Guide to Careers in Cyber Operations and Collections Management
As part of an integrated cyber defense strategy, large companies, government agencies, and cybersecurity consultants commonly maintain internal cyber intelligence operations and/or contract out for cyber intelligence support services. Cyber intelligence operations involve collecting, processing, and disseminating information about actual and potential cyber threats in order to identify threats, address vulnerabilities, mitigate risk, and reduce the ultimate impact of potential incursions and attacks.
Cyber operations professionals are responsible for managing intelligence, counterintelligence, threat assessment, and harm mitigation efforts for organizations. Therefore, cyber operations and collections management is an area of specialization within the field of cybersecurity that requires organizational management and leadership skills, in addition to technical knowledge and proficiencies.
Employment Opportunities in Cyber Operations and Collections Management
Professionals who work in cyber operations and collection management typically oversee the activities of cyber intelligence gathering and analysis teams, coordinate those activities with broader cybersecurity and IT management concerns, and/or conduct independent threat assessment analyses for employers or clients. In addition, cyber operations and collection management professionals are commonly tasked with communicating cyber intelligence operational needs, concerns, and findings to other relevant parties within an organization and, when appropriate, writing reports that may be circulated internally and/or shared with external partners.
While cyber intelligence has long been integral to military and governmental intelligence efforts, investment in and deployment of cyber intelligence personnel and resources, and the reliance on cyber intelligence operations, have spread to many enterprises in the private sector. Large companies in fields such as banking and finance, healthcare, manufacturing, and technology, as well as in other sectors of the economy where cybersecurity is a pressing concern, commonly maintain internal cyber intelligence operations and/or contract out to cybersecurity consultants for their intelligence needs. State and local law enforcement and government agencies may also conduct cyber intelligence collections and analyses as part of their larger IT and data security operations or use outside contractors to meet their cyber intelligence needs.
Cyber operations and collections management professionals may find work in the areas mentioned above, typically after several years of cybersecurity experience and/or formal training in cyber intelligence, IT management, and/or information security. Common titles for those working in this field include but are not limited to the following:
- Cyber Intelligence Officer
- Cyber Operations Planner
- Cybersecurity Collections Lead Investigator
- Cyber Vulnerability Assessment Manager
- Senior Threat Intelligence Manager
Knowledge, Skills, and Abilities (KSAs) for Cyber Operations and Collections Management Professionals
Cyber intelligence collections and management draws on acquired knowledge and practical skills in technical areas of cybersecurity, as well as in administrative areas, including professional communication, personnel management, team leadership, and organizational science. Thus, the knowledge, skills, and abilities (KSAs) generally required for work in this field can be broken down into two categories: technical knowledge of computer networks, operating systems, and major information technology (IT) and mobile infrastructure components; and the ability to apply managerial and organizational leadership concepts.
The functions associated with cyber operations management include overseeing, coordinating, and/or participating in the analysis, interpretation, evaluation, classification, and validation of raw data and other information collected via cyber intelligence and counterintelligence operations, as well as planning and mounting cyber intelligence and counterintelligence operations. Performing these tasks effectively requires up-to-date knowledge of common cyber threats, malware, viruses, and other vectors and modes of attack, as well as an understanding of the social, political, and/or economic factors that may motivate or incite potential incursions. Planning and overseeing cyber collections and operations in the intelligence sphere also requires familiarity with privacy laws and other legal statutes pertaining to information access, regulatory compliance, and reporting procedures in cybersecurity.
Cyber operations and collections teams vary in size, depending on the type of organization, and the nature, complexity, and scope of the operations. The management needs and the managerial responsibilities tasked to the individual or individuals coordinating and overseeing these operations vary accordingly. However, in general, cyber intelligence operations managers must have the interpersonal communication and organizational management skills to effectively direct intelligence operations and report the findings to relevant parties across an organization and between organizations. They must also be capable of providing leadership and direction to teams comprised of specialists in various areas of intelligence operations, including data analysts, ethical hackers, systems auditors, threat analysts, and others.
There are dozens of individual KSAs identified by the National Initiative for Cybersecurity Education (NICE) for cyber operations and collections management in its NICE Workforce Framework for Cybersecurity. Using the NICE Framework as a foundation and drawing on actual job listings for professionals in the field, the sections below provide an overview of some of the key areas of knowledge and proficiencies required to advance to a career in cyber intelligence collections and operations management.
General Technical Knowledge
- Computer and network security concepts
- Computer applications and operating systems (Unix/Linux, IOS, Android, and Windows)
- Computer assembly languages
- Data communications terminology (networking protocols, ethernet, IP, encryption, optical devices, removable media)
- Database systems and SQL
- Data mining
- Digital media formats
- Global Systems for Mobile Communications (GSM)
- Mobile and wireless network operations
- Object oriented programming languages (C++, Java, Python)
- Physical computer components
- Virtualization products (VMware, Virtual PC)
Cyber Operations Knowledge and Skills
- Application security risk vectors (the Open Web Application Security Projects Top Ten list)
- Classification and control markings standards, policies, and procedures
- Common cyber engagement strategies, policies, and activities to meet operational objectives
- Cyberattack methods and techniques (DDoS, brute force, spoofing)
- Cyberattack stages (reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks)
- Cyber operations concepts and terminology
- Data collection tactics, techniques, and procedures
- Encryption algorithms and decryption techniques
- Expertise in cyber policy and governance protocols and staffing needs
- Exploitation tools and techniques, including sniffers, keyloggers, and methods for collecting/exfiltrating data, conducting vulnerability analyses, and gaining backdoor access to computer networks
- Graphic User Interface (GUI) tool usage
- Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy
- Malware analysis tools (IDA Pro, Ghidra, WinDbg, HIEW)
- Methods for analyzing memory dumps to extract information
- Methods for collecting and analyzing of wireless local area network (LAN) metadata
- Network-based and host-based intrusion detection software (NIDS, HIDS)
- Organizational hierarchy in cyber decision-making processes
- Protocols for auditing firewalls, perimeters, routers, and intrusion detection systems
- Reverse engineering methodologies, including hex editing, binary packaging utilities, debugging, and strings analysis
- Software and methodologies for computer network defense and system hardening
- TOR network navigation of the dark web
- Methods for communicating complex information, concepts, and ideas via verbal, written, and/or visual means
- Methods for evaluating information for reliability, validity, and relevance
- Methods for processing exfiltrated data for analysis and/or dissemination to employers/clients
- Technical writing skills and the ability to prepare and present briefings
Training and Credentials in Cyber Operations and Collections Management
Due to the level of responsibility inherent in cyber intelligence operations management and the security clearances that may be required, cyber intelligence collections and operations management positions are generally staffed by professionals who have significant prior experience in cybersecurity, cyber intelligence operations, cyber threat analysis, cyber policy and governance, or a related field in cybersecurity. However, for those who are newer to the field, there are cybersecurity degree programs at the bachelor’s and master’s levels and graduate certificate programs that provide formal training and instruction in general and specialized cybersecurity proficiencies.
In addition to academic degree and certificate programs, there are professional certification programs offered by industry groups that are designed for individuals who have experience in cybersecurity and/or cyber operations and collections management and who wish to further hone their KSAs in the field. These types of certifications provide credentials that some employers may prefer or even require, depending on the position.
Bachelor’s, Master’s, and Graduate Certificate Programs in Cyber Operations and Collections Management
Bachelor’s degree programs in cybersecurity are typically designed to prepare students for entry- and mid-level positions in the field. These programs, which are offered in online, campus-based, and hybrid formats by a growing number of accredited colleges and universities, are like bachelor’s program in other fields and disciplines in that they require students to complete general education coursework as well as specified courses within a cybersecurity major.
Majoring in cybersecurity can be a good way for students who have not yet completed a four-year undergraduate degree to cultivate computer science, information technology, and cybersecurity proficiencies while learning general and technical communication skills and developing the kind of critical reasoning skills that are highly valued in the field of cyber intelligence. Some bachelor’s in cybersecurity programs may also offer advanced and/or elective courses in cyber intelligence topics.
There is more opportunity for specialization at the master’s degree level and there are a growing number of schools that offer master’s programs in cyber intelligence and master’s in cybersecurity programs with a designated specialization in cyber intelligence. The coursework offered as part of a cyber intelligence specialization typically addresses topics in cyber counterintelligence, open-source cyber surveillance, critical incident command and response, homeland security, digital forensics, and/or international cyber threats. This specialized coursework may also be offered as part of a stand-alone graduate certificate program in cyber intelligence, which is another way for bachelor’s program graduates to gain training in cyber operations and intelligence.
Professional Credentials and Certifications in Cyber Operations and Collections Management
Finally, there are private for-profit and nonprofit industry groups that provide training in various cyber intelligence and cyber intelligence operations management knowledge and skill areas. One example of an organization of this type is the SANS Institute, a private, for-profit cybersecurity training and credentialing company that offers a training program in Cyber Threat Intelligence as well as a Global Information Assurance Certification (GIAC) credential in Cyber Threat Intelligence (GCTI). The list below provides an overview of the some of the non-academic credentials that are available in cyber intelligence:
- GIAC Cyber Threat Intelligence (GCTI), offered by the SANS Institute
- Certified Cyber Intelligence Professional (CCIP), offered by the McAfee Institute
- Certified Threat Intelligence Analyst (CTIA), offered by the International Council of Electronic Commerce Consultant (EC-Council)
- CSFI Certified Collections Analyst, offered by Global Knowledge’s Cyber Security Forum Initiative
- CREST Certified Threat Intelligence Manager (CCTIM), offered by the Council for Registered Ethical Security Testers
Examples of Jobs in Cyber Operations and Collections Management
The jobs detailed below provide representative examples of the types of employment available in the field of cyber operations and collections management. These example jobs are based on research into actual jobs in the field.
Cyber Intelligence Collection Manager
- Primary Responsibilities: Conduct and manage cyber intelligence operations, including the collection and analysis of relevant cyber intelligence, for various clients.
- Education: Bachelor’s degree required; master’s degree preferred.
- Credentials: None specified.
- Prior Experience: At least eight years of experience as a collection manager supporting military intelligence or cyberspace operations and/or collaborating with Department of Defense collection management operations.
- Technical Proficiencies: Experience with all-source collection management systems, databases, and processes, and knowledge of industry-standard intelligence collection and requirements tools and databases.
- Other Attributes: Communicate technical intelligence findings to clients with varying degrees of technical knowledge and expertise.
All-Source Collection Manager
- Primary Responsibilities: Provide senior-level support to US Cyber Command’s Directorate of Intelligence using intelligence and information from multiple sources to assess, interpret, forecast, and explain a range of national security issues and developments.
- Education and Prior Experience: Bachelor’s degree and eight years of relevant technical experience or, in lieu of a bachelor’s degree, twelve years of relevant technical experience.
- Credentials: None specified.
- Technical Proficiencies: Knowledge of and experience with all-source intelligence collection management systems, databases, and processes.
- Other Attributes: Familiarity with the workings of US Cyber Command and its subordinate organizations.
Cyber Threat Intelligence Analyst
- Primary Responsibilities: Perform cybersecurity analytics to uncover patterns, trends, and insights from global datasets; work to develop practical threat intelligence; transform data into actionable intelligence; and communicate insights to peers and customers.
- Education: Bachelor’s degree.
- Prior Experience: Four or more years of relevant work experience.
- Credentials: None specified.
- Technical Proficiencies: Data visualization tools such as Tableau; telecommunications infrastructure systems; Microsoft Excel; command-line interfaces (Unix and DOS shells); interpreted programming languages (Perl, Python) and relational databases (SQL); big data platforms such as Hadoop, Splunk, SAS, and R; and experience with packet analysis, network forensics, and reverse engineering.
- Other Attributes: Strong communication and presentation skills; organizational leadership skills; and the ability to work independently.
Senior Manager of Cyber Security Operations
- Primary Responsibilities: Maintain the readiness of corporate security operations center (SOC); anticipate potential cyber threats; and prepare responses to cyber incidents.
- Education: Bachelor’s degree in computer science, computer engineering, information systems, or a related field.
- Prior Experience: At least seven years of experience in management security operations centers.
- Credentials: One or more relevant security certifications, such as the GCTI credential.
- Technical Proficiencies: In-depth understanding of Microsoft Windows and Linux/Unix operating systems, TCP/IP networking, and information security protocols.
- Other Attributes: Interdisciplinary team leadership; interpersonal communication and writing skills; crisis management skills; and the ability to explain technical threats to both technical and non-technical audiences.