Threat Intelligence has become the latest marketing buzzword, often abused and misused in an effort to impress a customer base. So, when do you need threat intelligence, and when is the right time to hire someone to “provide customers” with threat intelligence? Well, you should never hire someone specifically to provide customers with threat intelligence, unless that is the product you are specifically in business to produce. You can read more about this in the blog “Three Myths about Threat Intelligence.”
Typically, you would be ready to hire a threat intelligence analyst once you’ve established mature security practices for your organization. This is not to say that a Threat Intelligence team cannot be set up and designed to grow as the company grows; however, it is typically a strategic investment where the Threat Intelligence team’s first role is to serve internally, supporting decision makers. It also serves to strengthen the security posture and to proactively detect, deter, and destroy/avoid threats. While start-ups would benefit from understanding threats to their products, people, facilities, and customer data, they do not typically plan for the capital investment to support threat intelligence efforts. Additionally, Threat Intelligence teams do not normally generate products for revenue; rather, they serve to inform decision makers about potential threats on the horizon, protect the organization from internal and external threats to people, property, and assets, and in rare instances provide competitive advantage. In short, you are probably ready to hire once you are ready to make a strategic investment and take a proactive approach to security and threat detection, deterrence, and avoidance.
Below is a brief checklist of things an organization should achieve before being ready to hire a threat intelligence analyst.
- Mature security processes and culture in place
- Obtained CEO, CFO, CIO support and buy-in from Legal, Marketing, Physical & Information Security
- Structured the Director of Threat Intelligence and his/her team to report directly to a C-level officer, optimally the Chief Security Officer
- Completed a threat intelligence program charter and program outline
- Defined the immediate intelligence requirements
- Defined communications plans for intelligence dissemination internally and externally
ONE PERSON CANNOT EFFECTIVELY SERVE TWO MASTERS
Once you’ve completed the tasks above, you should be ready for the next phase – hiring in preparation for collection and analysis. You should not have started any intelligence collection aside from what may already be generated inside individual departments: network logs, market reports, incident reports, etc.
Your first hire should be a managerial role that will oversee the persons performing collection and analysis. While it will be immensely beneficial to hire someone who has experience within the intelligence community, it is not a requirement. Conversely, someone skilled in managing “geeks” or “nerds” is a minimal requirement.
When under tight budget constraints, companies often try to cut corners and hire someone skilled in both collection and analysis, having them perform both full-time roles, i.e. two masters. This does not scale and is not sustainable. While it may work initially, you will quickly learn that time spent serving the first master Collection & Processing (collecting intelligence, developing tools, and tuning collectors) is time that cannot be spent serving the second master Analysis and Reporting (doing robust analysis of the threat data that has been collected). The individual cannot serve two masters (do both jobs) indefinitely.
At a minimum, you should plan on having a developer to focus on developing, integrating, and tuning intelligence collection tools. This person will also work with analysts to develop tools and processes for converting the collected data into formats the analysts can use, a phase known as intelligence processing. The team/person responsible for developing the tools will have an intimate relationship with the analysts consuming the data/information that has been collected and processed. Whether you hire the threat intelligence analyst or the developer first is not important; however, their being able to communicate effectively with each other and having a solid understanding of what the other one does is important.
Know the traits you need in a threat intelligence analyst and realize a great analyst may not have “analyst” in their previous job titles. More importantly, a person’s mindset and character often make the difference between a good and great analyst, not their years on the job. A good threat intelligence analyst, while unique in their own way, shares many characteristics with analysts from other disciplines. So, what traits and skills should they possess?
First, they should be able to WRITE CONCISELY. This is a skill commonly found in journalists, historians, and researchers. Look for someone who has experience in public affairs, school newspapers, or blogging. If an analyst cannot communicate the importance of a threat in a short, concise manner, decision makers will likely not find value in their reporting. If an analyst cannot show value, leaders can (and often quickly do) form the opinion that threat intelligence is a useless money pit.
Second, a good analyst is a professional tin-foil hat model, never trusting an analysis without knowing what methods and data were used to generate the report and how the data was collected. They are skeptical, ask lots of questions, and think outside the box.
Third, they should be humble, admit their mistakes, and learn from them. Sometimes an analysis can go horribly wrong, and when it does, it makes front page news. This doesn’t necessarily mean the analyst is a bad analyst, at least as long as they learn from it. It may be they were pressured to provide a report based on insufficient or corrupted source data and didn’t push back for more time to consider other explanations of the data, or maybe they were unaware of their own bias. Whatever the cause, a good analyst can identify where the analysis went wrong and learn from the error(s).
Fourth, a threat intelligence analyst needs to have comprehensive knowledge on the subject or be able to quickly ramp up. For example, an analyst with one year of security experience who also has in-depth knowledge of religious and cultural practices from a geographic region where your biggest threats reside can be just as valuable to a threat intelligence team as someone with ten years of security experience and no relevant geographical or religious knowledge or experience.
Fifth, they know the tools and data resources available for collecting intelligence. Often, the hardest part of collecting intelligence is knowing where it is, how to get it, and the ability to find new sources.
Sixth, a good analyst has refined technical skills with respect to understanding how data is/was collected and processed, as well as knowing when data is missing and being able to explain why it is missing. This helps them know when to question the collection results and how to work with the collection team to tune the methods, techniques and processes. Additionally, they should have advanced skills when it comes to collating data points for analysis in order to identify relationships and trends.
Finally, they should have a solid understanding of and experience in developing and testing hypotheses, to include communicating the methods used, assumptions made, data that is missing, and potential biases.
GOOD TO GREAT
A great analyst is one who is willing to review someone else’s hypothesis, theory, model, etc. Then, if the data supports it, they admit that while his/her own assessment may differ, both are viable. Many times, the best analysis can be a hybrid of theories from different individuals who had very opposite starting points, combining the best of each analysis to create the final product. Additionally, when a theory or hypothesis is disproven, or the data doesn’t support it, they need to have a “no-quit” mentality, continuing to chip away at it until they have a theory that is supported by the data.
In addition to willingly accepting others’ evaluations and assessments, a great analyst is also cognizant of his/her own bias. For example, a 50-year-old male analyst from Ohio who grew up in a Christian home and never traveled more than 250 miles from home is probably going to have a very different set of biases influencing his/her analyses than a 50-year-old male analyst from Mississippi who spent 20 years in the military and is an atheist. The ability to admit one’s own bias is often found in someone who is able to have academic discussions, being able to say, “I understand your argument, I just don’t agree with it.” Being self-aware and able to admit one’s own bias is a trait often overlooked in the interview process.
IT’S ALL ABOUT THE BIAS…
So, which of all of these things discussed above is the most critical characteristic of a threat intelligence analyst? Only the last one, the ability to admit one’s own bias. You definitely hope to find a threat intelligence analyst who embodies all of the listed traits that constitute a good and great analyst; however, at the end of it all, the ability to admit one’s own bias turns out to be the foundation upon which most of the other traits sit.
Finally, and most important, they are willing to admit when they are wrong, and even more importantly, when someone else is correct.