Even in Maryland, with the power of the governor's office behind security information sharing, participants are wary of too much organization.
"As soon as you make them structured, people at the meeting have to represent the party line of their agency," Goff says. And that, he adds, hampers the exchange of information. Loose structure and zero bureaucracy help enable more cooperation between private industry and the public sector.
The federal Freedom of Information Act (FOIA) and equivalent state-level legislation only increase anxiety. Under these statutes, anyone can request documents on file with the government. If private industry cooperates with the government and commits anything to paper, those documents could become public.
Bailey, Hayden and their colleagues circumvent this risk of public disclosure by avoiding minutes, reports and, whenever possible, e-mails. "We don't have a nondisclosure agreement," says Gregory. "We don't have a Web site or officers. We just hang out. If we were [a formal organization], everything would be subject to the Freedom of Information Act."
But a lack of records risks making valuable information a victim of fallible human memory. A CISO would have to depend on stumbling across people who knew what he or she wanted to learn. While the Homeland Security Act of 2002 protects information voluntarily provided to certain federal agencies from federal
That's why there are growing attempts to share critical knowledge through this informal approach. For example, Agora, a low-profile regional network of infosecurity professionals formed in the mid-1990s, is one of these "nonentity" groups gaining a foothold.
"The reason it was formed was that a few security professionals realized we were failing in our attempt to protect our enterprises, and we needed to talk to our competitors," says Bailey, a founding Agora member.
Ultimately, what will drive these relationships and a new dynamic in cooperation are word of mouth and money. CISO networks are perfect examples of viral marketing, with referrals coming only from other trusted sources. Forget about waiting for a conference to hear the latest best practice; your friend across town will probably tell you about it at the next coffee klatch. And then there are the economics: companies get help from experienced professionals when they need it, in exchange for nothing more than returning the favor.
"Most professional associations reflect very tired practices," Bailey says. "Very tried and true, but tired when it comes to building symbiotic associations."
By working this way, Bailey, Hayden and their circle of trusted friends are finding that their approach is no longer lethargic, and that the only thing that keeps them awake at night is too much coffee.
This was first published in January 2005