“Now that the incident is done, how does one member’s response become everyone else’s protection? What led to the incident and how can we share information and intelligence to help protect others?” Puckett said.
Taking the opportunity to discuss major headline breaches can be enormously fruitful, but the barriers to information sharing often leave security teams stuck at ‘no’ instead of moving on to ‘how’, the panel said.
Asking, “‘What would happen if that happened to us?’ while walking through more publicized breaches helps them get to the ‘how’,” said Puckett. The focus then shifts from resistance to active engagement of internal and external partners across organizations and supply chains.
“Information sharing doesn’t just happen within the people at the company. They can have forums of human resources professionals around a breach. Open it up to the broad community,” said Michael Papay, vice president and CISO, Northrop Grumman.
The broader community, which extends far beyond the four walls of the corporation, is often the weakest link that sits beyond the control of even the most sophisticated defenses. Plunkett asked rhetorically, “What do we do about everybody else? How do we think about mid-sized firms in terms of collaboration?”
In a digital world interconnected in complex and sometimes convoluted ways, determining where data travels, with whom it is shared and how it is stored can be cumbersome at best. That is why the big players have to share with the smaller ones: they have to strengthen what is often their weakest link.
Enterprises have a duty, not only to others but to themselves, to help out the smaller firms. “The bigger organizations are plowing away, and there is a corporate and social responsibility to give back by lending either knowledge, experience or expertise,” Plunkett said.
As the larger organizations have a duty, so too do the SMBs, who need to actively seek out guidance and instruction rather than rush ahead into things like cyber threat intelligence feeds, which are likely to produce alert overload while yielding little actionable intelligence.
“The only thing we can do is look for things that scale,” said Papay. “An asynchronous teaching tool that we can record once and push out many times. We have to get smarter by levels,” Papay continued.
While there is indeed a need to look at defense from a compliance perspective, “The DOD can’t go in and say, ‘Show me that you are compliant.’ They don’t have a contractual relationship with those second tier, so larger organizations worked to put together a single compliance checklist at the top level,” said Papay.
But what happens further down the supply chain? For prime contractors to trust that second-tier suppliers can effectively evaluate their own third- or even fourth-tier suppliers, there need to be clear rules about who is responsible for what at each tier.