Cybersecurity - Sharing is Caring???
Steve's idea is simple but profound - companies deal with different threats, and in each case probably learn something new. If they are willing to share what they learned with others, it may prevent repeats from the same attack. Imagine what Sony, Target, Morgan Stanley, Chick Fil A, etc could teach us.
It seems that our adversaries are already doing a good job of this. According to Dell's recently updated Underground Hacker's Markets report, there is a full marketplace shared among hackers where they can trade software, infected computers, stolen credit cards, and just about everything else you can imagine. It seems that their collaboration is much better than ours.
As much as I want to believe that Steve's approach could work, I am a bit pessimistic. Organizations never seem anxious to share internal information, particularly where a failure is involved. I just don't see this working in the enterprise world. The process would end up with a bunch of meetings for show, during which nothing of significance was actually shared.
I believe there is a greater chance, however, that infosec information sharing could work in the SMB world. In my experience, owners of SMBs are much more willing to learn from others, and to help others be successful. They are also less likely to have full-time staff devoted to infosec, risk management, and compliance. By pooling their resources, their collective risk management could exceed the sum of the parts.
The purpose of this entry is to suggest two approaches by which SMBs could take advantage of Steve's profound idea:
1) Form Risk Management Advisory Groups
In this approach, SMBs in the same general business area (i.e. manufacturing, medical, service, etc.), but not in direct competition, could meet on a regular basis to discuss their infosec issues, how they approach policies and procedures, and the questions they face in these areas. Others in the group who have faced similar issues can discuss their approach, offer suggestions, etc. By so doing, they could learn from each other.
It would take some form of mutual non-disclosure agreement to assure the participants that no competitive or confidential information would be shared. It would also be helpful to find some third party to facilitate the discussions, preferably someone with strong knowledge in the area, such as a CIO or CISO from a larger company. I would suggest that many of those holding a CISSP certification would be willing to help, as this is consistent with their canon of ethics which requires that they "Protect society, the common good, necessary public trust and confidence, and the infrastructure."
2) Use a Fractional Professional
For those not comfortable with sharing information directly, or unable to devote time to meetings on a regular basis, a fractional professional could be used. The idea here is that multiple SMBs, who individually could not afford a full-time infosec/risk/compliance expert, could each pay for a fraction of a professional's time. The professional would bring strong knowledge to the table, but would also learn generic information about how each customer handles certain situations, which could be applied generally to the others. Again, appropriate non-disclosure agreements would be required to provide assurance of confidentiality.
There are already organizations in existence that offer such a service (by way of full disclosure, my company does offer this). They give SMBs the opportunity to tap expertise that they otherwise could not afford.
My one caution in this area is to avoid a generalist for this role. Many IT service companies offer this service, but the risk/compliance portions are usually a bit out of their wheelhouse, and can easily get lost in the shuffle of the hands-on things they are doing. In addition, the appropriate risk/compliance oversight will apply to them as well, so it is better to use someone independent.
Some internal people, such as the head of Accounting or IT, might feel threatened by this approach. It has been my experience however that the heads of IT and Accounting make a great team when combined with an independent risk/compliance person.
My bottom line for today is that SMBs could benefit in a significant way from information pooling, thus allowing them to avoid the mistakes of larger enterprises. Anything those in the SMB world can do to be competitive with larger companies is of benefit.