What's a 'Cyber Intelligence Analyst'?

Adam Meyer, chief security strategist at SurfWatch Labs, shares his views

This is a contributed piece by Adam Meyer, chief security strategist, SurfWatch Labs

“When I grow up, I want to be a cyber intelligence analyst,” said no kid anywhere, ever. But not because it isn’t cool… fighting off hackers is in fact increasingly cool and white hats’ reputations are growing. Instead, it’s more to do with lack of definition and clarification. What is it, exactly? How do you become one? And once you are one, how do you succeed? For the hiring organizations, where do you find one? And most importantly, what do you do with them once you have them?

While I don’t have all the answers, there are some pretty clear opinions out there. Last fall, the Intelligence and National Security Alliance (INSA) Cyber Intelligence Task Force published an interesting whitepaper on the topic called Cyber Intelligence: Preparing Today’s Talent for Tomorrow’s Threats. The task force, made up of individuals from government, the private sector and academia, claims an “interest in promoting the discipline of cyber intelligence as an emerging yet essential component of cybersecurity practices” and says it’s time the “nascent but increasingly critical intelligence discipline have its own professional development blueprint”. Throughout my career I’ve held various security positions, from my first job as an electronics technician to CISO, and I wholeheartedly agree with the need for formalizing the cyber threat intelligence discipline.

To ensure we are on the same page, at the highest level, cyber threat intelligence can be defined as a comprehensive understanding of threat actors (criminals or competitors), their motivations, and the tools and tactics they employ. Because it is strategic, operational and tactical, it is most efficiently used to support and inform organizational cyber risk decisions.

Cyber intelligence analyst skill set

Using that definition, the function of threat intelligence best resides somewhere between IT and business operations. For truly valuable intelligence, the analyst needs a strong blend of technical knowledge and analytical prowess. The intel analyst should be well versed in how networks operate and, subsequently, how they are and could be attacked. They must also know how to gather comprehensive technical threat information, distill what are often significant volumes of data, and effectively translate the risky circumstance(s) to organizational decision makers in a way that they can relate to and care about.

Cyber analyst or cyber analysts

Perhaps more practical than hiring a single analyst who understands the inner workings of your network, all of the subsequent threats, and how that relates to business risk is building a small team of people. It would consist of junior-level analysts focused on threats and technology and senior-level analysts who align data with overall organizational risk and coordinate that information with other lines of business and executives. This scenario defines information flow and, coincidentally, a career path for your hard-working individuals.

That prescription tells you to hire for strong technical knowledge with a bent toward analytical thinking. Or, train your already-in-place technical team to be more analytical in thought process, activity and output. And, though it goes without saying, educate your other lines of business to think about cyber risk and the impact a breach could have on their area of the business specifically, and the organization as a whole generally.

Training, or lack thereof

With a better understanding of skill set and possible career path, another question arises. Where do these professionals come from? As pointed out by the task force, there is a distinct shortage of formal training programs for these needed professionals. According to the report, “A recent review of academic cybersecurity programs in the US concluded that “[t]he training paths to become a qualified cyber-intelligence analyst are inconsistent or nonexistent in some cases. Currently, there are only about seven schools in the US known to offer a specific course in cyber intelligence, and only a couple that offer a specialization or concentration within a related master’s degree program.”

What’s missing overall from the cyber intelligence discipline, they say, is: a common body of knowledge, a competency-based framework, a dual-track development model, a training and education program and a prototypical career path. It’s a strong academic viewpoint on what needs to be done to put definition to an otherwise confusing career and, again, I agree.

But while academics debate the finer points of needed educational programs, industry will have to fend for itself for the time being. This reality helps explain why you see such a diverse workforce as organizations attempt to hire the best talent today. Sometimes you see IT security people transitioning to threat intelligence, and sometimes you see traditional intelligence analysts born out of government programs transitioning into the cyber world. Which is better? Training a cyber person on intelligence practices or training an intel person on cyber?

There isn’t one clear-cut answer, unfortunately; the best approach is to experiment. But what we can say now, definitively, is that it’s well past time to think about staffing an analytically talented individual or team to begin making sense of the swarm of cyber threats and then driving their efforts into organizational risk management decision-making.

