Growing a Threat Intelligence Program is like Growing a Beard

*Disclaimer: Limitations in beard growth do not correlate to actual ability to implement a threat intelligence program.

It was just after Thanksgiving dinner and my two-year-old daughter was sitting on my lap while I drowsily watched the Bears and Packers game. As she sat there patting my face and pinching my chin whiskers, she said “Daddy, I like your zebra.” I was confused at first, but it finally dawned on me what she was trying to say, and I explained to her that my greying beard, while impressive, was not an exotic African species. Maybe I was having one of those L-tryptophan overdoses, but the conversation triggered a synapse where a deep subliminal connection was made.

You see, I have been spending quite a bit of time looking at #BeardsofTI and thinking about how to help organizations mature their Threat Intelligence programs and get the most value out of their security investments by applying “process and platform.” Some of our customers are asking – Where do I get started with Threat Intelligence? Can you help us set up a Threat Intelligence Program? How can I take my Threat Intelligence Program to the next level?

This is where things start to sound strange, so please bear with me and settle into your seat for this ride to “crazy town”. I thought to myself that setting up and maturing a Threat Intelligence program was really no different than growing a sweet beard. Here is why:


Coming of Age:

I see the Threat Intelligence community as coming of age: “threat intel” is that snarky industry whippersnapper stepping up to the plate while the old school “rainbow series” is collecting dust in the corner. Like all coming of age stories, there’s a young hero or heroine who has been called to action; they, like all those before them, lack experience and understanding. Though they are not yet fully capable (perceived or realized), it is through the journey, the process and the adventure that they become more capable as they go. It is no different from when many young “shavers” look themselves in the mirror, and for the first time begin to see that the youthful peach fuzz has now become darker and more coarse – it is here that the first visible signal of an important transitional point in their life is finally seen. In conventional terms this call to action may be in the form of a breach or some sort of motivator that has signaled to an organization or industry that they need to take the next step in their journey in establishing a Threat Intelligence Program, a transition that will thrust them forward to take decisive action to counter specific risks in a more mature and efficient way.


Decide & Commit:

You will notice in the last sentence I used the term “decisive” to describe the type of action. Like growing a beard, establishing or maturing a Threat Intelligence program is going to require a decision, and that decision will require commitment to ensure that the investment of time, talent and treasure is well spent. Challenge yourself not to think about where you want your Threat Intelligence program to be in the short term; play the long game and think about the out-years. Where do we want to take this program? What are the investments that we need to make to ensure that we are not taking one step forward and two steps back? Are we building our program on rock or sand?

The higher up the corporate “food chain” you go, the more you need to be prepared to speak in these terms and timelines to reinforce buy-in and obtain top level commitment. Be prepared to use process and routine metrics so that you can continue to promote the value of the Threat Intelligence Program or see where you can make process refinements as needed.

Just like all things in life, there is a right way and a wrong way to do something. There is no room for half-heartedness with Threat Intelligence or a beard: if you don’t decide you are going to do it the right way, you and others are going to be able to tell – and you are going to look stupid.


If it Hurts it’s Probably Worth It.

So you have made a decision – and you are going to do this thing. If you are setting up a Threat Intelligence Program or growing a beard you have to accept that things aren’t going to be perfect at first; in fact there is a point where things become uncomfortable and painful. When growing a beard there is that week 2-3 mark where things are scratchy, itchy, breakouts may even happen – but you have to work through the discomfort because you have something awesome waiting for you on the other side. When establishing and growing your Threat Intelligence program, understand that you may be in this season of pain and discomfort for some time as you begin to understand what your organizational needs are. It’s important to not rush through this phase; you must work through the crucible of pain and discomfort because this is where you are going to learn the most. Know this is coming and your willingness and ability to embrace it will depend on the velocity in which you work through it. Your Threat Intelligence program is going to involve many opinions and stakeholders, and the processes you establish will require you to work cross-functionally and support other teams. One key principle to understand is that Intelligence always supports Operations, not the other way around.


The Awkward Stage:

Congratulations, you have made it through the gauntlet: you have endured the discomfort and pain and made it out to the other side. The good news is that things don’t feel too bad anymore; the bad news is that they look…awkward. You wake up in the morning, you look at your beard in the mirror and you can see in it a few things that can be tightened up, much like when you get to work and you see how your Threat Intelligence Program also has things out of place, processes are uneven or some people just aren’t fitting in.

This newfound awareness is an indicator of maturity. The fact that you can see things that would not have been so obvious a few months ago should give you encouragement. You may even have an idea on how to correct many of the observed shortcomings. As you navigate the road of maturity, be mindful that you do not become complacent and settle in to the point that you are not challenging yourself or your Threat Intelligence Program. You may find yourself asking – do I keep things simple, short and clean, or do I go all in where things may get complicated? By challenging the status quo one can usually achieve greater things; by keeping things “simple” you may not be achieving your full potential or delivering the full value to your organization.


Maintaining Mature Decisions

Whichever route you decide to go (easy or complicated), you are going to have to do some sort of maintenance to keep things in order for the long term. Like snowflakes, all beards (and enterprises) are different, but made out of the same “stuff” while maintaining unique shapes, sizes, structures and use cases. Beard maintenance and grooming (cutting, trimming, combing, oiling, waxing) requires work; it is a new creation after all. Like it or not – your Threat Intelligence Program is going to require similar processes and regimen if it is going to be a long term success.

It is also important to remember that just like beards, Threat Intelligence Programs are not “one size fits all”; they are unique and customized to the organization they support. So be very wary when you are told that Threat Intelligence is just aggregating post-processed indicator feeds. A mature Threat Intelligence Program will know the futility in spamming your SIEM, understanding how this complicates processes, creates more work and ultimately distracts the organization. Organizations that cut corners and seek what they perceive to be the easy button will ultimately learn things the hard way.

The future success of your Threat Intelligence Program will be wholly dependent on the maturity of the decisions that you make moving forward. Over time you will find that through process, structure and organization things actually become easier and more efficient.

Share What You Know


Whenever I see a beard or Threat Intelligence Program for that matter – I can appreciate either for what they are. One can quickly study (or admire) the fruit of the time and effort that was placed into creating either one.

Individuals both from within and external to your organization are going to look at you. Some may be inspired to achieve similar successes. In doing so they may seek to obtain insights into how certain things were done, at what time, what choices were made along the way and why, what worked and what didn’t work. All of these examples are forms of a higher order of information sharing. You have been there and done that; now that you are a Jedi Master you are in a position to help others out, so share your insights and experiences. Give others the necessary tools and feedback that they can leverage in pruning and maintaining the growth of their own legacies and works of art.

If you are looking at setting up and maturing your Threat Intelligence Program, register for a FREE ThreatConnect account and a follow-up discussion. We would love to help you wherever you are with your Threat Intelligence Program. Looking to show off your beard? Check out our Beards of Threat Intelligence contest. Whether you are growing a beard or a Threat Intelligence Program, connect with us, and you will find that we will grow with you…and on you.

About the Author
Rich Barger

Rich is a pioneer in threat intelligence analysis and is the Chief Intelligence Officer and Director of Threat Intelligence at ThreatConnect. In 2011, Rich sought like-minded security experts and together they founded ThreatConnect. Rich has more than 15 years of experience supporting DC’s most elite cyber defense and intelligence organizations from within both the public and private sector as a former U.S. Army Intelligence Analyst and security consultant. Rich is an analyst at heart, and his technical and operational vision is truly what makes ThreatConnect a disruptive new technology for organizations worldwide. Rich leads the ThreatConnect Intelligence Research Team, a globally recognized threat research team. Rich maintains a variety of professional industry certifications, and a BS in Information System Security. Rich is married and is a proud father.