Breaking the barriers in information sharing: Changing the discussion from legal risk to C-suite opportunity.
Sep 16, 2024

CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.


In the evolving landscape of cybersecurity, sharing information among institutions is critical to bolster defenses against increasingly sophisticated threats. Cooperation between organizations can strengthen everyone’s defenses, but such an approach requires openness and transparency, something that many organizations have been reluctant to do. 

To a certain extent, the reluctance is understandable. The decision to share information about incidents, vulnerabilities, and best practices is often hindered by concerns over legal and compliance risks. Traditionally, legal advisors have been cautious about sharing information on cybersecurity, advising against sharing sensitive information because of the perceived risk of exposing such information. However, this approach, though well-intentioned, often fails to recognize the broader benefits from information sharing, including the resilience of organizations and industry-wide security.

Collectively, businesses must formulate strategies to share information about cybersecurity risks and breaches. Sharing information about an incident creates the opportunity to learn from others who have experienced similar incidents, enabling organizations to recover more quickly and efficiently. Companies should share information that can enhance the defense of other organizations (information about angles of attack, successful prevention and mitigation strategies, and so on) because in the long run they will be protecting themselves from future cyber threats. This process starts with decisions from top-level management.

The C-suite – comprising top executives such as the CEO, CFO, CIO, CISO, and others – plays a critical role in shaping an organization's approach to cybersecurity. In the context of information sharing, the C-suite's role is pivotal in driving the cultural and operational changes necessary to transition from a risk-averse stance to one that recognizes the strategic value of collaboration and information exchange.

One of the most successful initiatives that C-suite leaders can champion is participation in industry-specific Information Sharing and Analysis Centers (ISACs). ISACs were specifically designed to facilitate the trusted exchange of information among critical infrastructure sectors and offer a proven model for how information sharing can be managed effectively and securely, backed by a long track record of operational experience. In fact, the 25th anniversary of the first operational ISAC, the Financial Services ISAC, is coming up in October 2024.

By opting into ISACs, organizations not only protect themselves but also contribute to the collective security of their entire industry. Through ISACs, the C-suite can lead the charge in fostering a collaborative approach to cybersecurity, one that transcends individual organizational boundaries and builds a stronger, more resilient defense against the ever-evolving threat landscape.

The business case for information sharing.

Cyber threats are not isolated incidents; they often follow patterns and repeatedly exploit common vulnerabilities across industries. Consequently, when one organization falls victim to an attack, the lessons learned can be invaluable to others facing similar threats. Information sharing can preemptively strengthen defenses, improve incident response, and foster a collaborative approach to cybersecurity across sectors.

Despite these benefits, many companies hesitate to share information due to perceived legal risks. This reluctance stems from fears of liability, reputational damage, or inadvertently disclosing sensitive information that could be exploited. They also may view sharing information as giving away a competitive advantage, but, at the end of the day, organizations don’t compete on security. Instead, the failure to share critical insights can have far-reaching consequences, not just for individual companies but for entire industries.  Said another way, bad security for one organization is bad security for the entire sector. 

On the other hand, embracing information sharing within and across industries can provide several compelling advantages, particularly in the context of cybersecurity and risk management. 

Enhanced risk management.

Sharing information about emerging threats and vulnerabilities allows organizations to stay ahead of potential attacks. By receiving early warnings and intelligence from peers and industry groups, companies can implement preventive measures before they become targets. This proactive approach reduces the likelihood of successful attacks and minimizes potential damage.

When organizations share information about cyber incidents and breaches, they also benefit from collective intelligence. This shared knowledge can lead to more effective incident response strategies, faster identification of attack patterns, and improved containment and remediation efforts. A well-coordinated response, informed by real-time information, can significantly reduce the impact of an incident.

Furthermore, shared intelligence creates a broader perspective on the evolving threat landscape. By pooling resources and insights, organizations can identify trends and patterns that may not be apparent when operating in isolation. This collective understanding enables more accurate threat modeling and forecasting, allowing organizations to anticipate and prepare for future attacks more effectively.

Cost savings and resource efficiency.

Information sharing often involves exchanging not just threat intelligence, but also tools, techniques, and best practices. This can lead to cost savings as organizations can leverage shared resources, such as security frameworks, automated detection rules, and incident response templates. By collaborating on the development and refinement of these resources, companies can avoid duplicating efforts and reduce the overall costs of maintaining robust cybersecurity defenses.

When organizations work in isolation, they may duplicate efforts in threat research, vulnerability assessments, and mitigation strategies. By sharing information, organizations can consolidate their efforts, focus on addressing unique challenges, and benefit from collective expertise. This streamlined approach leads to more efficient use of resources and avoids unnecessary expenditures.

Compliance and legal benefits.

Many industries are subject to regulatory requirements related to information sharing and cybersecurity. Although some may perceive information sharing as a compliance risk – fearing that sharing sensitive information could expose them to legal liabilities – participating in information-sharing initiatives is actually a key way to ensure compliance. Regulations often require companies to stay up to date on the latest cyber threats and best practices, and sharing information helps organizations do exactly that. By staying informed and sharing insights with industry peers and regulators, organizations can better protect themselves from breaches that could lead to non-compliance. 

In fact, information sharing demonstrates a proactive approach to risk management, which can strengthen an organization’s compliance posture and reduce the likelihood of regulatory penalties. Additionally, a transparent, collaborative approach to cybersecurity can provide legal protection by showing that the organization is actively taking steps to meet its regulatory obligations.

Information-sharing organizations often provide frameworks and guidelines that help members navigate legal complexities. By adhering to these established practices, organizations can mitigate legal risks and avoid potential pitfalls associated with information sharing. This structured approach ensures that information is shared responsibly and in accordance with legal requirements.

Innovation. 

Collaboration and information sharing can drive innovation not only in cybersecurity tactics but also in the development of novel products and services. When organizations exchange information about operational procedures, they often gain insights into more efficient ways of doing things, emerging technologies, and market trends that extend beyond cybersecurity. This knowledge can lead to improved business processes, which, in turn, may inspire new product ideas or service offerings that address unmet customer needs. 

For example, a company might learn about new software tools or automation techniques through information-sharing networks, which could then be adapted or repurposed to create innovative products or services that enhance their market offerings. This blending of shared intelligence and resources accelerates the organization’s ability to innovate, not just in how they protect their assets, but in how they grow their business and remain competitive in a dynamic market.

Professional Development.

Organizations are not the only beneficiaries of information sharing; individuals benefit too, through personal and professional development and through the satisfaction of giving back to the community. There is a great deal to learn from others in the community: technical knowledge, best practices, and even leadership techniques. That knowledge improves the individual, and it is something they keep forever. So often I hear people say you get much more out of information sharing than what you put into it.

Challenges to information sharing

Despite the clear business case for information sharing, there are both real and perceived legal and compliance challenges that might prevent organizations from sharing information about cybersecurity incidents. These challenges span various domains, including legal and regulatory complexities, risks of exposure and misuse, trust issues, technical barriers, and cultural and organizational obstacles.

Legal and regulatory complexities.

One of the most significant challenges to information sharing is the legal and regulatory landscape. Organizations operate under a variety of laws and regulations that govern how they handle and share sensitive information. For instance, data protection regulations like the General Data Protection Regulation (GDPR) in Europe impose strict requirements on the sharing of personal data.  There are allowances within GDPR, for example, that provide for information sharing – in fact the FS-ISAC published a whitepaper on this issue.  In the US, the Cybersecurity Information Sharing Act of 2015 encourages public and private sector information sharing and provides for liability protection as well. 

Organizations must ensure that any information shared with third parties complies with these regulations, which often requires anonymizing data or obtaining explicit consent from data subjects. Failure to comply can result in severe penalties, making organizations hesitant to share information, even when it could be beneficial to the broader community. Additionally, the lack of harmonization between the laws in different jurisdictions further complicates cross-border information sharing, as what is permissible in one country may be illegal in another.

Regulatory bodies may impose restrictions on the types of information that companies can share, especially when it involves national security or intellectual property. These restrictions can create uncertainty and fear of non-compliance, deterring organizations from participating in information-sharing initiatives. The complexity of navigating these legal landscapes often requires organizations to invest in legal counsel and compliance experts, adding to the cost and effort involved in information sharing.

Furthermore, organizations may face legal challenges if the information they share is later deemed inaccurate or misleading, leading to potential lawsuits from affected parties. This risk can be exacerbated in jurisdictions with strict liability laws, where organizations can be held accountable for the consequences of their shared information, regardless of intent. As a result, many organizations adopt a conservative approach, sharing only the bare minimum required by law, thereby limiting the effectiveness of information-sharing efforts.

Risk of exposure and misuse.

Another challenge is the inherent risk of exposure and the potential for information misuse. When organizations share sensitive information, they run the risk that this data could be intercepted, leaked, or used against them. For example, sharing details about a recent cyberattack could inadvertently disclose vulnerabilities that have not yet been fully mitigated. This risk is particularly pronounced when companies are sharing information with third parties that may not have the same level of security controls in place. The fear of such exposure often leads organizations to withhold information, undermining the potential collective defense benefits that could be achieved through more open collaboration.

Additionally, the risk of exposure is compounded by the increasing sophistication of cyber threats. Advanced persistent threats (APTs) and nation-state actors may actively target information-sharing platforms to gain access to sensitive data, to hold data for ransom, or to merely interfere with the operations of a particular organization. This risk requires organizations to implement stringent security measures, such as encryption, access controls, and continuous monitoring, to protect shared information. However, these measures can be costly and resource-intensive, further deterring organizations from participating in information-sharing initiatives.

Organizations must consider the potential reputational damage that could result from a data leak or misuse of shared information. Reputational damage can manifest in various forms and impact several key stakeholders: When an organization suffers a data breach or is involved in the misuse of shared information, it can erode customer trust, especially if personal data is exposed. Customers may perceive the organization as careless or incapable of safeguarding their information, leading to a loss of confidence in the organization’s services or products. This can result in customer churn, reduced loyalty, and a tarnished brand image that takes years to rebuild. The more personal the data at risk (such as financial information or health records), the deeper the potential harm to the organization's reputation. 

For publicly traded companies, reputational damage from a data leak can directly affect shareholder confidence. News of a breach or misuse of information can lead to stock price drops, as investors react to the perceived increased risk and potential financial fallout, such as lawsuits, regulatory fines, or the loss of key customers. Additionally, investors may begin questioning the organization's governance, risk management practices, and ability to prevent future incidents, further destabilizing the company's financial standing. 

Reputational damage extends to business-to-business relationships as well. Partners, suppliers, and industry peers who rely on the organization’s security and integrity may lose trust in the company, making them hesitant to collaborate or share their own sensitive information. This can isolate the organization within its industry, reducing opportunities for future partnerships and weakening its competitive position. 

Furthermore, in industries where information sharing is crucial, like cybersecurity, a poor reputation could result in exclusion from key collaborative networks, further hampering the organization’s ability to defend itself and innovate. Regulatory scrutiny tends to increase following high-profile data breaches or misuse of information. An organization's reputation with regulators can suffer, leading to more stringent oversight, increased audits, and harsher penalties in the event of future violations. This heightened scrutiny can not only drain resources but also signal to the market and the public that the organization is not operating in full compliance, further harming its standing. 

Reputational damage can also embolden competitors, who may capitalize on the affected organization's misfortune by marketing their own security measures as more robust. Competitors can attract both customers and partners who seek greater security and reliability, further eroding the troubled company’s market position. Negative press coverage surrounding a breach can give rivals the opportunity to position themselves as more trustworthy and secure alternatives in the eyes of stakeholders. 

This fear of reputational damage often leads organizations to adopt a cautious approach to information sharing, limiting the scope and detail of the information they share. While this may reduce immediate risks, it also curtails the organization's ability to contribute to collective industry defenses, leaving the broader ecosystem more vulnerable to attacks. Finding a balance between cautious sharing and responsible openness is crucial for maintaining trust and security across all levels of stakeholder engagement.

Trust issues among organizations.

Trust between organizations is another critical barrier. Effective information sharing relies on a foundation of trust, where all parties believe that the shared information will be used responsibly and that their contributions will not be exploited for competitive advantage. However, building this trust is challenging, especially in competitive industries where organizations may be reluctant to share information with potential rivals. The fear of losing a competitive edge or inadvertently aiding a competitor can lead to a reluctance to participate in information-sharing initiatives. 

Additionally, the lack of transparency and clear governance structures within information-sharing networks can further erode trust, as organizations may be uncertain about how their information will be used and who will have access to it.

Trust issues can be exacerbated by past experiences where shared information was mishandled or misused. For example, organizations that have previously participated in information-sharing initiatives only to have their sensitive data leaked or exploited may be hesitant to engage in future collaborations. This lack of trust can create a vicious cycle, in which organizations withdraw from information-sharing efforts, leading to reduced participation and effectiveness of the network as a whole.

Furthermore, the absence of clear legal and contractual frameworks governing information sharing can contribute to trust issues. Organizations may be concerned about the lack of legal recourse if shared information is misused or if partners fail to uphold their obligations. This uncertainty can deter organizations from entering into information-sharing agreements, as they may perceive the risks as outweighing the potential benefits.

Technical barriers.

The complexity of integrating different systems, ensuring data security, and maintaining the integrity of shared information can be daunting. Many organizations have proprietary systems and tools that are not easily compatible with those used by others. This lack of standardization can create significant technical challenges, as organizations must invest time and resources into developing custom integrations, data formats, and protocols to facilitate information sharing. Additionally, the rapid pace of technological change means that organizations must continuously update and adapt their systems to remain compatible with emerging standards and practices.

The volume and complexity of data involved in cybersecurity can be overwhelming. Organizations must process and analyze vast amounts of data to extract meaningful insights, which can strain their existing infrastructure and resources. The challenge is further compounded by the need to share this information in real-time or near real-time, requiring robust data transmission and processing capabilities. Organizations may need to invest in advanced technologies, such as artificial intelligence and machine learning, to automate and streamline the information-sharing process, which can be costly and resource-intensive.

Additionally, organizations must ensure that shared information is protected against unauthorized access, tampering, and other security threats. This requires implementing strong encryption, access controls, and monitoring mechanisms, which can add complexity and cost to the information-sharing process. The need to balance security with ease of access can create significant technical challenges, as organizations must find ways to protect their data while ensuring that authorized partners can access and use it effectively.

Cultural and organizational obstacles.

Finally, cultural and organizational factors can also play a significant role in hindering information sharing. Many organizations have a deeply ingrained culture of secrecy and risk aversion, particularly when it comes to cybersecurity. This cultural mindset can be difficult to change, as it is often reinforced by organizational structures, policies, and leadership attitudes. For example, if an organization's leadership prioritizes secrecy and risk minimization over collaboration and transparency, it can create an environment in which employees are reluctant to share information, even when it could be beneficial.

Organizational silos can further exacerbate the challenge. In many organizations, different departments or teams may have their own cybersecurity protocols, tools, and practices, leading to fragmented and disjointed information-sharing efforts. This lack of coordination can create barriers to effective information sharing, as different parts of the organization may not be aware of or aligned with each other's efforts. Overcoming these silos requires strong leadership and a commitment to fostering a culture of collaboration and open communication.

Additionally, organizations may face resistance to change from employees who are accustomed to the status quo. Implementing new information-sharing practices often requires changes to established workflows, processes, and systems, which can be met with resistance from employees who are reluctant to adopt new ways of working. Overcoming this resistance requires effective change management strategies, including clear communication, training, and incentives to encourage employees to embrace new practices.

Sharing information.

Sharing information in cybersecurity is a delicate and complex process that requires a methodical approach to ensure that the data exchanged is both useful and secure. At the core of this process is the need to protect sensitive information while simultaneously enabling the effective dissemination of threat intelligence. Organizations can achieve this balance by implementing a series of best practices that guide the information-sharing process, from the initial evaluation of data to its final distribution.

There is also a misconception that compliance with data protection laws prohibits any form of information sharing. However, many regulations allow for the sharing of anonymized or aggregated data, which can still be valuable for threat intelligence purposes. 

Categorize information by sensitivity.

The first step in sharing information is the assessment of its sensitivity and relevance. Organizations must categorize data based on its level of sensitivity, considering factors such as the potential impact on the organization if the information were to be disclosed improperly, and whether the data contains personally identifiable information (PII), protected health information (PHI), or proprietary details. 

Organizations should use extreme caution when sharing any threat indicators that reveal specific vulnerabilities within the organization's network. It’s important that such details not inadvertently expose the organization to additional risks. One effective method for categorizing information is the traffic light protocol (TLP), a standardized system that assigns colors to data based on how widely it can be shared and with whom. 

The TLP uses four colors: red, amber, green, and clear (or white). Red indicates that the information is highly sensitive and can only be shared with specific individuals within the organization. The data should not be shared externally under any circumstances. Amber means that the information is somewhat sensitive and can be shared within the organization and with trusted partners who need to know, but it should not be publicly disclosed. Green allows for broader sharing. The information can be distributed within the organization and to external parties, provided it is relevant, but it should not be made publicly available. Clear/White indicates that the information can be freely shared with anyone, including the general public.

This protocol helps prevent unauthorized dissemination and ensures that recipients clearly understand the level of confidentiality required, protecting both the organization and those with whom they share the information.

Assess recipients.

Once you establish the sensitivity of the information, the next step is to consider the trustworthiness and suitability of the recipients. Not all stakeholders require the same level of detail, and not all are equally equipped to handle sensitive data. For example, sharing detailed technical indicators with a peer organization that lacks the necessary security infrastructure could expose both parties to greater risks. To mitigate this, organizations should establish clear guidelines on who is authorized to receive certain types of information. This often involves setting up formal agreements or non-disclosure agreements (NDAs) with trusted partners and vendors to legally bind them to confidentiality obligations.

Vet the data.

Quality and clarity of the shared information are also critical to its effectiveness. Analysts should include confidence levels in their intelligence reports, which indicate the reliability of the data and the degree of certainty associated with their analysis. 

This is particularly important when the information is derived from multiple sources, where some may be more credible than others. Including detailed source information, when permissible, allows recipients to trace the origin of the data and evaluate its credibility. Additionally, context and analysis should accompany raw data to help recipients understand its significance and how it relates to their specific environment. Without this context, even the most accurate data may be misinterpreted or undervalued.

Monitoring and oversight.

To streamline the sharing process, organizations can leverage threat intelligence platforms (TIPs), which automate the collection, analysis, and distribution of threat intelligence. TIPs can automatically categorize information according to predefined rules, tag it with appropriate TLP levels, and distribute it to authorized parties without manual intervention. This automation reduces the workload on cybersecurity teams and ensures that information is shared in a timely and consistent manner. 

However, the implementation of TIPs requires careful configuration to avoid oversharing or under-sharing critical information. Fine-tuning these systems to balance automation with human oversight is essential to maintaining both efficiency and security.
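The TLP categorization described under "Categorize information by sensitivity" and the automated TIP-style tagging and distribution described above can be expressed as a small policy filter. The following is an added example, not code from Health-ISAC, any ISAC, or any threat intelligence platform; it models the four TLP colours exactly as the text describes them, assumes four recipient audiences ("internal", "partner", "community", "public"), carries the analyst confidence level and source the text calls for, withholds indicators that reveal an unmitigated weakness in the sharing organization's own network from any external audience, and redacts email addresses from free-text notes as a minimal form of the anonymization the text mentions. All indicator records and names are constructed for illustration.

```python
"""TLP-aware release filter for threat indicators (constructed example)."""
import re
from dataclasses import dataclass
from enum import Enum


class TLP(Enum):
    RED = "red"
    AMBER = "amber"
    GREEN = "green"
    CLEAR = "clear"  # also written "white" in older usage


# Audiences each colour permits, following the text's description:
# red stays with specific individuals inside the organization; amber reaches
# trusted partners with a need to know; green reaches the wider community but
# not the public; clear may be shared with anyone.  Audience names are assumed.
_PERMITTED = {
    TLP.RED: {"internal"},
    TLP.AMBER: {"internal", "partner"},
    TLP.GREEN: {"internal", "partner", "community"},
    TLP.CLEAR: {"internal", "partner", "community", "public"},
}
_AUDIENCES = _PERMITTED[TLP.CLEAR]

# Minimal PII scrub: replace anything that looks like an email address.
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Indicator:
    value: str
    kind: str                 # e.g. "domain", "ipv4", "note"
    tlp: TLP
    confidence: int           # analyst confidence, 0-100
    source: str               # where the observation came from
    notes: str = ""           # free-text context for the recipient
    reveals_internal_weakness: bool = False  # unmitigated gap in our own network


def may_share(tlp: TLP, audience: str) -> bool:
    """True if the colour permits release to this audience."""
    if audience not in _AUDIENCES:
        raise ValueError(f"unknown audience: {audience!r}")
    return audience in _PERMITTED[tlp]


def redact(text: str) -> str:
    """Strip email addresses from free text before it leaves the organization."""
    return _EMAIL.sub("[redacted-email]", text)


def prepare_release(indicators, audience: str):
    """Return the subset of indicators this audience may receive, as plain dicts."""
    release = []
    for ind in indicators:
        if not 0 <= ind.confidence <= 100:
            raise ValueError(f"confidence out of range for {ind.value!r}")
        if not may_share(ind.tlp, audience):
            continue
        # Indicators that expose our own unmitigated weaknesses stay internal,
        # regardless of the colour an analyst attached to them.
        if ind.reveals_internal_weakness and audience != "internal":
            continue
        release.append({
            "value": ind.value,
            "type": ind.kind,
            "tlp": ind.tlp.value,
            "confidence": ind.confidence,
            "source": ind.source,
            "notes": redact(ind.notes) if audience != "internal" else ind.notes,
        })
    return release


# Constructed sample indicators (placeholder values, not real observations).
SAMPLE = [
    Indicator("fake-vendor-support.example", "domain", TLP.GREEN, 85,
              "member report (constructed)",
              notes="Lookalike support site; reported by jane@hospital.example"),
    Indicator("203.0.113.7", "ipv4", TLP.AMBER, 60, "partner sensor (constructed)",
              notes="Seen hosting credential-harvesting page"),
    Indicator("Unpatched remote-access gateway vpn-gw01", "note", TLP.RED, 95,
              "internal assessment (constructed)", reveals_internal_weakness=True),
    Indicator("Phishing theme: fake vendor support", "note", TLP.CLEAR, 90,
              "community advisory (constructed)"),
]

if __name__ == "__main__":
    for audience in sorted(_AUDIENCES):
        released = prepare_release(SAMPLE, audience)
        print(f"{audience:10s} -> {[r['value'] for r in released]}")
```

Running the block prints, for each audience, which of the four constructed indicators would be released: the public sees only the TLP:CLEAR advisory, the community sees the green and clear items with the reporter's email redacted, partners additionally receive the amber item, and only internal recipients ever see the red note about the organization's own unmitigated weakness.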

Robust governance models must be in place to oversee the entire information-sharing process. This includes establishing a dedicated team or committee responsible for managing the flow of information, setting policies for data sharing, and regularly reviewing these policies to adapt to evolving threats and regulatory requirements. These governance models should also include incident response plans that detail how to handle situations in which some party leaks or misuses the shared data. Such plans ensure that there are protocols in place to mitigate any potential damage swiftly.

Engaging in industry-wide collaboration.

The concept of Information Sharing and Analysis Centers (ISACs) is a prime example of successful information sharing in cybersecurity, particularly within critical infrastructure sectors. The idea for ISACs was introduced in the US through Presidential Decision Directive-63 (PDD-63), signed on May 22, 1998. This directive recognized the growing threat landscape and emphasized the need for enhanced collaboration among critical infrastructure sectors. The federal government tasked each sector to establish an ISAC to share information about threats and vulnerabilities. The goal was to foster a cooperative environment in which organizations could work together to protect their facilities, personnel, and customers from cyber and physical security threats.

ISACs now play a pivotal role in facilitating cybersecurity collaboration across industries. These organizations are designed to foster information sharing among companies within a particular sector, providing a platform in which members can share threat intelligence, best practices, and mitigation strategies in a secure and trusted environment. ISACs operate across various industries, including financial services, health care, energy, and transportation, among others.

The C-suite should actively participate in industry-wide information-sharing initiatives such as ISACs and other collaborative platforms. ISACs serve as a central hub for gathering, analyzing, and disseminating critical information related to cybersecurity threats and incidents. By participating in an ISAC, organizations can gain access to timely and relevant threat intelligence that may not be available through other channels. This access to collective knowledge enables organizations to enhance their situational awareness, improve their ability to detect and respond to threats, and reduce the likelihood of successful cyberattacks.

ISACs provide a forum for members to discuss emerging threats and vulnerabilities, share insights from their experiences, and collaborate on developing industry-specific solutions. This collaborative approach is particularly valuable in industries where the cybersecurity landscape is constantly evolving, as it allows organizations to stay ahead of emerging threats and adapt their defenses accordingly.

Additionally, ISACs play a critical role in fostering public-private partnerships. Many ISACs work closely with government agencies, law enforcement, and regulatory bodies to share information and coordinate responses to large-scale cyber threats. This collaboration helps bridge the gap between the private sector and government, ensuring that both sides can benefit from shared intelligence and resources.

To maintain and grow their membership base, ISACs will need to focus on enhancing member engagement and providing education and training opportunities. This could include offering webinars, workshops, and certifications on cybersecurity topics, as well as creating opportunities for members to network and share experiences. By providing value-added services, ISACs can encourage greater participation and foster a more engaged and informed membership. Moreover, participating in an ISAC is also a building opportunity for the institution. You get out more than what you put in.

Real-world example: Health-ISAC and the faulty CrowdStrike update.

On July 19, 2024, a sudden and widespread IT issue caused Microsoft Windows systems across the globe to enter repeated reboot loops, creating a crisis for healthcare organizations worldwide. Initially detected in the Asia Pacific region, the problem quickly spread to systems in the U.S., sparking a wave of urgency. Within hours, a global network of Health-ISAC members, alerted by their counterparts, began collaborating in real-time. Through shared communication platforms, they pooled their knowledge to identify the root cause—a faulty update from CrowdStrike—and, more importantly, to develop effective mitigation strategies.

By the time morning arrived in the U.S., hundreds of Health-ISAC members were actively engaged in discussions, sharing insights, and updating each other on their progress. The swift, coordinated response not only helped contain the incident's impact but also thwarted cybercriminals who attempted to exploit the confusion by launching phishing campaigns disguised as "CrowdStrike support." This incident highlighted the power of collective problem-solving in the healthcare sector, where timely collaboration can mean the difference between minor disruptions and significant operational crises.

The path forward.

To overcome the challenges to information sharing, a shift in perspective is necessary, one that views the practice not as a legal risk but as a strategic business imperative. This shift must be driven from the top, with the C-suite playing a pivotal role in fostering a more secure, resilient, and collaborative cybersecurity environment.

When members of the C-suite change the discussion around information sharing from a narrow focus on legal risks to a broader understanding of business benefits, organizations can unlock the full potential of collaborative cybersecurity efforts. This approach not only strengthens individual companies but also enhances the security and resilience of entire industries.

In an interconnected world, the strength of one organization’s defenses depends on the collective knowledge and vigilance of the entire community. It’s time to break the barriers and embrace a future in which information sharing is not a risk to be avoided, but a strategic advantage to be leveraged. By doing so, C-suite members can protect themselves, their organizations, and the customers they serve in an increasingly complex and dangerous cyber landscape.

To read more information on information sharing best practices, read Health-ISAC’s whitepaper here.