Software Engineering Institute | Carnegie Mellon University

Implementation Framework – Workforce Development and Management

Background

The Software Engineering Institute (SEI) Emerging Technology Center at Carnegie Mellon University studied the state of cyber intelligence across government, industry, and academia to advance the analytical capabilities of organizations by using best practices to implement solutions for shared challenges. The study, known as the Cyber Intelligence Tradecraft Project (CITP), defined cyber intelligence as the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities to offer courses of action that enhance decision making.

The characteristics of organizations and cyber intelligence capabilities varied among CITP participants. The SEI team worked with organizations just starting a cyber intelligence program, organizations with a robust or advanced program, and others that were somewhere in between. An organization’s cyber intelligence workforce – who to hire in leadership and analyst roles – emerged as a common struggle, regardless of the organization’s size.

During CITP, the SEI team learned of the differing demands of cyber intelligence analysts, typically based on the size of the organization or the maturity of their cyber intelligence program. Often, organizations did not have clear expectations for what the analyst’s skills or competencies should be to best fit within their intelligence functions. Generally, organizations hired their cyber intelligence analysts by taking a nontechnical analyst and providing them with training in cyber security, or by taking a technical practitioner and teaching them to look at the bigger picture and analyze technical data through a strategic lens. 

The team also learned of the varied responsibilities of cyber intelligence leadership. Leadership was generally hired based on past intelligence experience, often from government positions. While these individuals have a vast amount of knowledge and experience, organizations need to be cautious and hire based on the maturity of their cyber intelligence function. Leadership requirements will differ for organizations just starting a cyber intelligence initiative versus organizations with an advanced function. 

The Workforce Development and Management Implementation Framework provides organizations with a guide to acquire the leadership, analysts, and tools appropriate for their cyber intelligence function.

Implementation

Here’s how an organization can leverage the Workforce Development and Management Implementation Framework to develop and improve their cyber intelligence function:

  1. Determine the profile that best describes your organization. The table below characterizes three different organizations by indications of targeted attacks and cyber footprint (comprised of environment and network size).
    Organization A

      Indications of Targeted Attacks: This organization has no indications of targeted attacks and is not in one of the government-identified critical infrastructure sectors.

      Cyber Footprint: The organization utilizes cyber intelligence to predict and defend against attacks to its cyber footprint, comprised of a network with 25,000 nodes or less, and an external web and social media presence. The network does not contain third-party connections and provides very limited external capabilities (i.e., no VPN, telnet, remote access, IDP).

    Organization B

      Indications of Targeted Attacks: This organization has received some indications of targeted attacks and may be in one of the government-identified critical infrastructure sectors.

      Cyber Footprint: The organization utilizes cyber intelligence to predict and defend against attacks to its cyber footprint, comprised of a network of 25,000 – 150,000 nodes, and an external web and social media presence. The external web presence does include some interactions with customers. Third-party network connections are required for business operations, most notably customer transactions and PII data. This organization may have an international network presence and allows its employees external network access (VPN, telnet, remote access, IDP).

    Organization C

      Indications of Targeted Attacks: This organization has received indications of persistent targeted attacks and is in one of the government-identified critical infrastructure sectors.

      Cyber Footprint: The organization utilizes cyber intelligence to predict and defend against attacks to its cyber footprint, comprised of a network with more than 150,000 nodes, and a substantial external web and social media presence. The external web presence includes interactions and transactions with customers, and the organization hosts customers’ PII data. Third-party network connections are required for business operations and are heavily integrated into the organization’s network. This organization has a multinational presence and allows its employees external network access (VPN, telnet, remote access, IDP).

  2. Use the graphic below to establish and/or improve your organization’s cyber intelligence function.
    • Identify the current state of your organization’s cyber intelligence function
    • Identify the progression path for your organization’s cyber intelligence function
    • Use the graphic below to determine the leadership and analyst experience, tools, and technical proficiencies needed to establish and best grow your organization’s function

The team recommends that companies fitting the “Organization A” description operate, at a minimum, at the Startup Cyber Intelligence Function; that companies fitting “Organization B” operate at the Established or Advanced Cyber Intelligence Function; and that companies fitting “Organization C” operate at the Advanced Cyber Intelligence Function.

Startup Cyber Intelligence Function

Established Cyber Intelligence Function

Advanced Cyber Intelligence Function

Indicators of Success

  • Organizations are able to determine a profile that best describes them, either by indications of targeted attacks or by cyber footprint.
  • Organizations starting a new cyber intelligence function are able to identify/craft the objective for the function.
  • Organizations are able to utilize the guidance on key competencies, skills, and traits of an intelligence analyst to craft job descriptions and hire analysts needed to support the cyber intelligence function.
  • Organizations are able to utilize the guidance on leadership to identify and hire the best person to lead the cyber intelligence function.
  • Organizations are able to utilize the guidance on analyst experience and tools and technical proficiencies to identify the most competent staff and the tools needed to support successful analysis.
  • Organizations are able to determine the progression path of their cyber intelligence function and use the guidance provided to identify the leadership experience, analyst experience, tools, and technical proficiencies to advance their cyber intelligence capabilities.