
“Embody COLLABORATION – to be truly successful we must be inclusive; working together for a common purpose.”

Collaboration and information sharing within security can of itself introduce risk, however. Any such engagement has to, therefore, be built upon a sense of trust and shared purpose. Depending on the levels of confidence required, that trust may be gained through real-world relationships and informal ‘Chatham House rules’ or via more formalized, legally binding NDA arrangements. Outside of the more altruistic world of non-profit organizations, such factors are not always easy to establish, especially where protected IP, profit margins, livelihoods, kudos and commission may be at odds with such a notion.

Commercial competition is, of course, an essential and healthy driver for innovation and improvement across all aspects of security and information assurance. But when a supplier can only talk myopically and even dogmatically about their own company/solutions/services with little context or acknowledgment of the wider world, it often leaves an impression that they can’t see the bigger picture or aren’t sharing it with you if they can. Indeed, the best suppliers I deal with talk frankly and knowledgeably about the wider industry picture, explaining where and how their pieces fit into the overall puzzle. They also discuss current threats, market trends and, in some cases, even a direct competitor in a fair, objective and factual way – all of which makes for a far greater sense of customer confidence and credibility around what it is that they themselves have to offer.

It is fantastic when different vendors can work together for the greater good of the industry. This fascinating piece around one of the first documented attacks using steganography demonstrates just that. As threats become ever more sophisticated, research is certainly an area that requires collaboration of the best and brightest minds. It’s also a reminder that we need to forge closer links between academia and industry. For this reason, another (ISC)² initiative seeks to ensure that cybersecurity becomes a core component of all UK computing degrees.

At a far more micro-level, the sharing of information and real-world experience is something we can all do every day. While there may be a few differences, there should be consistent themes and principles of practice across all sectors. Someone working to protect assets in the financial sector and someone working within the health service both have valuable and unique insights, especially the fact that good security is not necessarily a ‘one size fits all’ solution and that perhaps someone has approached something in a novel way.

Here in the United Kingdom, CERT-UK has established the Cyber-Security Information Sharing Partnership, which is a joint industry-government initiative aspiring to encourage members across all sectors to share threat and vulnerability information. On a regional level, we in the South West of England are fortunate to benefit from an active security community of trust. We even have a first-class event, Secure South West, that runs in cooperation with Plymouth University.

Even within the untrusted online realm, we can all take advantage of and contribute to useful and rapid information sharing. For all the negatives we are used to hearing about through its misuse, social media provides most of us with a daily feast of news and other publicly disseminated security-related information. The challenge here can be to discern ‘the wheat from the chaff’ and then find the time to watch/listen/read the most useful and relevant items. I am always grateful to those who do take the time to share whatever it is they have benefited from finding. The decent thing to do, of course, is to then share it on yourself to benefit someone else. And on it hopefully goes again.

Isolate, hoard, divide and fall, or collaborate, share, unite and win. The choice is ours. Your adversaries know this only too well and will often collaborate where there is some mutually beneficial nefarious gain to be had. They are also adept at the art of spreading misinformation, of course, but that is an altogether different consideration for another post.
