BOSTON—At two data security conferences in the Hub this fall, speakers kept coming back to the theme of collaboration as a critical part of effective cybersecurity planning and response.
The annual conference of the Advanced Cyber Security Center (ACSC) emphasized that message right from the get-go. Delivering the opening address at the conference, Ken Montgomery, First Vice President and COO of the Federal Reserve Bank of Boston, explained that in addition to the roles of regulator and service provider, the Federal Reserve prides itself on a third role: that of “a convener and a collaborator…on security standards[.]”
Separately, at the NRS Technology and Communication Compliance Forum, K&L Gates partner Sean Mahoney kicked off Day Two of the three-day event with a call for teamwork.
“[W]e all suffer from…myopia[;] we see [data security issues] through our own lens,” Mahoney told the NRS audience. “The IT person is going to look at it one way, the compliance person is going to be looking at it another.”
Piecing together the information security puzzle
Indeed, the major obstacle that cybersecurity collaboration helps overcome is the limited situational awareness each individual actor has, according to William Guenther, ACSC’s founder and chairman. Guenther told ACSC attendees that each person can see “only a piece of the puzzle,” and not the whole.
Without collaborative groups, the narrow, individualized viewpoints found throughout the enterprise can lead to very different responses within the enterprise in case of a data breach or other information security event. This can lead to confusion and lost value as well as prolong and exacerbate damages caused by the event.
Michael Chertoff, former US Secretary of Homeland Security, illustrated this point in his keynote address at the ACSC conference by describing to audience members a particular Department of Homeland Security exercise. DHS would interview families and ask them if they had a plan in case of a given emergency; the families would respond affirmatively. Then DHS would take each individual family member aside and interview them on their own, asking each what the plan was. Inevitably, all of the answers were different. One family member would say that they would go to “grandma’s house.” Another would say that they would run “into the woods.” Another would indicate that they would go to a shelter. And so on.
“It [is] remarkable how many people d[o]n’t know what the plan is,” Chertoff said. Bringing people together enables the organization to overcome individual limitations.
But the myopia of siloed teams can lead to communication issues when disparate players attempt to collaborate. Ed McNicholas, a partner at Sidley Austin, calls this a “failure of the IT people [and] the business people…to speak a common language[.]
Enter the NIST Cybersecurity Framework, which takes dense legal and compliance concepts and helps connect them directly to technology, using five core cybersecurity functions (“Identify, Protect, Detect, Respond, Recover”) and tying them to specific recognized compliance standards.
“I think that this was an effort by [the Department of] Commerce to help that translation process,” McNicholas told NRS Forum attendees. “I think it actually is…a useful document [because] you have to be willing to correlate[.]”
Reach beyond the organization for maximum cybersecurity
External collaboration is just as important to enterprise information security as internal collaboration. This notion, in fact, is a big part of the reason ACSC exists. Charlie Benway, ACSC’s Executive Director, told ACSC conference attendees that through the ACSC’s threat-sharing program and bi-weekly meetings, member organizations collaborate on “risk management…the Internet of Things, the supply chain, and all of these [information security] issues.”
Boasting a membership that includes heavyweights from both the public and private sectors, such as the MITRE Corporation, the National Guard, Facebook, and the Federal Reserve itself, the ACSC can play a significant role in improving enterprise cybersecurity. According to ACSC data, 87 percent of its membership reports having gained “actionable intelligence” through ACSC. Moreover, 71 percent of ACSC members “report that participation in ACSC has driven changes to their defense posture.”
ACSC is also working to establish the New England Cyber Security Research Consortium. The Consortium would be an information security research partnership between top New England universities, including Northeastern, UMass, and MIT, and local public- and private-sector organizations.
Welcome friendly hackers to your information security table
Still, effective cybersecurity collaboration goes beyond this trifecta of government, business, and academia.
“We’ve got a giant pool of untapped resources [in] hackers,” said Katie Moussouris, Chief Policy Officer of HackerOne and a former security strategist at Microsoft, during an ACSC conference panel discussion. “[B]e prepared to receive a notification from a friendly hacker [about] anything your…processes may have missed[.]”
Moussouris went on to relate a story from her days at Microsoft, when the company traveled to Poland to recruit the Last Stage of Delirium: a hacking group that had discovered a serious vulnerability that led to the Blaster worm.
“That was a really progressive move on Microsoft’s part,” said Moussouris.
How far beyond the IT silo do your information security efforts reach?
Photo courtesy of Shutterstock.
Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.