As CISOs, we’re trained that when things happen to our organizations, it’s supposed to stay inside, close to the vest. 

I say we need to be more open about what’s happening on our turfs. I think our industry would dramatically benefit by the creation of information-sharing networks that enable CISOs to work together and form a unified defense around their organizations.

Informally, CISOs should be reaching out to one another, building networks so they can find backchannel ways to share digital information related to attack vectors, bad IPs and bad actors. This is the sort of thing that should be formalized inside the organization so other executives know it’s happening. I think it makes sense for companies to create multiparty NDAs that allow their CISOs to work together.

The idea behind it should be information-sharing for the common good.

Take the medical community as a model. If there is an odd patient outcome, or even a death, there is a case study on it. There is a conversation among doctors on how to prevent it from happening again. We do not do that in the cybersecurity industry, but I think that sort of information sharing would go a long way toward reducing the effectiveness of the attacks that do occur and making it harder for cybercriminals to succeed.

Obviously we have to be mindful of risk and liability issues, but I would compare this to how intelligence agencies and governments share information. They formulate memorandums of understanding that delineate what sort of information will be shared, who’s allowed to have access to it, who’s allowed to action it, and so on.

With CISOs, it should be pretty simple. It should be the CISOs and maybe their deputies. The group could set up a secured space where information is shared. Perhaps the information that’s shared is anonymized data that consists of IP addresses and other information that shows where those attackers are originating. Or maybe it’s a dossier on how an attack was executed and your team’s response, or how an attack was averted. It could also include reviews of products or services, or a recommendation of a candidate for a job.

You’re not sharing company secrets, but presenting an opportunity for your companies to work together in thwarting different types of attack vectors. Sharing that kind of information is invaluable for an industry that is under constant attack.

Work with your competitors and your partners, too. CISOs often buy software and services, but don’t align themselves with the vendors. I think that’s a missed opportunity to network and gain deeper insights into the operations of some of these organizations for the purposes of information sharing.

CISOs also have to do a better job of collaborating with government and law enforcement – no matter how small or big your shop is.

If an attack shuts down your organization, law enforcement would get involved. But if you don’t have relationships upfront, it’s hard to figure out a process. So take the time to align yourself with local and federal resources. Reach out to their computer science groups to figure out who would be your key contact if something goes wrong, and develop a rapport. Understand the numbers to call, how information ingestion proceeds, and what details they’ll be looking for.

Another key point is the ability to align teams. Companies, even of equal size, won’t necessarily have the same level of security staffing. The proactive thing to do is to develop relationships so that in times of crisis, you can use the assistance of other people in your network. It really is a team sport.

The one thing that we know is that the criminals are working together. I think it’s time that CISOs start to do the same thing.