With the Ever-Changing Threat Landscape, Knowledge is Power.
It is unlikely to surprise anyone that a successful information sharing program is an integral part of a mature security operations program. Simply put, the combined knowledge of many organizations is greater than the individual knowledge of just one.
Organizations that don’t already have an information sharing program in place are likely either building one, or planning to build one.
While everyone approaches the effort of information sharing with the best intentions, the results vary widely from organization to organization. Some organizations end up with wildly successful information sharing programs, while others struggle.
Understanding the challenges up front can help organizations learn from the mistakes of others and build a more successful information sharing program.
Vision: Before a successful information sharing program can be put in place, leadership within the security organization needs to embrace the concept. Further, leadership needs to outline and articulate a strong vision and a high level process for information sharing. This lends the information sharing program credibility within the organization and empowers security operations personnel to accomplish the information sharing goals set for them by leadership. If leadership does not understand the task at hand, it will be difficult for the remainder of the security operations team to make progress in the endeavor. It is difficult to build a program without understanding what one has set out to build.
People: Ultimately, it is people that build and leverage information sharing bridges and relationships. People who excel at information sharing tend to be highly analytical, have a good understanding of what information is of value and interest to others, build relationships well (both inter-organizational and interpersonal), and have good attention to detail. People with these qualities will fare better than others when assigned the information sharing responsibility.
It is important to consider these traits in order to assign the proper individuals to the information sharing challenge at hand. Working with the right people can mean a world of difference to an information sharing program, and quite literally. The people who share information on your behalf represent you globally.
Technology: Information sharing is already a difficult enough challenge. The last thing an organization needs is to fight with its technology. Ensure that technology that facilitates, rather than fights, information sharing and the analysis that goes with it is deployed and in use. It may require a bit more of an investment than less-capable or less-usable technology, but a successful information sharing effort usually results in earlier detection and response to attacks This has the potential to save the organization millions of dollars in the long run.
Workflow: The bottom line is that, all else aside, if it is easy enough to share information, people will. Integrating information sharing processes into the operational workflow makes it easier to share information, which results in more efficient and effective information sharing. Additionally, new standards and technologies to automate information sharing should be evaluated as they become available and mature. Additional, tangential processes should be minimized or avoided altogether, as they tend to be overlooked or skipped. That obviously inhibits the desired information sharing behaviors.
Inertia: Inertia is an incredibly powerful force. It sometimes amazes me just how powerful it can be. For whatever reason, it is difficult for people and organizations to modify their behaviors and embrace something new, even something as important as information sharing. The will of the organization needs to be stronger than inertia. As far as I know, this is the only way to overcome this challenge. Where there is a will, there is a way.
Legal/Privacy: This is often the elephant in the room. Legal and privacy concerns are often used, sometimes as a crutch, to explain why more information is not shared. There are certainly legitimate concerns and issues here, and I don’t mean to trivialize those. That being said, there are also concerns and issues that arise from misunderstandings and lack of communication.
The number of lawyers and privacy professionals that understand technology and, specifically, information security is unfortunately small. That being said, lawyers and privacy professionals are intelligent people. The onus is on us as security professionals to explain to them, in clear and concise language, what it is we would like to do and why it is important for the organization.
Having explained information sharing to legal and privacy professionals in the past, I have learned that it is helpful to explain what is to be shared and then to explain how it is not privileged, private, or protected information. Further, a documented process should exist to both determine what is shareable, as well as what should be done in the event that something was shared that should not have been. Expect to go into detail here — the details are important. Is it fun writing this process? No way. But, it is necessary.
Street Cred: Sometimes, being remembered helps. People are most likely to share information with those people that are in their thoughts. And the people most likely to be in someone else’s thoughts are the people that have street credibility. Street cred comes from a variety of factors, but among them are professional reputation and the balance between giving and receiving. It is easy enough to receive, but don’t forget to give. Those who give the most, receive the most.
Information sharing is not easy, but then again, neither are most things worth doing. Information sharing involves the coordination of many details, and often incurs the challenges I’ve listed above and other. After all is said and done, organizations that share information effectively will be better able to defend themselves than those that do not. Collectively, we can know more than we can individually, and with the ever-changing threat landscape, knowledge is power.