Collective resilience: Why CISOs are embracing a new culture of openness

Security exec Chad Kliewer had heard the initial reports of the SolarWinds attack as news about it broke in December 2020, sympathetic to those companies first named as victims of the hack.

Soon after, he started getting messages from colleagues wanting to make sure he saw the latest news: His company, Pioneer Telephone Cooperative Inc., a small telecommunications company headquartered in Kingfisher, Okla., was listed, too.

For Kliewer, those early tip-offs from fellow security leaders alerting him to take action definitively proved the value of building information-sharing communities within the profession.

Kliewer is a member of CyberShare, an Information Sharing and Analysis Center (ISAC) for small broadband providers. He also belongs to InfraGard Oklahoma and the Communications Sector Coordinating Council (CSCC). And he has developed informal communities with other security leaders.

He admits that he once dismissed the importance of such groups, thinking he was too busy to engage with them and seeing little value in what they could provide.

But as he started to participate and experienced firsthand the help they could offer—as was the case in the SolarWinds event—Kliewer became a convert and an advocate.

“Now I have been preaching for years to share information, to get this stuff out in the open,” he says. “We all have the same pains. It’s just a matter of whether we’re willing to share those pains and share some of the shortcomings in a trusted group to save others from those same kind of things.”

Getting ahead, together

The trend toward more information-sharing among cybersecurity practitioners is hard to quantify, with figures measuring willingness to engage in such activities not readily available.

But Kliewer and other veteran security leaders say they have seen an evolution of thought among CISOs, who were once reticent to discuss much, if anything, about their operations, the threat activity within them or even the overall threat landscape.

That reticence has softened in recent years. Now many CISOs are part of multiple information-sharing groups and today advocate for their peers to do the same, saying it’s one of the strategies to help everyone get ahead of the bad actors who are menacing them all.

“The realization that all industries are vulnerable has led to broader efforts to share knowledge,” Deloitte declared in its 2021 Future of Cyber Survey report, adding that “learning what works in other industries will become increasingly relevant.”

It continued: “While there isn’t a single simple solution to managing cybersecurity, many of the threats facing organizations on the road of digital transformation are shared. With cyberattacks becoming more prevalent, no industry or geography is immune from them, but we can learn from each other how to effectively handle an incident when one does occur. To this end, sharing experiences and knowledge with peers is an essential element of improving the security environment all round.”

More openness, but hurdles remain

Of course, CISOs, like other executives, for many years have had networking opportunities and other engagements that allowed them to trade notes and seek advice.

It’s important to note, too, that ISACs aren’t new. The concept of ISACs comes from a presidential directive issued in 1998 that prompted each critical infrastructure sector to establish organizations to share information about threats and vulnerabilities.

However, more recent years have seen both an increased willingness to share and the growing need to do so, says Aviation ISAC president and CEO Jeffrey Troy.

“It’s taken a long time for that to happen,” Troy says.

The Aviation ISAC, founded in 2014, has grown from seven founding member companies to include 88 member companies on five continents. Its membership is open to airlines, airports, industry manufacturers and other companies servicing the sector.

In its 2021 Making the Business Case report, it notes that “aviation remains a highly visible target for cyber threat actors” and that the industry had seen in 2020 “an increase in ransomware attacks, network intrusions, business email compromises, DDoS attacks, fraud, and more.”

Even so, Troy says hurdles to consistent, widescale cooperation remain.

“We find there’s a lot more comfort to share, but there is some hesitancy with [discussing] significant breaches,” he notes.

He acknowledges that some organizations are reluctant to share information even within trusted networks such as ISACs. Some hesitate due to the potential of lawsuits following hacks; others who settled ransomware without alerting government or law officials don’t want to then tell anyone about what happened.

Troy, however, says he doesn’t fully support such perspectives; he compares such actions to mugging victims failing to report the crime, which leaves others vulnerable to being attacked.

“But if you had told someone, that would help everyone else protect themselves,” he says. “It’s the same thing with cybersecurity; every bit of cyber intelligence is going to help.”

No one can succeed alone

That reasoning comes up again and again in conversations about ISACs and other information-sharing channels. Proponents agree that the increasing volume and velocity of threats and the growing sophistication of attacks make it impossible for CISOs to succeed in their work if they’re isolated from their colleagues and other security industry officials such as vendor executives and government officials.

“It’s critical because the problem has gotten so large that there’s really no way for an organization, not even the largest organization, to stand alone as an island,” says David O’Berry, head of Capgemini’s Cybersecurity Center of Excellence for North America. “ISACs create this great web of information-sharing that you can participate in to make your organization stronger without having to do all the work yourself, which is nearly impossible.”

Denise Anderson, president and CEO of the Health ISAC, has seen that value in action.

When the Petya/Not Petya attacks first surfaced in June 2017, the organization had within 48 hours 60-plus individuals from more than 30 organizations collaborating to figure out what the attack vector was, how the attack spread across networks and how to stop it.

“We shared it not only within the membership but on our website so that everyone could benefit from this great work,” Anderson says. “It was especially important because there was a lot of incorrect information being shared at that time and we were able to deliver ground truth and actionable mitigation. We are currently doing much of the same with the Log4j vulnerability.”

Trusted data, straightforward answers

Marc Vael, platform CISO for Packaging & Color Management at the global conglomerate Danaher and past board director for governance association ISACA, has a similar perspective.

Vael says he, too, has seen CISOs, including himself, become more willing to participate in ISACs and other such groups. He sees it as a way to bolster their abilities to protect their own organizations.

His company belongs to an ISAC, where he is an active participant, and he is a member of a local CISOs-only group that regularly trades information and advice over a secure communications platform.

Vael says he has seen value in his participation. He likes that he can ask others about their experience with specific solutions, hear details on their strategies for certain challenges, and get straightforward answers quickly.

He says their communication around the recent Log4j vulnerability further demonstrated the worth of information-sharing, as both the ISAC and the CISO group delivered a slew of trusted data about the security flaw that was pertinent to him and his company.

Moreover, Vael says he’s comfortable asking questions and sharing ideas because his ISAC, like others, has nondisclosure agreements in place while the informal CISO group is governed by the Chatham House Rules that safeguard participants and what they disclose.

Furthermore, he knows the information being shared among members comes from trusted, vetted sources.

“If you want to be a successful CISO, you have to have multiple good-quality channels in front of you where you can reach out. It’s part of the gear that we have,” he adds.

Maximizing the value of information-sharing

Indeed, security leaders across the board say the best way for CISOs to get value from ISACs and similar groups is simply to join and actively participate in them; CISOs should contribute details on the tactics, techniques, and procedures (TTPs) that they’re using; the threat activities they’re seeing; the challenges they’re encountering; and which strategies and solutions are delivering the most success.

Furthermore, security leaders say CISOs should participate in not only their industry ISAC but other groups as well, such as those organized by regional entities, government agencies, vendors and technical communities.

Then CISOs must find a way to bring the information they’re gaining back to their teams and their own operations.

“So you’re taking actual actions,” O’Berry says.

That means automatically ingesting the threat intelligence feeds that many of the ISACs produce, disseminating talking points to team members, adjusting strategies based on new information and the like.

“We can put out all the information in the world but unless folks put it into practice it doesn’t do a lot of good,” says Jill Canfield, general counsel and vice president of policy at NTCA–The Rural Broadband Association, which administers CyberShare. “The point is to take the information and operationalize it. It’s taking the information you learn and applying it.”