The challenges facing security professionals certainly aren’t getting any easier – nor are they likely to do so anytime soon. Not only are the skills and knowledge we need in order to operate evolving at a relentless pace, they are also rapidly diversifying far beyond the familiar technical and governance areas we have been used to. When it seems that even the questions we need to be asking are changing on a near-daily basis, one thing is for sure: no single source of information, set of standards, vendor, organization, or individual can be expected to have all of the answers. If, of course, they ever could. Burdens can be lightened, however, and good things can happen through effective collaboration and information sharing, from the macro level to the micro level.
Take, for instance, the diligence challenges presented by cloud computing and the fact that, according to one 2016 report, security concerns still top the list of perceived barriers to cloud adoption. Some of these are valid concerns, while some are driven by pure FUD – fueling confusion about what does and does not still apply from traditional models of assurance and risk management. As the longest-standing and most internationally recognised not-for-profit body of information security professionals, (ISC)² has demonstrated at a macro level the power of collaboration within the field of training and education.
By partnering with the Cloud Security Alliance (CSA), itself another cross-industry, not-for-profit organization, (ISC)² has established a definitive, credible body of knowledge and an associated vendor-neutral security credential – the Certified Cloud Security Professional (CCSP). Whilst this alone cannot possibly provide ‘all the answers’ for such a broad and dynamically changing field, it does at least offer some common ground of best practice and a framework of considerations from which to start asking the right type of questions. Another not-for-profit organization that effectively utilizes its strong partnerships across industry, government and academia is the Center for Internet Security (CIS). Through its collaborative reach, it produces many helpful, often free resources, benchmarks and guidance, not the least of which is its essential baseline framework of clearly defined Critical Security Controls for Effective Cyber Defense. CIS even explicitly states the following as a core principle:
“Embody COLLABORATION – to be truly successful we must be inclusive; working together for a common purpose.”
Collaboration and information sharing within security can, of itself, introduce risk, however. Any such engagement therefore has to be built upon a sense of trust and shared purpose. Depending on the level of confidence required, that trust may be gained through real-world relationships and informal ‘Chatham House rules’ or via more formalized, legally binding NDA arrangements. Outside of the more altruistic world of non-profit organizations, such factors are not always easy to establish, especially where protected IP, profit margins, livelihoods, kudos and commission may be at odds with such a notion.
Commercial competition is, of course, an essential and healthy driver for innovation and improvement across all aspects of security and information assurance. But when a supplier can only talk myopically, and even dogmatically, about their own company, solutions or services, with little context or acknowledgment of the wider world, it often leaves the impression that they can’t see the bigger picture, or aren't sharing it with you if they can. Indeed, the best suppliers I deal with talk frankly and knowledgeably about the wider industry picture, explaining where and how their pieces fit into the overall puzzle.
They also discuss current threats, market trends and, in some cases, even a direct competitor in a fair, objective and factual way – all of which makes for a far greater sense of customer confidence and credibility around what it is that they themselves have to offer. It is fantastic when different vendors can work together for the greater good of the industry. This fascinating piece around one of the first documented attacks using steganography demonstrates just that. As threats become ever more sophisticated, research is certainly an area that requires collaboration between the best and brightest minds. It’s also a reminder that we need to forge closer links between academia and industry. For this reason, another (ISC)² initiative seeks to ensure that cybersecurity becomes a core component of all UK computing degrees.
At a far more micro level, the sharing of information and real-world experience is something we can all do every day. While there may be a few differences, there should be consistent themes and principles of practice across all sectors. Someone working to protect assets in the financial sector and someone working within the health service both have valuable and unique insights, not least the recognition that good security is not necessarily a ‘one size fits all’ solution, and that perhaps someone has approached something in a novel way. Here in the United Kingdom, CERT-UK has established the Cyber-Security Information Sharing Partnership, a joint industry-government initiative that aims to encourage members across all sectors to share threat and vulnerability information. On a regional level, we in the South West of England are fortunate to benefit from an active security community of trust.
We even have a first-class event, Secure South West, that runs in cooperation with Plymouth University. Even within the untrusted online realm, we can all take advantage of, and contribute to, useful and rapid information sharing. For all the negatives we are used to hearing about through its misuse, social media provides most of us with a daily feast of news and other publicly disseminated security-related information. The challenge here can be to discern ‘the wheat from the chaff’ and then find the time to watch, listen to or read the most useful and relevant items. I am always grateful to those that do take the time to share whatever it is they have benefited from finding. The decent thing to do, of course, is to then share it on yourself to benefit someone else. And on it hopefully goes again. Isolate, hoard, divide and fall; or collaborate, share, unite and win.
The choice is ours. Your adversaries know this only too well and will often collaborate where there is some mutually beneficial nefarious gain to be had. They are also adept at the art of spreading misinformation, of course, but that is an altogether different consideration for another post.
About the Author:
Angus Macrae is a CISSP (Certified Information Systems Security Professional) in good standing, a CCP (NCSC Certified Professional for the IT Security Officer role at Senior Practitioner level) and a PCIP (PCI SSC Payment Card Industry Professional). He is currently the IT security lead for King’s Service Centre, supporting the services of King's College London, one of the world's top 20 universities.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.