This article can also be found in the Premium Editorial Download "Information Security magazine: How security pros can benefit from information sharing."
TIPS: Trading Success
Breaking a Cloistered Culture
Cooperation in infosecurity is notable for its rarity. Consultant Ted Demopoulos recently asked 60 security professionals whether they or the hacker community was better at information sharing. "There was just laughter," he says.
The digital underground is a meritocracy; hackers rate themselves on their technical prowess and their capers' success. This means they must be open with information about their tools, targets and methodologies. In contrast, security professionals usually share only what almost everyone already knows, not their actual experiences. But keeping mum means missing out on useful intelligence and potential help.
"There are way more antagonists and players out there than there are keepers of the gate on our side," says Peter Garlock, CIO of the Port of Seattle and Hayden's boss, who likes the cooperation between his organization and the city. If CISOs can discuss problems safely, they can leverage all that experience--at no cost.
Hayden and Bailey have developed a mutual trust, which some security pros just don't get. "When we started raising the specter of CISO-to-CISO conversation, people gave us the look of 'What a concept' and 'What a brilliant idea,' but they didn't want to do that," Hayden says.
The ground Hayden and Bailey tread is perilous; they know they risk having their problems appear instantly in a blog or in tomorrow's newspaper. Equally powerful is the fear of appearing vulnerable and weak. That's why building trust is critical, and time is the key ingredient.
The two infosecurity pros met years ago when Hayden was security director for a software company and Bailey, already CISO for Seattle, was running a vulnerability assessment exercise for the city. Over the years, they kept in touch and became friends. When Hayden became the Port of Seattle's first infosecurity chief, they couldn't have asked for better collaboration conditions. Not only did they know and trust each other, but the city and the port are inseparable business partners.
And Hayden and Bailey aren't just sharing their experiences, but also their contacts. If they don't know the answer to a problem, they can call upon their network of peers and acquaintances. "We use each other's black book," says Bailey. "This was a hyperjump to a whole new level of trust."
It's not unheard of for security professionals to consult colleagues and friends. Where their relationship differs is in the extension of trust. If Bailey can rely on what a given contact says, for example, Hayden can as well. The two also act as liaisons to their respective peer networks. If someone has relevant information--such as a warning of an attack or discovery of a new vulnerability--the news bubbles up in one of their networks. Hayden and Bailey share it, so it reaches the other's contacts. Because all the affiliations are informal, there is no bureaucracy to control how information travels. As a result, Hayden and Bailey say, intelligence is quickly communicated.
"The current cybersecurity practice has siloed reporting, where attacks are cross-jurisdictional," Bailey says. But industries and enterprises, regardless of their vertical category, are bound together. A problem in the electrical or telecommunications infrastructure ripples into problems for manufacturing and municipal operations. Hayden and Bailey argue that any truly effective cooperation must break down the walls between industries, even those between government and the private sector.
This was first published in January 2005