The challenges of building a CTI team are abundant. There are common challenges every project manager faces when creating a technical team, like budget constraints and talent acquisition. However, there are also unique challenges like managing data, operational integration, and ethical/legal considerations.
This breakdown of the top five challenges you will face when building a CTI team will highlight common obstacles you must overcome and potential solutions to these problems. You will see how careful planning, understanding CTI’s impact on the business, and open-source tools can help you build a successful CTI team.
Before we discuss the challenges of building a CTI team, let’s review what a CTI does and looks like.
CTI Team Overview
Cyber threat intelligence (CTI) is a proactive approach to defending an organization against cyber threats. It involves collecting, analyzing, and disseminating intelligence about these threats and the risks they pose to the business.
It is just one piece of the puzzle for a business’s overall cyber security function. However, its potential impact on all business units distinguishes it from most other cyber security disciplines.
Threat intelligence can support technical security-focused operations like incident response, vulnerability management, and cyber defense. It can also help business executives reduce their digital footprint, the marketing department protect the brand’s identity, and the finance team minimize fraud.

This is because threat intelligence can include almost anything that impacts a business’s ability to operate in the cyber domain, from intelligence about real-time attacks to technological trends. If it poses a risk to the company, you need intelligence to make an informed decision and manage this risk.
Here are the three main types of threat intelligence.

To support the multiple business units and effectively collect, analyze, and share intelligence, a CTI team must have two roles:
- CTI Manager: They oversee the CTI function and ensure the intelligence produced aligns with business and security objectives. This work requires strong communication, management, and collaboration skills.
- CTI Analyst: They are involved in the day-to-day operations of the CTI team and drive intelligence production using the CTI lifecycle. This work requires strong technical and analytical skills.
As a CTI team matures and develops its capabilities, more specialist roles may be required to fulfill more complex intelligence requirements. You can learn about these roles in The CTI Team: Roles and Responsibilities You Need.
Now that you know what a CTI team looks like, let’s look at the five main challenges you must overcome to build a successful one.
5 Challenges of Building a CTI Team
Building a CTI team is challenging!
Creating any security team from scratch involves common challenges, such as talent acquisition and budget constraints. However, CTI also faces unique challenges, such as managing massive amounts of data, operational integration, and ensuring CTI operations align with the organization’s legal responsibilities and ethical policies.
Let’s explore the five main challenges of building a CTI team and some strategies for overcoming them.

#1 Talent Acquisition and Skill Gaps
It is no secret that there is a talent shortage in cyber security, with an estimated four million jobs needing to be filled worldwide. These positions tend to be more advanced roles in cyber security that require several years of experience and deep technical skills, such as CTI analysts and managers.
CTI requires candidates to have technical, analytical, and investigative skills. One day, you will perform threat analysis; the next, you could dissect malware or perform root cause analysis. This diverse range of activities requires your CTI team to have a broad skill set that covers forensics, malware analysis, threat analysis, technical report writing, and more!
Hiring a candidate with cross-disciplinary knowledge like this can be very difficult, especially in today’s highly competitive job market.
Solution
There are two approaches to addressing the shortage of talented CTI analysts.
- Spend a lot of money buying the best talent. Big tech companies and cyber security vendors employ this strategy. They have money to throw at this problem, so they will invest heavily in scooping up all the talent they can find who are ready to hit the ground running.
- Upskill your existing employees or new hires. Investing in CTI training and certifications (e.g., GCTI, CTIA, CRTIA) for your existing cyber employees is a great way to save the resources required to bring in top talent. It allows you to shape what your CTI team looks like and what skills and technologies they are trained in. It also makes your job offer attractive to prospective employees who are willing to sacrifice a higher salary for a better training budget.
#2 Drowning in Data and Intelligence
CTI is all about data. You collect it, process it, and try to make some sense of it by performing analysis. Your job is to take data in and spit intelligence out. This is not an easy task!
Organizations are often drowning in logs and security alerts, not to mention the vast quantities of external data floating on the Internet that impact the organization’s attack surface (e.g., leaked credentials, shadow IT, etc.). All this noise makes it hard to identify real threats and produce actionable intelligence in a timely manner.
Too much data is not a challenge unique to CTI; many operational cyber security teams struggle with it. What is unique to CTI is missing data, which prevents the team from fulfilling an intelligence requirement. Data could be missing because of a lack of access (e.g., a cybercrime forum) or because it was ephemeral (e.g., data on the malicious infrastructure being used to target your organization).
Solution
To avoid drowning in data, you need to invest in processes and technologies that will allow you to streamline the CTI lifecycle and optimize the efficiency of your CTI team.
To address the process piece, you must create a Collection Management Framework (CMF), sometimes called a collection plan. A CMF is a tool for identifying data sources and what information you can get from them. For instance, if an incident responder needs to identify malware quickly, they can consult their organization’s malware CMF to see what they can query for information using their malware-focused data sources.

CMFs are a fundamental pillar of all CTI teams. They allow you to map your intelligence requirements (and RFIs) to data sources that can help you fulfill them. This protects you from data overload and helps you understand what questions you can ask of your data.
CMFs also allow you to identify intelligence gaps. These are intelligence requirements that cannot be fulfilled because you do not have the data available to answer them accurately. To fill these gaps, you must invest in additional collection capabilities.
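A minimal CMF expressed as code, as an added example that is not part of the original article: it maps each intelligence requirement to the sources that can answer it and reports the gaps where no accessible source fits (including the "ephemeral data" case, modelled as a source whose retention is shorter than the requirement needs). The sources, requirements and capability labels are constructed for illustration.

```python
"""Collection Management Framework (CMF) model: requirements -> sources -> gaps."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Source:
    name: str
    answers: set                      # question types this source can answer
    accessible: bool = True           # False = known to exist, but we cannot query it
    retention_days: Optional[int] = None   # None = data kept indefinitely

@dataclass
class Requirement:
    rid: str
    question: str
    needs: str                        # question type that would satisfy it
    max_age_days: Optional[int] = None    # how far back the data must reach

def can_answer(src: Source, req: Requirement) -> bool:
    """A source covers a requirement only if it is accessible, answers the right
    question type, and has kept data for at least as long as the requirement needs."""
    if not src.accessible or req.needs not in src.answers:
        return False
    if req.max_age_days is not None and src.retention_days is not None:
        return src.retention_days >= req.max_age_days
    return True

def build_cmf(sources, requirements):
    """Return {requirement id: [names of sources that can fulfil it]}."""
    return {r.rid: [s.name for s in sources if can_answer(s, r)] for r in requirements}

def intelligence_gaps(cmf):
    """Requirements with no covering source are the collection gaps to invest in."""
    return sorted(rid for rid, srcs in cmf.items() if not srcs)

# Constructed sample data for a malware-focused collection plan (not real sources).
SOURCES = [
    Source("Internal EDR telemetry", {"malware-identify", "host-triage"}, retention_days=90),
    Source("Public sandbox (free tier)", {"malware-identify", "malware-behaviour"}),
    Source("Commercial dark-web monitor", {"credential-leak"}, accessible=False),
]
REQUIREMENTS = [
    Requirement("IR-1", "What is this file the IR team just found?", "malware-identify"),
    Requirement("IR-2", "Was this host compromised six months ago?", "host-triage", max_age_days=180),
    Requirement("PIR-3", "Are staff credentials for sale on criminal forums?", "credential-leak"),
]

if __name__ == "__main__":
    cmf = build_cmf(SOURCES, REQUIREMENTS)
    for rid, srcs in cmf.items():
        print(rid, "->", srcs or "GAP")
    print("Intelligence gaps:", intelligence_gaps(cmf))
```

Here IR-2 is a gap because the only source with host telemetry retains 90 days, and PIR-3 is a gap because the relevant source is not accessible; both are exactly the cases the text says a CMF should surface.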
The second piece of the puzzle is technology. Threat Intelligence Platforms (TIPs), like MISP and OpenCTI, streamline your data collection and processing using in-built filtering, machine learning, and automation. TIPs allow you to automatically ingest and process data to remove some of the burden from your CTI team.
For example, you could set a filter to only show data from a threat feed that is relevant to your geography, industry, and technology stack. This saves CTI analysts trawling through CTI reports irrelevant to your organization.
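The geography/industry/technology filter described above, written out as an added example (it is not code from the article, nor from MISP or OpenCTI, whose filter syntax differs): each feed entry is scored against an organization profile, and entries that declare no targeting scope at all are set aside for an analyst rather than silently dropped. The feed entries and the profile are constructed sample data.

```python
"""Relevance triage for a threat feed against an organization profile."""
from dataclasses import dataclass

@dataclass(frozen=True)
class OrgProfile:
    geographies: frozenset   # ISO country codes where we operate
    industries: frozenset    # sectors we belong to
    tech_stack: frozenset    # products/platforms we actually run

def relevance(entry: dict, org: OrgProfile) -> dict:
    """Return, per dimension, True (match), False (scoped elsewhere) or
    None (the report did not scope itself on that dimension)."""
    def hit(key, ours):
        theirs = {v.lower() for v in entry.get(key, [])}
        if not theirs:
            return None                       # unknown scope, not a miss
        return bool(theirs & {v.lower() for v in ours})
    return {
        "geography": hit("targeted_countries", org.geographies),
        "industry": hit("targeted_sectors", org.industries),
        "tech": hit("affected_products", org.tech_stack),
    }

def triage_feed(feed, org: OrgProfile, min_hits: int = 1) -> dict:
    """Split a feed into entries relevant to us, generic entries with no declared
    targeting (left for an analyst to judge), and noise scoped to other targets."""
    relevant, unscoped, noise = [], [], []
    for entry in feed:
        r = relevance(entry, org)
        hits = sum(v is True for v in r.values())
        if hits >= min_hits:
            relevant.append(entry["id"])
        elif all(v is None for v in r.values()):
            unscoped.append(entry["id"])
        else:
            noise.append(entry["id"])
    return {"relevant": relevant, "unscoped": unscoped, "noise": noise}

# Constructed organization profile and feed entries (not real reports).
ORG = OrgProfile(frozenset({"GB"}), frozenset({"telecoms"}),
                 frozenset({"Cisco IOS XE", "Microsoft Exchange"}))
FEED = [
    {"id": "rpt-001", "targeted_countries": ["GB", "DE"],
     "targeted_sectors": ["telecoms"], "affected_products": ["Cisco IOS XE"]},
    {"id": "rpt-002", "targeted_countries": ["BR"],
     "targeted_sectors": ["finance"], "affected_products": ["SAP"]},
    {"id": "rpt-003", "targeted_countries": [], "targeted_sectors": [],
     "affected_products": ["Microsoft Exchange"]},
    {"id": "rpt-004"},   # no scoping fields at all
]

if __name__ == "__main__":
    print(triage_feed(FEED, ORG))
```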
You can then take this a step further and use automation platforms, like Zapier or Make, to automate information analysis or intelligence dissemination by creating a processing pipeline that includes multiple SaaS technologies!
A great place to start your automation journey is by creating your own OSINT aggregator using a platform like Feedly or Inoreader. These news aggregation platforms allow you to see all your OSINT CTI sources on one screen, saving you time trawling through multiple sites to find intelligence relevant to your organization.
#3 Operational Integration
CTI teams often struggle to integrate with the wider cyber security function. It is clear how a malware analysis team or digital forensics and incident response (DFIR) team fits into day-to-day cyber security operations, but what about a CTI team?
CTI means different things to different people. The SOC analyst may see CTI as just a threat feed with IOCs; a manager may see it as a way of knowing who’s targeting the organization; and an executive could see it as a forecast of future cyber threats.
CTI can be used to fulfill all these use cases (and more). The trouble is that people often struggle to know how CTI can help them, so they don’t use it effectively. This usually leads to the CTI team doing intelligence work for the sake of doing intelligence work. They don’t bring value to the organization and produce a generic product that no one uses.
The CTI team becomes siloed.
Solution
Addressing operational integration is simple: talk to others in your organization’s cyber security function!
- Ask the SOC team what intelligence will help them do their jobs better. Is it a daily threat feed? Is it detection rules? Is it a list of the top malware targeting the telecoms industry monthly?
- Ask the DFIR team how you can help them. Can you create a process to enrich the IOCs they find? Can you collaborate on incidents to provide them with tactics, techniques, and procedures (TTPs) to search for infected machines?
- Ask the CISO what intelligence needs they have. Do they need a quarterly summary of major cyber threats? Do they need a rundown of the top ransomware actors to focus on? Do they want you to research the executive board’s digital footprint to find potentially compromising information adversaries could use?
You can even go outside of the cyber security function and ask other teams how you can help them. Can you use intelligence to help the fraud team identify fraudulent transactions, or perhaps the marketing team protect your organization’s brand identity?
Integrating the CTI team into the wider business requires strong collaboration with other business units. In return, it allows you to generate intelligence requirements that provide value and intelligence products that will make a difference.
#4 Budget Constraints
Another challenge all teams face is budget constraints. The cost of tools, technologies, and people with the expertise to perform CTI is high. CTI is a skilled job, and the cost of building a CTI team reflects this.
A commercial CTI feed could cost $270,000, a TIP to hold all this data could cost $130,000, and a single CTI analyst will cost $56K to $79K, minimum. You might also require investigation tools like Maltego (€5,000) or specialized data sources (e.g., dark web monitoring). These costs add up quickly, and demonstrating a return on investment (ROI) to the business is difficult.

The ROI of CTI, like cyber security in general, is challenging to demonstrate because it is difficult to quantify.
CTI is often measured by what doesn’t happen or what was potentially prevented (e.g., a data breach or ransomware attack). The goal of CTI is to manage risk. Most other business functions demonstrate their ROI with financial returns and what was gained. Hence, to show the value of CTI, you need to make its outcomes comparable to other business units.
In addition, unlike general cyber security, CTI provides insights that improve overall security posture over time (e.g., better risk management, improved SOC efficiency, stronger defenses). These long-term benefits are hard to quantify compared to immediate security investments (firewalls, EDR solutions), which have direct and measurable impacts.
Solution
There are two ways you can tackle the budget constraints your CTI team faces:
- Lower costs by using free and open-source CTI tools. You can use free threat feeds like AlienVault OTX, open-source CTI TIPs like MISP or OpenCTI, and free versions of investigation tools like the Maltego community edition.
- Better demonstrate CTI ROI.
To better demonstrate the ROI of your CTI team, you can use several strategies:
- Utilize Metrics: Track intelligence reports generated, incidents proactively mitigated, time saved in investigations, and enhanced SOC efficiency.
- Compare Costs: Illustrate the expense of CTI versus the potential cost of a breach (data breaches often lead to millions in losses).
- Leverage Case Studies: Offer real-world examples of how CTI has safeguarded your organization with a compelling narrative.
- Align with Business Goals: Show how CTI minimizes risk to revenue, customer trust, and regulatory compliance.
#5 PR, Ethical, and Legal
Another unique challenge that CTI faces is the PR, ethical, and legal battles it must overcome. Unlike other cyber security functions, CTI is not always viewed well. The general public often feels uneasy when intelligence work is mentioned.
- Why does my bank need an intelligence team?
- What data is being collected about me?
- Am I being spied on?
These questions originate from the portrayal of spies in the media and the real-life (gun and bomb) spy work of nation-states, which is often ethically contentious. As such, a CTI team must navigate this baggage and ensure that their work complies with data privacy laws, such as GDPR, CCPA, and sector-specific regulations.
They also must ensure they stay within legal and ethical boundaries. CTI can involve directly or indirectly interacting with cybercriminals in messaging groups like Telegram, on dark web forums, or within criminal marketplaces.
For instance, is it legal to buy stolen employee credentials from a cybercriminal to see if your organization is affected? Does buying access to a cybercriminal forum break your organization’s ethics? Can you legally (and ethically) task a cybercriminal to gather information about your organization from what is available on the dark web?
Cybercriminals and the dark web are very useful collection sources, but using them imposes risk and raises ethical and legal questions.
Solution
To navigate the PR, ethical, and legal challenges your CTI team faces, you need two key roles:
- A technical writer who can clearly communicate the findings of your CTI team to a non-technical audience. This could be internal stakeholders like executives or external stakeholders like the general public. Taking control of the narrative and describing how a CTI positively impacts a business’s customers can be beneficial.
- A gatekeeper to ensure the activities the CTI team conducts align with legal and ethical standards.
A gatekeeper is a specialized role in CTI that sits outside the day-to-day work of the CTI team and is usually only needed when the team engages with cybercriminals or performs dark web research. They ensure all operations align with the organization’s legal responsibilities and ethical policies by consulting with the business’s legal counsel and managing the risk associated with ethically ambiguous CTI operations.
Not all CTI teams will need a gatekeeper. Still, if you plan on using cybercriminals as a data source, it is wise to have one so your CTI team can operate with 100% certainty in the legality and ethicality of their actions.
It’s important to note that sometimes a visible CTI team is good, but you don’t want to document everything your team does. Revealing tradecraft or operations can negatively impact the intelligence product you produce. Be careful what you share!
Conclusion
There are some big obstacles to overcome to create a successful CTI team. This article highlighted five of them:
- Talent Acquisition: Building a CTI team requires employees with strong analytical and technical skills. There is a shortage of these people in cyber security, making acquiring them a challenge.
- Data Overload: Various internal and external data sources produce an overwhelming amount of data for a CTI team to process and generate intelligence from.
- Operational Integration: CTI is a unique discipline within cyber security. Integrating it with other cyber security functions can be challenging.
- Budget Constraints: CTI people and technology are expensive, and demonstrating its ROI is difficult. This often leads to tight budget constraints for the CTI team.
- PR, Ethical, and Legal Issues: CTI operations can involve interacting with cybercriminals, which raises ethical and legal considerations.
It also discussed potential solutions you can use to overcome these challenges and ensure you have the right people, processes, and technology to produce actionable intelligence. Remember that careful planning and understanding CTI’s impact on the business are key to building your CTI team.
Frequently Asked Questions
How Do You Build a CTI Team?
Building a Cyber Threat Intelligence (CTI) team requires careful planning, skilled professionals, and effective tools for collecting, analyzing, and sharing threat intelligence.
You need to choose who will manage the CTI team and collaborate with them to determine the objectives the CTI function should aim to achieve. Then, they can select CTI analysts and the necessary tools or platforms to achieve these objectives by developing processes and workflows that ensure efficient intelligence collection, analysis, and dissemination.
What are the Challenges of CTI?
Cyber Threat Intelligence (CTI) is a proactive approach to defending an organization against cyber threats. It involves collecting, analyzing, and sharing intelligence about risks that impact the business.
This requires talented individuals with strong analytical and technical skills, the ability to process large amounts of data efficiently, and streamlined operational integrations with the rest of the business. To be successful, you must overcome these challenges.
What Does a CTI Team Do?
A Cyber Threat Intelligence (CTI) team is a specialized unit within a business’s cyber security function. Their primary responsibility is to collect, analyze, and disseminate intelligence regarding cyber threats to assist organizations in managing the risks they encounter.
The team seeks to proactively identify threats, comprehend adversary tactics and techniques, and provide actionable insights to enable key stakeholders to make informed decisions.
What Are Some Potential Challenges to Developing a Threat Intelligence Program?
There are five main challenges you must overcome when developing a cyber threat intelligence (CTI) program:
- Talent Acquisition: Building a CTI team requires employees with strong analytical and technical skills. There is a shortage of these people in cyber security, making acquiring them a challenge.
- Data Overload: Various internal and external data sources produce an overwhelming amount of data for a CTI team to process and generate intelligence from.
- Operational Integration: CTI is a unique discipline within cyber security. Integrating it with other cyber security functions can be challenging.
- Budget Constraints: CTI people and technology are expensive, and demonstrating its ROI is difficult. This often leads to tight budget constraints for the CTI team.
- PR, Ethical, and Legal Issues: CTI operations can involve interacting with cybercriminals, which raises ethical and legal considerations.