It struck me the other day while talking to a friend about their journey to purchase a house on how alike threat intel analysts are to realtors. Ultimately, people come to both for the same or nearly the same reasons. Consider for a moment, the competencies you want to see in a realtor. You would want them to have an in-depth understanding of the area of your interest. After all, a realtor without background in the area can’t really guide you to a well-formed decision. The same, of course, goes for experience. A new realtor has energy and will but rarely have the practical skills that allow them to sidestep issues, work efficiently and answer the questions that can break a deal. That ability only comes with time and going down that road with buyers and sellers repeatedly. The next is access. A realtor has to have access, not just to the home of interest, but also information – how it fits in the neighborhood, market changes, context around noise, local regulations, HOA issues, recent or past events and plenty more. Wielding that info – dare I say intelligence – well is what demonstrates competency and capability. Last, but probably most crucially, you want the realtor to be skilled in negotiation. Not just the ability to barter and horse trade on your behalf with the other party and their agent but also between them and you – if they can’t determine when to give and when to push with you they will not deliver the right work for the requirement you need filled. Any realtor with those skills is the one you want to work with to buy or sell a home. The same applies doubly for threat intelligence – the need for near identical capability is just as critical. In-depth understanding of threats and intelligence as they apply to your company, market and venue? Check. Experienced over green? Totally. Access? Equally critical. A threat researcher with years under their belt but without a network and methodology to get, process and fit the intelligence to its proper place fails in the access category. Negotiation? Oh yeah. It’s neat to watch a film where the main character is so smart and capable that they overshadow everyone and everything. Their inability makes a good picture, but no one wants to work with that kind of person. They lack communication skills that can bridge the gap between the highly technical and the executive. The negotiation capability provides knowledge transfer to the right people who are technical and enlightens those with more of a managerial role, via communication that conveys facts in the manner they require.
In the right light, you can easily see how the two occupations are not that far apart. The buyer, in this instance is the company that employs you. The seller is the invader; the enemy at the gate, the adversary entering in every vulnerability you leave open, willingly or unwittingly. As buyers, we are constantly looking at the landscape and the market or “the neighborhood”. Sellers put their homes, or “exploits”, “malware”, “campaigns”, “phishing”, etc. on the market, either willingly or unwillingly when they are outed or discovered by security vendors and researchers. We chase after the latest exploits, sleuth on vulnerabilities and dig up malware in the pile of debris that lands on the shores of our network, each-and-every day. It’s a non-stop business and a seller’s market. An indifferent realtor in that kind of market can provide terrible service and still make more than a living. After all, the drive of the market will put sales in their hands even without them truly trying. A qualified one, as we discussed above, can skillfully, efficiently and effectively do the same thing — usually with explosively more success, both for them and those they service. Threat intelligence moves to the same tempo. Care to measure true success in your team of Threat intelligence analysts? Gauge them with this rubric and see where they fall. If it’s not where you desire then consider the investment that is required to attain that level. Realtors are mandated to attend annual training — are your threat analysts doing so? They also network and attend seminars to expand their horizons. It’s a rare successful realtor that doesn’t constantly enhance their knowledge and tradecraft. When did your threat analysts last attend a luncheon, seminar or briefing on their skills? Last and probably more important, an engaged realtor is successful. The same applies to threat intelligence. Only in performance can skill rise. Make sure your threat analysts are actually performing their work. If too much of their day belongs to everything, but this work — no matter how important it might be — don’t expect them to attain the heights of skill possible in threat intelligence. They will never get the needed practice.