By Working Together and Sharing Missteps, Defenders Can Gain Crucial Security Insights and Prevent the Spread of Attacks
One area that remains a major sore point in the security industry is cross-organization knowledge sharing. Most organizations operate in silos, unwilling to discuss their approach to security with anyone else, for a variety of reasons. Part of this is a security concern in its own right: if outsiders know what an organization is doing to protect itself, that knowledge could potentially be used against it. More often, though, it is fear of judgment or retribution that keeps companies from openly discussing their security tactics with others.
When a company suffers a breach or another form of security failure, it is often vilified and “breach-shamed” by others, many of whom either claim they could have stopped such an attack or dissect the targeted organization’s supposedly poor security tactics and procedures. To avoid this criticism, too often these failures are whispered about in corners or hidden from broader view, because organizations worry about the repercussions for their financial performance or public perception, or worse, about legal consequences.
The fact is, every organization will be the target of an attack at some point. Instead of pointing fingers at one another when this happens, the best approach would be for security organizations to come together, discuss what they learned and move forward, so that the same thing does not happen to others.
A great example of this in another industry is in healthcare. Doctors hold Morbidity and Mortality (M&M) conferences to learn from complications and errors, modify behavior based on previous experiences and prevent repetition of errors. The goal is to improve patient care and discuss learnings without fear of punishment or legal ramifications, and the meetings are held on a regular basis, often weekly or monthly.
M&M conferences are generally moderated by a senior physician and attended by all of the hospital’s residents, selected attending physicians and other staff with intimate knowledge of the case, such as nurses, other physicians or lab personnel. The resident in charge of the patient spends thirty minutes to an hour presenting the case, including the course of treatment, the outcome, any errors that may have occurred and anything unique they learned from the experience. Their peers then ask questions, discuss the case and agree on alternative approaches for the future.
In addition to giving physicians a valuable way to understand cases other than their own and to learn from other doctors, these conferences benefit the healthcare industry and future patients. By sharing what they have learned broadly, doctors help ensure that the same mistakes are not repeated.
These peer review conferences are effective largely because their proceedings are protected by law. Many states provide a peer review privilege that prevents compelled disclosure of a peer review committee’s records or proceedings in litigation. So, if a court case arises over the medical care discussed at one of these meetings, none of the attendees can be forced to disclose in court any of the information that was discussed. This protects the physicians and allows them to speak freely about their cases, mistakes and lessons, without fear of legal consequences.
The security industry would do well to adopt its own version of M&M conferences. Rather than guarding our own security practices to a fault or targeting organizations that have been breached, we should be working collaboratively in a similar way, with the same assurance of confidentiality, to benefit the security industry as a whole. If we took a page from the physicians and worked together to share our missteps and move forward, we could surface crucial security lessons and prevent the spread of attacks.