
Since its passage in December 2015, the Cybersecurity and Information Sharing Act (CISA) has been the subject of controversy in cybersecurity and privacy communities. In a nutshell, CISA aims to facilitate the transfer of cybersecurity-related information between private companies and the federal government through online portals designed for this purpose.

In theory, it will help make companies more secure by allowing information on a cyber threat experienced by one company to be easily shared with the federal government and, in turn, with other similar companies, so that they can successfully defend against similar attacks.

That all sounds positive, right? Well, there are two sides to everything, and privacy advocates and activists alike have their doubts about CISA.

Many opponents dismiss CISA as a “thinly-veiled government surveillance bill” since there’s a likelihood it would also encourage companies to share information about their customers with the federal government if there’s any chance the info could be related to a criminal threat.

Following a year of hacks highlighted by the massive OPM breach in June 2015, it’s not unreasonable for pundits to protest the federal government having more information than it already has. Potential participants can and should insist on robust protections for any information that is shared.

I suggest the security and privacy communities take a step back and focus on the fact that shared cybersecurity threat information is a good thing, for the more that’s known about threats, the better for everyone.

Learning about threats means companies can adapt to these threats without being impacted by them. In essence, we see this increased cybersecurity information sharing as enabling a truly adaptive cybersecurity management program.

According to NIST’s Cybersecurity Framework, adaptability is key in having a successful cybersecurity program. In fact, a Tier 4 Adaptive program has the following attributes, per NIST:

  • Based on lessons learned and predictive indicators.
  • Continuously improved via active adaptation to combat evolving threats.
  • Part of the overall organizational culture.

Those first two bullets can be achieved based on what CISA intends to do. The more threat information that is shared, the better companies can adapt to these threats on an ongoing basis.

CISA is far from perfect, but I see appropriate information sharing on cybersecurity threats as the right step toward true adaptability for cybersecurity programs and awareness.


About the Author: Tom Pendergast is the chief architect of MediaPro’s Adaptive Architecture™ approach to analyze, plan, train, and reinforce to deliver comprehensive awareness programs in the areas of information security, privacy, and corporate compliance. Tom has a Ph.D. in American Studies from Purdue University and is the author or editor of 26 books and reference collections. Tom has devoted his entire career to content and curriculum design, first in print, as the founder of Full Circle Editorial, then in learning solutions with MediaPro.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock