Archive.fm

CyberWire Daily

Breaking the information sharing barrier.

Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, turns over hosting responsibilities to Errol Weiss, the Chief Security Officer (CSO) of the HEALTH-ISAC and one of the original contributors to the N2K CyberWire Hash Table. He will make the business case for information sharing.

References:
Staff, White and Williams LLP and Osborne Clarke LLP, 2018. Threat Information Sharing and GDPR [Legal Review]. FS-ISAC.
Senator Richard Burr (R-NC), 2015. S.754 - 114th Congress (2015-2016): To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes [Law]. Library of Congress.
Staff, n.d. National Council of ISACs [Website]. NCI.
Staff, 2020. Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 [Guidance]. CISA.
Staff, 2023. Information Sharing Best Practices [White paper]. Health-ISAC.

Duration: 24m
Broadcast on: 16 Sep 2024
Audio Format: mp3

(phone ringing)

- You're listening to the CyberWire Network, powered by N2K.

(upbeat music)

- Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind, knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports, so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/N2K and enter code N2K at checkout. That's joindeleteme.com/N2K, code N2K.

- This episode is brought to you by Microsoft Azure. Turn your ideas into reality with an Azure free account. Get everything you need to develop apps across cloud and hybrid environments, scale workloads, create cloud-connected mobile experiences, and so much more. Discover what you can create with popular services free for 12 months. Learn more at azure.com. That's azure.com, and sign up for a free account to start building in the cloud today.

- Hey everybody.

♪ We're back, we're back in our own backyard ♪

- We are back. Welcome to season 15 of the CSO Perspectives podcast. And if I do say so myself, the interns down in the Sanctum Sanctorum have created something special for this season. And I think you're really gonna like it. You all know that this show has a stable of experts who graciously accept invitations to visit us here at the N2K CyberWire Hash Table in order to provide us and you some clarity about the issues we are trying to understand.
At least that's the official reason we have them on the show. In truth though, I bring them on to hip check me back into reality when I go on some of my crazier rants. We've been doing it that way for almost four years now, and it occurred to me that these regular visitors to the Hash Table were some of the smartest and most well-respected thought leaders in the business. And in a podcast called CSO Perspectives, wouldn't it be interesting and thought-provoking to turn the mic over to them for an entire show to see what's on their mind? We might call the show Other CSO Perspectives. So that's what we did. Over the break, the interns have been helping these Hash Table contributors get their thoughts together for an entire episode of this podcast. So, hold on to your butts.

- Hold on to your butts, butts, butts, butts.

- This is gonna be fun.

(upbeat music)

- My name is Rick Howard and I'm broadcasting from the N2K CyberWire's Secret Sanctum Sanctorum Studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good ol' U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.

(upbeat music)

Errol Weiss is an old friend and a colleague of mine. We've been working together and around each other for going on 20 years. For the last six years, he's been the chief security officer at the Health-ISAC and has been one of the original contributors to the N2K CyberWire Hash Table from the very beginning. For this show, he's gonna make the business case for information sharing, and there's nobody in the world more qualified to do it.
He ran the SOC, the Security Operations Center, for the original Financial Sector ISAC, the FS-ISAC, immediately after President Clinton started the ISAC program in 1999, then served as an FS-ISAC board member for over five years, and later worked for Citibank and, among other things, the bank's information sharing program. For those of you doing the math at home, that's almost 25 years of experience doing cybersecurity information sharing. Here's Errol.

- Thanks, Rick. It's really great to be here. In the quickly evolving cybersecurity threat landscape, sharing information between institutions is critical to improve defenses against increasingly sophisticated threats. Cooperation between organizations can strengthen everyone's defenses, but it's an approach that requires openness and transparency, something that many organizations might be reluctant to do. To a certain extent, the reluctance is understandable. The decision to share information about incidents, vulnerabilities, and best practices is often stymied by concerns over legal and compliance risks. In my experience, legal counsel has been cautious about sharing information on cybersecurity, advising against sharing sensitive information because of the perceived risks. Typically lawyers only see the downsides of sharing such information. Hey, if you're a lawyer, I'm sorry for the overgeneralization, but that's what I see happening more often than not. However, this approach, though well intentioned, often fails to realize the bigger benefits that come from information sharing. I know that info sharing can ultimately improve the resilience of your organization and even improve security and resilience across the entire industry. Collectively, businesses need to formulate strategies to share information about cybersecurity risks and breaches. Sharing information about an incident helps people learn from others who experienced similar attacks, enabling organizations to recover faster and more efficiently.
Companies can share information that will help enhance the defense of other organizations, like information about angles of attack, prevention and mitigation strategies, and a host of other things, because in the long run, they'll be protecting themselves from future cyber threats. The info sharing process starts with support from top-level management. The C-suite, your top executives, like the CEO, CFO, CIO, CSO, and others, all play a critical role in shaping an organization's approach around cybersecurity. In the context of information sharing, the C-suite's role is pivotal in driving the cultural and operational changes needed to transition from a risk-averse stance to one that recognizes the strategic value of collaboration and information exchange. One of the most successful initiatives that C-suite leaders can champion is participation in an industry-specific information sharing and analysis center, or ISAC. ISACs were specifically designed to facilitate the trusted exchange of information among critical infrastructure sectors, and they offer a trusted way to share information. The ISAC concept is a proven model that has stood the test of time. In fact, the 25th anniversary of the first operational ISAC, the Financial Services ISAC, is coming up in October 2024. By opting into an ISAC, not only can organizations protect themselves, but they also contribute to the collective security of their entire industry. Through ISACs, the C-suite can lead the change in fostering a collaborative approach to cybersecurity, one that transcends individual organizational boundaries and builds a stronger, more resilient defense against the ever-evolving threat landscape. Cyber threats are not isolated incidents. They often follow patterns and repeatedly exploit common vulnerabilities across the internet. When one organization falls victim to an attack, the lessons learned there can be invaluable to others facing similar threats.
Information sharing can preemptively strengthen defenses, improve incident response, and foster a collaborative approach to cybersecurity across sectors. Despite these benefits, many companies hesitate to share information due to the perceived legal risks. This reluctance stems from fears of liability, reputational damage, or inadvertently disclosing sensitive information that could be exploited against the firm. They also might view sharing information as giving away a competitive advantage, but at the end of the day, in general, organizations don't compete against each other on security. Instead, the failure to share critical insights can have far-reaching consequences, not just for the individual companies, but for entire industries. Said another way, bad security for one organization is bad security for the entire sector. Just as an example, when I worked in the finance sector during the early days of online banking, we all realized that an incident at a major bank could erode public trust, so we had an incentive to protect each other. On the other hand, embracing information sharing within and across industries can provide compelling advantages, particularly in the context of cybersecurity and risk management.

Number one, enhanced risk management. Sharing information about emerging threats and vulnerabilities allows organizations to stay ahead of potential attacks. By receiving early warnings and intelligence from peers and industry groups, companies can implement preventative measures before they become a target. How about that? Now, that's a protective approach that can reduce the likelihood of successful attacks and minimize damage. How cool! When organizations share information about cyber incidents and breaches, they also benefit from collective intelligence. The shared knowledge can lead to better incident response strategies, faster identification of attack patterns, and improved remediation efforts.
A well-coordinated response, informed by real-time information, can significantly reduce the impact of an incident. Also, shared intelligence creates a broader perspective on the evolving threat landscape. By pooling resources and insights, organizations can identify trends and patterns that may not be apparent when operating alone in isolation. This collective understanding enables more accurate threat modeling and forecasting, allowing organizations to anticipate and prepare for future attacks much more effectively.

Number two, cost savings and resource efficiency. Information sharing often involves exchanging not just threat intelligence, but also tools, techniques, and best practices. The shared knowledge can lead to cost savings, as organizations can leverage community resources like security frameworks, automated detection rules, and incident response templates. By collaborating on the development and refinement of these items, you can avoid duplicating efforts and reduce the overall costs of maintaining robust cybersecurity defenses. When you work in isolation, you're more likely to duplicate efforts in threat research, vulnerability assessments, and mitigation strategies. What I mean by all of that is that when we learn about a new threat, the security teams at each company are working independently, coming up with their own threat analysis and mitigation plans. However, if we work together and crowdsource the solution as a whole, we're not only more efficient, but I'll bet we even have a better solution at the end. By sharing information, organizations can consolidate their efforts, focus on addressing unique challenges, and benefit from collective expertise.

Number three, compliance and legal benefits. Many industries are subject to regulatory requirements related to information sharing and cybersecurity.
Although some may perceive information sharing as a compliance risk, fearing that sharing sensitive information could expose them to legal liabilities, participating in information sharing initiatives is actually a way to ensure compliance. Regulations often require companies to stay up to date on the latest cyber threats and best practices, and sharing information helps organizations do exactly that. By staying informed and sharing insights with industry peers and regulators, organizations can better protect themselves from breaches that could lead to non-compliance. In fact, information sharing demonstrates a proactive approach to risk management, which can strengthen an organization's compliance posture and reduce the likelihood of regulatory penalties. A transparent, collaborative approach to cybersecurity can provide legal protection by showing that an organization is actively taking steps to meet its regulatory obligations. As a side note, being transparent during an incident and sharing with the community can also go a long way in improving public trust. Organizations with mature information sharing processes follow frameworks and guidelines that help them navigate legal complexities. By sticking to these established practices, organizations can mitigate legal risks and avoid potential pitfalls associated with information sharing. So what am I talking about? Here's an example of an information sharing governance structure. You define the types of information your organization will share. You decide who you'll share that information with, and then you determine who in their organization has the ability to release that information. Get the buy-in on this from senior leadership and your internal counsel, and you're golden. There's a great example of this governance model in the info sharing best practices white paper. I've included a link to the white paper in the show notes.
This structured approach ensures that information is shared responsibly on behalf of your firm and in accordance with legal requirements that you've established with your own internal counsel.

Number four, innovation. Collaboration and information sharing can drive innovation, not only in cybersecurity tactics, but also in the development of novel products and services and best practices. When organizations exchange information about operational procedures, they often gain insights into more efficient ways of doing things. Plus, you can learn about emerging technologies and market trends that extend beyond cybersecurity. This new shared knowledge can lead to improved business processes and better buying decisions. It can even inspire new product ideas or service offerings. For example, a company might learn about new software tools or automation techniques through information sharing networks. These could lead to being adapted and repurposed to create innovative products or services that can enhance their market offerings. This blending of shared intelligence and resources accelerates the organization's ability to innovate, not just in how they protect their assets, but in how they grow their business and remain competitive in a dynamic market.

And lastly, number five, professional development. Not only is there a benefit for organizations to improve cybersecurity by participating in information sharing networks, you as an individual can benefit too, through personal and professional development and through the satisfaction of giving back to the community. There's so much to learn from others in the community: technical knowledge, best practices, and even leadership techniques. And I'm talking about knowledge that helps improve you, and it's something that you get to keep forever. So often I hear people say that they get much more out of information sharing than what they put into it. It becomes addictive, and in a good way.
As an example, when I was at Citibank, I was on the front lines when other banks were sharing information about serious incidents that they were experiencing. I saw good examples of how people behaved through an incident, and some not so great examples. I admired those that remained cool and calm under pressure while leading the charge through the incident, and I learned from them. I learned behaviors that I know helped me improve personally and professionally. Despite the clear business case for information sharing, there are unfortunately some real and perceived legal and compliance challenges that prevent sharing information about cybersecurity incidents. These challenges span various domains and include legal and regulatory complexities, risks of exposure and misuse, trust issues, technical barriers, and cultural and organizational obstacles. I'm gonna talk about each one of those.

Here's the first one. For legal and regulatory complexities, one of the most significant challenges to information sharing is the legal and regulatory requirements. Organizations operate under a variety of laws, rules, or regulations that govern how they handle and share sensitive information. For instance, data protection regulations like the General Data Protection Regulation, or GDPR, in Europe impose strict requirements on the sharing of personal data. Not all is lost, though, for info sharing, and there are allowances within GDPR that provide for information sharing. In fact, the FS-ISAC published a white paper on this issue back in 2018. I've got a link to the paper in the show notes. In the US, closer to home, the Cybersecurity Information Sharing Act of 2015 encourages public and private sector information sharing and provides for liability protection as well. Again, see the show notes for the link to that paper. It's really not that difficult, so long as you ensure that any information shared with others complies with these regulations.
Anonymizing data is a powerful and effective way to avoid problems here, but in reality, the types of information shared to help protect the community often contain zero sensitive personal information. So we're really just talking about some edge cases that can be covered by a decent info sharing governance structure. I've talked about how to do that before. See the info sharing best practices paper. There's a link there in the show notes. So back to the legal perceptions. The failure to comply with the privacy regulations can result in severe penalties, making the lawyers and senior leadership hesitant to share information, even when it could benefit the broader community. The lack of harmonization between the laws in different jurisdictions further complicates cross-border info sharing, because what's allowed in one country may not be allowed in another. Regulatory bodies might impose restrictions on the types of information that companies can share, especially when it involves national security issues or the protection of intellectual property. These restrictions can create uncertainty and fear of non-compliance, again deterring organizations from participating in information sharing initiatives. The complexity of navigating these legal landscapes often requires organizations to invest dollars in legal counsel and compliance experts. That only adds to the cost and effort involved just to get started in information sharing. And there's still the fear that you might get into a legal snafu if the information shared is deemed inaccurate or misleading. Then come the potential lawsuits. This can be exacerbated in jurisdictions with strict liability laws, where organizations can be held accountable for the consequences of the information that they share regardless of their intent. As a result, many organizations adopt an ultra-conservative approach, sharing nothing or the bare minimum that's required by law.
And let's be honest, that level of sharing is not effective at all.

(upbeat music)

Number two, risk of exposure and misuse. When organizations share sensitive information, they run the risk that the data could be leaked and, worse yet, used against them. The last thing anyone wants to see is their sensitive info published openly on the internet, social media sites, or even in the news. For example, sharing details about a recent cyber attack could inadvertently disclose vulnerabilities that have not yet been fully mitigated. That risk is especially highlighted when companies are sharing information with third parties that may not have the same level.

(upbeat music)

- And that's our show. Well, part of it. There's actually a whole lot more, and it's all pretty great. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to thecyberwire.com/pro and sign up for an account. That's thecyberwire, all one word, .com/pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus you get a whole bunch of other great stuff like ad-free podcasts, my favorite, exclusive content, newsletters, and personal level of resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to thecyberwire.com/pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that is totally fine. Shoot an email to pro@n2k.com and we'll figure something out. I'd love to see you on N2K Pro. One last thing: here at N2K we have a wonderful team of talented people doing insanely great things to make me and this show sound good.
And I think it's only appropriate you know who they are.

- I'm Liz Stokes. I'm N2K CyberWire's associate producer.

- I'm Trey Hester, audio editor and sound engineer.

- I'm Elliott Peltzman, executive director of Sound and Vision.

- I'm Jennifer Eiben, executive producer.

- I'm Brandon Karpf, executive editor.

- I'm Simone Petrella, the president of N2K.

- I'm Peter Kilpe, the CEO and publisher at N2K.

- And I'm Rick Howard. Thanks for your support, everybody.

- And thanks for listening.

(upbeat music) (bell dings) (beeping)