Why it’s Time to Adopt a CISO Code of Conduct


Whenever I need advice about how to handle a new security threat or want to swap a few ideas about the latest twists in cybersecurity, I can reach out to dozens of CISOs at some of Silicon Valley’s biggest companies. How about you? I ask that question facetiously. We know the answer.

Frankly, I'm quite frustrated with my profession’s historical reluctance to share information about what we see happening on our own networks. Suspicion gets in the way of the free flow of information and so we continue to default to individual, go-it-alone approaches.

Think back to the 2013 security breach at Target. It took months before we learned the entire story, which began with an attack against a refrigeration, heating and air conditioning subcontractor that allowed the attackers to compromise Target’s network.

Maybe that desire to limit information was justified a decade ago, but we’ve since reached a point where companies only hurt themselves by narrowly thinking of themselves as separate entities in the fight against cybercrime.

Strength in Numbers

The reality is that you can find postings on the dark web where criminal hackers as well as foreign government agents are exchanging tips about vulnerabilities and attack vectors.

Hackers understand the value of keeping communication channels open and collaborating. If we fail to do the same on our end, the bad guys are going to win. This fight is totally asymmetric; for the bad guys, there is no cost of failure.

As a community, our charge should be to find a way to leverage the enormous security talent that we possess collectively through information sharing.

Some of us are starting to do this on an ad-hoc basis.

I am part of an informal group of Silicon Valley CISOs that meets regularly to exchange information. Our interactions adhere to a strict code of conduct under which we pledge confidentiality. Our goal is to learn how attacks occurred, so we can stop them in the future.

Unfortunately, we’re still outliers and it's very rare to see companies sharing attack techniques uncovered during the course of repelling a breach. That needs to change.

Learning to Work with The Man

For a very long time, Silicon Valley hesitated to talk to the likes of the FBI, or any affiliated government authorities about cybersecurity.

I give the authorities credit for changing the atmosphere. It began with doing a better job of reaching out to the private sector, starting with the creation of the CISO Academy at the FBI’s training center. I now meet on a regular basis with special agents in the agency’s San Jose, CA branch. So, in the event of an incident, I know the person on the other end of the phone line.

Here’s something else we need to consider. Although private industry and the FBI have somewhat different objectives, our interests still dovetail when it comes to cybercrime. Forensic analysis of incidents benefits both sides.

In the past, a CISO might have been reluctant to engage in those kinds of conversations due to the lingering suspicion about law enforcement. But these kinds of ongoing dialogues are needed to foster closer engagement in pursuit of a bigger, important goal.

Working Toward a Code of Conduct

I wish our industry were as organized as the aviation industry. When there is a crash or incident, the NTSB, which is a government agency, gets called in. It is independent from the FAA, the airlines, and the aircraft manufacturers. We can be sure it will carry out an independent analysis that will later be made public.

The system has worked amazingly well. The aviation industry is one of the safest industries in the world because all the relevant parties collaborate to further the common goal of making flying as safe as possible.

If the cybersecurity industry wants to reach a similar level of excellence, it needs mechanisms in place that provide for a full accounting whenever there are breaches – along with recommendations on how to prevent future attacks.

But here’s where we run up against the challenge of convincing companies to share their coveted information. It’s clear that we can benefit from the experience of others, and we need to get over the mutual suspicions.

Coming up with a code of conduct where rival companies can figure out the rules of the road shouldn’t be hard. You can be a competitor but still be open and share.

Nearly 400 years ago, John Donne wrote that “no man is an island entire of itself.” The same might be said for an industry that we rely upon to protect some of our most precious assets. Let’s heed the warning.