How I Moved from Journalism to Cyber Threat Intelligence
People often ask about my background in journalism. I give the same general response to everyone: Working in journalism is similar to cyber threat intelligence. It’s a lot of researching, reporting, writing, and talking to people. You develop sources, collection processes, and reporting methods, with the goal of communicating important information to readers.
At first this response was my way of saying I belong here. Now, it is my way of saying The community needs more people like me.
When I first transitioned from journalism to threat intelligence, people seemed curious about the move. I figured the novelty would wear off eventually — being defined by my previous career in a new one I was attempting to develop became frustrating. I wanted to build my skill set, dive head first into a technical role and shed my journalism identity like a snakeskin. Having a unique background seemed like a detriment. Everyone I knew and worked with seemed to come from similar worlds: computer science, network security, the military and intelligence services. I felt like I didn’t belong.
The transition was not easy. But the most difficult part for me was realizing my value. I thought I wanted to “fit in” to a community defined by the (mostly male) people who work in it. The loudest and most well-known voices are people with backgrounds that starkly contrast my own. I read the recommended handbooks, watched countless hours of YouTube, filled notebooks with lessons learned from my contemporaries. I began attending and speaking at conferences. I started to develop my own voice and engage with “customers,” that is, the people working tirelessly to protect their businesses from cyber threats. The people I wanted to help. The people reading what I wrote, and listening to what I had to say.
Eventually I realized a background in journalism is invaluable in cyber threat intelligence. Effectively communicating threats to all audiences — from defenders to operations engineers to CISOs — is a skill most people do not have. And effective communication that tells a reader what they need to know and what to do about it is a key piece of making threat intelligence useful. (I recently spoke at the SANS CTI Conference on this topic, and how journalism concepts and skills can be translated to produce clear, concise threat intelligence.)
I do not think all journalists should become threat intelligence analysts. Journalism is vital for an educated, thriving world, one where people in power are held accountable. And one where cybersecurity is better understood. However, I think the industry needs to change the way we think about effective threat intelligence reporting and analysis, and bring in more people like me who think differently, who have different backgrounds, and who bring unique voices to cybersecurity.
CJ, my director at Dragos, said I was the most creative analyst he’d ever worked with. I think this was due, in part, to taking a critical look at information, sources, and processes, and rigorously questioning them. Sometimes I would find information that had been overlooked. Sometimes I found patterns in data that no one else had. And sometimes I confirmed the hypotheses of my peers, but approached the conclusion differently. CJ helped me realize that creative thinking and different ways of approaching problems was important, and that “fitting in” was not necessary.
Dragos took a chance on me and helped me develop into a really great cyber threat intelligence analyst (if I do say so myself). And I’m so beyond stoked to continue my work at Proofpoint.
As I am on break between jobs, I thought it would be a good time to jot down some advice to journalists and other people with core skills beyond computer science or traditional intelligence. We need you in this field. And if I can help build a path for you, I’d like to be able to do it.
My friend Katie Nickels, the director of intelligence at Red Canary, has already done a lot of this work, and I highly recommend reading the following:
FAQs on Getting Started in Cyber Threat Intelligence
A Cyber Threat Intelligence Self-Study Plan: Part 1
Her work focuses on the practical elements, so I would like to provide the following things to consider to complement her existing work, specifically focusing on the transition from journalism to CTI.
Think about the reasons why you are a journalist. I cared about informing people of threats, playing a small part in making the world a bit more informed. Journalism to me meant constantly learning and helping others do the same. This dovetailed with the work I did at Dragos (and soon at Proofpoint!). What are your reasons? Will you find the same fulfillment in a role outside of journalism?
Remember you will not see your byline as often, if ever. You will not get the adrenaline rush of hitting publish on a scoop. You will be part of a team that works together, and the content you create will usually not have your name on it. Personally, this was a bit hard to get used to. Everyone has an ego and I think journalists sometimes have a larger one than others — we publish things with our name on it and like to get the credit. On a team of analysts, researchers, hunters, etc., CTI is a team sport. At least, it should be.
If you are lucky you will work with some of the smartest, nicest, friendliest people who know that CTI is a team sport. They will help you learn and grow as an analyst and as a person.
Working in the private sector means you are beholden to business interests, not the public who read your work. CTI is marketing. There are layers of interests your public work must go through before it sees the light of day, not just editors and fact-checkers with the occasional lawyer review.
You will learn that CTI is not magic; it is staring at a screen for hours and hours hoping you find something interesting and then dig until you do. Sometimes you won’t.
You will have to approach every customer differently. You will have to do sales work. You will have to massage the way you speak depending on the audience. But you probably know how to do this based on years of developing sources and knowing what people want to hear to get them to tell you things.
The cybersecurity and CTI communities in general still value “technical skills” over “soft skills.” I hate that term. Katie Nickels suggests calling it “core skills.” That is so much better.
The industry can be sexist. This will come as no surprise to female journalists who have to deal with it in the media industry, too. Women will need to fight harder to prove their value. Just something to think about.
Knowing you helped make an organization — and its people — more secure is very, very rewarding.
CTI pays better.
I love working in cyber threat intelligence. I love being an analyst. I am so blessed that life’s path took me in this direction. One day I might go back to journalism. And one day I would like to write a book. Until then, I will keep telling stories to help people protect themselves.