How to Build a Better Cyber Intelligence Team


As You Build Your Cyber Intelligence Program, Don’t Overlook the Importance of Investing in the Right People

When we talk about cyber intelligence, or cyber threat intelligence (CTI) for those still using that terminology, inevitably there is a discussion about tools, technologies, and data. We often focus on the best vendors who can bring the most material to the cyber fight and make it actionable quickly so we can stay ahead of the dreaded “threat actors.” Listen – all of that is good. We need technologies to harness large amounts of data, information, and intelligence so we can act before it’s too late. We hope to even become proactive so we can “prevent” instead of “respond.” But in all that discussion we often fail to analyze who we need in leadership and performance positions on our intelligence teams. Let’s explore this.

Common Pitfalls from Common Approaches

The most common way I have seen intelligence teams formed is this: leadership decides their enterprise needs a CTI team. Those in charge came to that conclusion either because they were influenced by their peers or, more often, because those above them informed them that this was a need. Although there is nothing inherently wrong with leadership deciding the organization needs a CTI team, this top-down approach is extremely vulnerable to common mistakes that can undermine the credibility and efficacy of a CTI team. But the decision has been made, the die is cast, and team building begins.

In these cases, the most common action is to promote a high performer from within – who has no background in intelligence – to lead the new CTI team. That person, often carrying a strong incident response or network security background, attempts to fill the role by either falling back on what they know or reading as much as they can to learn what CTI is, on the fly. 

Intelligence is not a hobby. It is not a subset of cybersecurity to which one can easily pivot. But they try, and the team they build usually looks a lot like themselves. The enterprise ends up with a team of SOC analysts and incident responders with CTI titles who do not produce intelligence. It is not that the team isn't skilled. They just happen to lack the particular skill set needed for this very specific function. This is an example of good people trying to do the right things while in positions where they are unlikely to succeed.

Ultimately, when this team fails to make the security organization any more proactive and fails to meet measurable goals and objectives, everyone updates their resume and looks for new jobs in their old specialties. Or, worse yet, these people now market themselves as CTI analysts because there is a massive gap in the market and they now have that “title” on their resumes. 

Despite their best efforts to address the intelligence requirements of a customer that never knew how to capture them, vendors often take the rest of the blame for the failure to build an effective cyber intelligence program. So a whole new batch of vendors, happy to capitalize on the perception of their competition failing, will be the beneficiaries of this change in direction. But if the talent strategy doesn't change, the results are unlikely to improve.

Common Pitfalls from Less Common Approaches

Another common way people build their intelligence team is to recruit from the Intelligence Community (IC) and law enforcement agencies. The thinking is that there is a lot of impressive talent in the government, and these people bring experience and credibility. Who wouldn’t be impressed by a team filled with hundreds of years of experience within three-letter agencies, right? True. But here are two serious challenges to this approach:

1. Culture Shock: People who spend entire careers inside the government can become institutionalized. They can struggle to adapt to an entirely different set of goals, expectations, budget plans, schedules, and social norms.

2. Verification: There are far too many people coming out of the IC with impressive resumes that are hard to verify. They hide behind “it’s classified” knowing most will not check. NEVER hire someone unwilling or incapable of validating their credentials.

A team built entirely on amazing credentials in intelligence or law enforcement will also likely struggle to create enough diversity of thought, flexibility, and adaptability. This kind of “groupthink” can result in organizational confirmation bias – an echo chamber – that leads to inaccurate conclusions.

Against the Grain – Adopting Uncommon Best Practices

The least common way to form cyber intelligence teams is also the best strategy – start with a leader who has a wealth of experience in traditional intelligence AND a working knowledge of cybersecurity. This does not mean finding a “unicorn” with decades of intelligence experience and a CISSP credential. What this means is finding someone who has extensive knowledge of analytic tradecraft and standards and can:

  • Capture the tactical, operational, and strategic intelligence needs of an enterprise.
  • Leverage talent, tools, and access to provide people and machines with timely, accurate, and relevant intelligence needed for informed decisions and decisive actions.
  • Communicate effectively from Tier 1 analysts up to the C-Suite or Board.
  • Create and articulate a strategy for building an intelligence program that can drive an organization from a reactive to a proactive state of security.
  • Speak the language of executive leadership in terms of risk and value.

Once you identify the right leader, the ideal team will have a mix of backgrounds, including traditional intelligence, law enforcement, cybersecurity, data science, and journalism.

This diversity of background creates an environment where competing hypotheses often lead to assessments and conclusions that go beyond what most teams can create through the limited lens of only technology or intelligence backgrounds.

For instance, when a team is developing a better understanding of a threat actor or group, seeing the threat through the lens of a cybersecurity expert (tactics, techniques, and procedures), a traditional intelligence or law enforcement analyst (motives and likely next steps), and a data scientist (large-scale data trends) often results in a holistic picture. When the team sees problems from only one of these perspectives, it loses the holistic view that likely contains vital context. Leaders often overlook the value journalists bring to intelligence teams as well. The reality is that their research and storytelling skills are key to producing valuable intelligence.

Creating Credible, Consumable Intelligence

Intelligence is ultimately about communication, and it’s only beneficial if the right people consume and understand it. Never underestimate the importance of capturing the reader’s attention and sustaining it through what can often be difficult or tedious material.

The last hidden advantage of building such a diverse team is that varied backgrounds empower us to connect with the widest audience. This is important because intelligence is a service. To successfully communicate the importance of intelligence, we must be able to first build relationships. To connect. To establish credibility – credibility built through shared understanding.

The list of customers for intelligence in a large enterprise can include the Red Team, Blue Team, Purple Team, incident response, physical security, insider threat, brand protection, governance, risk and compliance (GRC), and executives. And this is by no means a comprehensive list. These groups do not all speak the same language, so a diverse intelligence team includes the people needed to build relationships with the various organizations and relevant stakeholders. Without these relationships that help engender shared understanding and trust, even a "perfectly" constructed intelligence team will find it incredibly difficult to provide the measurable security improvements needed to justify its existence and growth.

The Bottom Line

No matter how much we invest in access, tools, or cutting-edge technologies, intelligence is still about people. So as you build your cyber intelligence program, and evaluate all the vendors (including us!), don't overlook the importance of investing in the right people and partners. Otherwise, even big-spending organizations can find themselves on a treadmill of changing personnel and vendors that gives the appearance of progress while getting no closer to the stated cybersecurity goals.

Editor’s Note: This article first appeared in SecurityWeek.
