Today’s cyber security landscape is littered with regulations, best practices, arms races and increasingly complex technology tools. As technologies advance, so must the controls we use to secure them. To this end, companies do the obvious: they educate people in technologies and security, and they implement the myriad tools and processes required to keep up and to keep secure.
But there is an oft overlooked ingredient that, when combined with all of this hard work and development, can give not only your company, but many other companies, an upper hand. It’s often overlooked because it’s difficult.
What is it? It’s open communication among organizations talking about the real security breaches and incidents they’ve experienced. Until organizations share this information, setting up defenses against a force we don’t fully understand will be expensive with little to no payback.
We as security professionals are not doing a good job of “opening the kimono” and talking honestly about our security postures or our vulnerabilities. Ellyne Phneah discusses several reasons for non-collaboration in a ZDNet article from March 9, 2012. Outside of regulatory reporting requirements, Phneah notes that one of the reasons for keeping hush-hush stems from the desire to protect our reputations. Other reasons are seated in a basic lack of expertise: knowing how and when to report and analyze security breaches.
Here are some initial steps organizations and individuals can take to start opening up conversations – to start collaborating:
- Before you do anything, the management team within your organization has to agree that this type of collaboration is acceptable and allowable. Your company and its leaders have to be comfortable with discussing sensitive issues facing the organization with outsiders.
- Look to partner and collaborate with similar companies. You can set up face-to-face meetings with peers in these organizations to talk about shared experiences. Of course, confidentiality must be maintained. A non-disclosure agreement (NDA) serves such a purpose.
- Establish agreed-upon methods to regularly share incident and event information with peer organizations. This information can become fodder for discussion in face-to-face meetings.
- Encourage thought leaders within your organization to participate in external professional security organizations. With the right level of caution, this type of collaboration can yield great insight into new and innovative methods of countering cybercrime.
- Encourage corporate leadership’s participation in thought-leadership forums and summits. With company leadership plugged into the heartbeat at a CXX level across corporations, lower level thought leaders within the company can form stronger, more trusting relationships with their peers in those same companies.
The importance of openly and honestly sharing breach, incident and event data with outside entities is growing. We can no longer plan our defenses in the vacuum of secrecy behind the walls of our organizations. There is a wealth of shared knowledge that can make everyone stronger and wiser. Our job is to begin paving those door-opening roads with our peers.