Sharing is caring: Take advantage of ISAC
Risk lessons over beer and bratwurst
Sharing is an important part of life. No one should ever have to go it alone. The wild success of social networks such as Facebook, Twitter and LinkedIn provide daily proof of the importance of sharing to the human mind and spirit. The economic, professional and social advantages of having a good support network are also not to be underestimated.
Information security is a field that may not naturally lend itself to sharing. We are sometimes a secretive lot. We need to change that point of view and recognize that information sharing, within a structured framework, is especially important to security professionals. What I refer to here is the sharing of hard information among trusted peers within your chosen industry. This may make some of you uncomfortable, because what I'm recommending is that you get into the habit of sharing information about security events and observations even with competitors in your sector. Should Macy's tell Gimbels? In this case, yes.
A structure for this type of sharing has been developed within multiple sectors. If you haven't heard, the Information Sharing and Analysis Center, or ISAC, is that structure. An ISAC provides members with a private community for dispensing information about security threats, incidents and response, and critical infrastructure protection.
If one bank, government agency or a utility company is being attacked from a certain location or using a particular methodology, it is strategically helpful to know if others are being targeted as well.
Membership is normally open only to those organizations within that vertical sector that have agreed to contribute to and receive information from their peers, and that are willing to operate under strict confidentiality guidelines.
Some ISACs further information sharing by providing monitoring services and aggregating threat data within their sector, thus offering a holistic view. A 24/7 watch desk, an alerting function, and developmental programs and projects also can be found within a typical ISAC.
ISACs are an effective method of sharing your information without direct attribution. If your site is under cyber attack or you become aware of an imminent threat to your sector, details can be exchanged without ever revealing your identity, thereby facilitating sharing, but maintaining confidentiality.
As a CISO of a large city, I have been engaged with the Multi-State ISAC (MS-ISAC) for a number of years. The MS-ISAC promotes information sharing among 50 state governments, participating local governments, territories of the United States and tribal governments. It operates a 24/7 cyber security operations center and is a significant intelligence source for its members.
Can I substantiate the benefits of ISAC participation? Absolutely! The MS-ISAC has facilitated direct conversations among me and my peers in a number of cities. We have had the opportunity to exchange information about cyber attack experiences and strategies.
Does your industry have an ISAC? Likely it does. For more details, there is a National Council of ISACs. You can visit its website at http://www.isaccouncil.org.
As proof of its importance, look for information sharing to be one of the cornerstones of any upcoming presidential executive order or congressional legislation dealing with cyber security. One of the key issues needing resolution is how to share classified information in a useful way with those who need it most – generally those without security clearances.
Dan Srebnick is the CISO of the city of New York. Opinions expressed are his own and do not necessarily reflect those of his employer.