In my last post, I wrote about the value of Information Sharing and Analysis Centers, or ISACs. This time I want to talk about a slight twist on this topic – the use of an ISAC model internally.
A couple of weeks ago, I was talking with security leaders from two large, multinational oil companies who have been building ISAC-like information sharing “practices” inside their own companies.
You see, they both work for widely distributed organizations. Each part of their organizations has differences – different requirements, different local capabilities, different management, etc. – but they share common security goals and manage a lot of similar infrastructure.
Add the fact that they have grown over long periods of time (often by acquisition) and you have a lot of nuances to deal with.
Both organizations have created formal and informal methods to share information between groups, and are actively engaging to discuss threats, countermeasures, risks, and controls that are working for them. When I found out about this, I asked them about things they have learned along the way.
They said there were two key elements that had helped significantly:
- Spend time agreeing on ground rules and reach an agreement about how the information will be used. Apparently, there was a lot of fear of politics, such as one group learning something during information sharing and using it to cause problems for another group. They dealt with this fear up front and agreed on a model similar to the Chatham House Rule, which meant they avoided disclosing any embarrassing details outside the group in a way that identified any particular organization.
- They agreed that “tone at the top” was important. They needed commitment from the “higher ups” in the organization that they would fund these information sharing efforts, including allowing time for conference calls and periodic face-to-face information sharing meetings (they settled on face-to-face meetings once a year).
These organizations engage in web conferences, brown-bag sharing sessions, and brainstorming sessions over video conferencing. They document what they learn and share it internally on SharePoint sites and wikis, and they restrict access to those involved in the ISAC community to help build a sense of responsibility.
Obviously, these folks didn’t have the competitive challenges that multi-company ISACs face, but the complexity within their global organizations was significant enough that they tended to operate like a bunch of separate companies.
Since adopting this ISAC-like model, both of these security leaders say that the sense of internal community has been a tremendous force in building momentum for information sharing. There is something powerful in knowing others are right there with you when things get rough.
What about your organization? Would an ISAC-like approach help you share information internally? Or, if you’re doing something like this already, do you have your own advice to share?