in access, tools, or cutting-edge technologies, intelligence is still about people. So, as you build your cyber intelligence program – and have all the vendors lined up to take your money – don’t overlook the importance of investing in the right people. Otherwise, even big spending organizations can find themselves on a treadmill of changing personnel and vendors that gives the appearance of progress while getting nowhere closer to the stated cybersecurity goals.

view counter
AJ Nash is Director of Cyber Intelligence Strategy at Anomali. He has more than two decades of experience in intelligence collection, analysis, reporting, briefing, process improvement, and leadership. Prior to Anomali, he was a Senior Manager of Cyber Threat Intelligence at Capital One, Global Head of Cyber Intelligence at Symantec, and a guest lecturer at several universities. His background includes time spent in the United States Air Force, the National Security Agency, and the United States Cyber Command.