This article can also be found in the Premium Editorial Download "Information Security magazine: How security pros can benefit from information sharing."
Two Seattle CISOs, Kirk Bailey and Ernie Hayden, are pioneering a new level of trust and cooperation to secure their enterprises.
Over the clatter of an auto body shop where he was retrieving his car, Ernie Hayden received a disturbing cellphone call. "I'm sending you a warning about the latest MyDoom attack," the voice said.
No introductions were necessary. Hayden, the manager of enterprise information security for the Port of Seattle, immediately recognized the voice as his counterpart at the city of Seattle, CISO Kirk Bailey.
Usually, the pair meets once a week at a local coffeehouse to talk shop. They share their problems, insights, solutions and questions. Nothing is out of bounds, and there's no fear of compromise. Their trust in each other is unquestioned.
While the urgent warning of a MyDoom variant wasn't the norm, it was hardly unusual. When something serious breaks, they call each other immediately. They know implicitly that one always has the other's back.
By the time Hayden rolled into the office, he had the details of the worm that Bailey promised. The variant used an e-mail to instruct recipients to click an embedded URL and confirm an online purchase. The malicious Web site then downloaded a virus that damaged the host and mailed itself to everyone on the person's contact list. With that intelligence in hand, Hayden sent an urgent message to his staff and began working on countermeasures.
It was yet another
While the security practitioner's mind-set is usually wrapped around secrecy, Hayden and Bailey say they're proof that extending a little trust and putting two--or sometimes more--heads together is a better way to solve pressing security problems. The kind of cooperation practiced by Hayden and Bailey, as well as other Northwestern security professionals, could become a CISO best practice.
This was first published in January 2005