Episode #117

DTCC’s Scott Scher on Why CTI Teams Forecast Instead of Predict

Show notes:

Scott Scher, Cyber Threat Intelligence Lead, makes a distinction that reframes how intel teams should think about their own value: they are forecasters, not predictors. That shift in framing has concrete consequences for how CTI programs justify themselves internally, and Scott argues that the most meaningful metric isn't alert volume or report count, but the decisions intel has actually influenced. 

Scott also addresses where he sees the threat landscape heading, and his read on ransomware cuts against how many teams are still oriented. He argues that encryption-focused ransomware has largely peaked in value for attackers; the real shift is toward pure data exfiltration. He also offers a grounded take on AI in CTI: it is useful for accelerating manual analyst tasks like data gathering and link analysis, but only if intelligence teams define how it gets used before the organization defines it for them.

Topics discussed:
  • Why CTI teams operate in the forecasting space rather than the prediction space
  • The practical implications for how assessments are communicated to stakeholders and leadership
  • The challenge of quantifying CTI value through decision-driven metrics rather than output volume
  • Mapping each stakeholder's workflow outputs and the triggers that drive them, then injecting intelligence at the right point in that chain
  • The evolution of ransomware toward exfiltration-only models, and why this reframes the defensive priority from backup to data loss prevention
  • How CTI teams can use strategic intelligence to drive organizational decisions on edge device hardening and third-party risk
  • The role of AI in intel workflows as a force multiplier for manual analyst tasks, and why teams need to define that use case proactively
  • The collective defense model emerging at the state and local government level
  • Why making analytic assessments scientifically defensible is what separates credible CTI from noise

Key Takeaways:
  • Reframe your team's value proposition around decisions influenced, not products delivered.
  • Map each stakeholder's workflow before defining your intelligence requirements.
  • Conduct monthly stakeholder cadences specifically to capture feedback on delivered products.
  • Ask stakeholders about their biggest obstacles, not just their intel requirements.
  • Reorient ransomware defensive priorities toward data loss prevention.
  • Use sustained trend analysis to build strategic intelligence cases for resource allocation.
  • Get ahead of how AI is used in your CTI workflows before organizational pressure defines it for you.
  • Treat qualitative stakeholder feedback as a scientific input, not an afterthought.
  • Document the reasoning behind every intelligence assessment, not just the conclusion.
  • Pursue an interdisciplinary lens when building CTI programs and hiring.
