Despite the session’s name, “Two Points of View: Collaboration and Disclosure: Balancing Openness About Cyber Security with Managing Risk and Reputation,” panelists at today’s Infosecurity North America conference were actually in agreement about sharing threat intelligence.
Moderated by Joseph Gittens, director, standards, Security Industry Association, the panelists explored the different channels by which information can and should be shared. Participating in the talk were Andrew Conte, AVP security leadership team, at The Guardian Life Insurance Company of America, and James O’Shea, head of re-engineering, cybersecurity and IT infrastructure, at RBC Capital Markets. Both participants noted that their comments were their own and not representative of the thoughts or policies of their employers.
“This is just for fun,” O’Shea said, which Conte echoed.
Of great concern is how threat vectors are expanding against recognized brands; given the value of personally identifiable information (PII) these days, protecting customers’ PII is critical. To do that, companies need to understand new and emerging threats, so being a member of an information-sharing organization is a great opportunity to learn about those threats. “They are good at de-anonymizing where the threats came from and sharing that information,” Conte said.
As you mature as an organization, you should be thinking about the other information channels by which you can come to understand threats. "Criminals are criminals and they are going to try to convert something that you have into something of value that they can use for something else. Those sorts of things happen in other industries all the time,” O’Shea said.
Including law enforcement in cyber war-gaming is incredibly useful as well, and depending on the type of organization, you may naturally have a relationship with law enforcement already. Sectors that are regulated, such as critical infrastructure, are examples of the types of organizations that have those front-line partnerships on call.
For non-critical infrastructure organizations, there are professional organizations across the country, whether it’s ISACA or (ISC)2 or other types of member groups.
“People are never going to turn away people who want to join together and work on the problem,” O’Shea said. Additional good sources of information are within the legal industry, whether it’s in-house counsel or counsel outside of the organization. “Look laterally,” O’Shea said.
Gittens asked whether the security industry ought to have a general good neighbor policy, and the panel then hypothesized about the likelihood that there could someday be legislation that imposes liability for failure to share threat intelligence.
“It’s something to think about,” O’Shea said.