The increased emphasis on cyber threat intelligence

The information provided to you is motivated by the increased emphasis on cyber threat intelligence (TI) we have noted within the security market. This, in turn, has led to rising demand for TI specialists within a firm’s security profile.

In this article, we provide:

  • An overview of wider market conditions;
  • The business case for hiring in this space;
  • The recruitment challenges our clients have faced; and
  • An ‘ideal candidate’ profile.

Barclay Simpson is an international recruitment consultancy that specialises in recruiting professionals for the interrelated disciplines of governance, namely Information/IT Security, Risk, Resilience, Audit, Compliance, Legal and Treasury.

Why the increase in TI?

Traditionally, corporations have relied upon their SOC and Incident Response teams as the 1st line of defence against Threat Actors. While red/blue team activities have been the usual priority for a SOC, this, by definition, has always included TI responsibilities. Due to the increasing sophistication and ever-evolving TTPs of potential threat actors, a realisation has developed that a dedicated ‘Threat Intelligence Unit’ (TIU) is needed in addition to SOC.

This emerging model of a TIU is focused on the threat management team acting as a bridge between the SOC and wider security teams. The TIU’s central task is to proactively identify, understand and relate emerging TTPs primarily to the SOC, as well as the security and business functions. This is to ensure potential threats are understood, accounted for and neutralised at all levels.

The importance of a dedicated TI resource can be demonstrated by multiple attacks since 2017. The WannaCry breaches of 2017/18 and the recent March 2019 ‘Shadow Hammer’ attack on the PC firm ASUS are estimated to have cost hundreds of millions of dollars to affected parties. With such incidents increasing in frequency, firms can no longer afford to wait for threats to affect their industry before acting; these threats must be understood and mitigated against at earlier stages.

What are the challenges in recruiting for TI?

One of the biggest challenges encountered when recruiting in the cyber TI space is that the role remains largely undefined. Actors’ relevant TTPs vary substantially according to the size and type of organisation targeted, aided by progressively evolving technology, which increases the level and sophistication of attacks. This gives hiring managers few defined skillsets/experience to look for when recruiting a TI specialist.

Technical

The ongoing evolution of technology and TTPs means that candidates must constantly look to improve their knowledge in the TI space. An intelligence-savvy candidate today may be behind the curve tomorrow if they fall behind on attack trends. Finding individuals that have a forward-thinking mindset and a passion for the latest attack vectors presents a challenge – quite simply, a good intelligence professional’s work is never done.

Balance

Along with key traits of individuals, there is a range of skillsets needed within TI from a deep technical understanding (often from a Security Operations / SOC background) through to high-level stakeholder management that requires strong interpersonal skills. A central component to TI is working with the wider security teams and relevant business units to educate staff of all levels on how to recognise potential attacks on a regular basis. This mix of technical nous and interpersonal capabilities is a rare combination to find.

Executive buy-in

The final challenge is how to gain buy-in from board-level into the increasing value of TI. By its very definition, TI aims to prevent potential security issues from developing at source, leading to a ‘quietening’ of reported attacks. Furthermore, when the executive-level look to combat their cyber-risk, this is usually at a level where remediation can be ‘seen’ to take place. Historically, this has happened at SOC/IR level, as corporations tend to see a tangible result in recruiting here. For CISOs/Head of Security Ops, the main challenge may well be educating executives about the important role cyber TI plays in a modern security function.

 

The ideal candidate

  • CREST Certified Threat Intelligence Manager (CCTIM)
  • Certified Information Systems Security Professional (CISSP)
  • SANS Certified – specifically FOR578 Cyber Threat Intelligence Course
  • Demonstrable understanding of mechanics/technical aspects of IT security teams (SOC/IR/Forensics)
  • Ideally an IR, SOC, or deep technical security background, but not necessary.
  • A real interest and passion for cyber threats and associated technology, evidenced by industry or academic engagement in the subject
  • High-level stakeholder management and engagement experience
  • Ideally, experience in using various open sources and tools to research external threat actors and threat actor groups

Would you like to know more? Please contact me today on 0207 936 8946 or via email at hw@barclaysimpson.com