Collaborative Defense panel: Moving beyond threat sharing
November 16, 2016
The Advanced Cyber Security Center's Annual Conference held a panel on November 3 at the Boston Federal Reserve Bank on “Beyond Threat Sharing: The Case for ‘Collaborative Defense’.” Panelists:
William Guenther, Chairman, Chief Executive Officer and Founder, Mass Insight Global Partnerships and Chair, ACSC
Mike Darling, Director, Cybersecurity and Privacy, PwC
Mike Papay, Vice President and Chief Information Security Officer, Northrop Grumman
Richard Puckett, Vice President, Cybersecurity, Product and Commercial Security, GE Digital
We have to work together to build collaborative defense through both formal and informal networks.
“That means we have to be very open with each other. More than you think, we’re tied at the hip. Because of the business I’m in, at any given moment there’s a high probability that a lot of my information is on one of my peer’s networks. And a lot of their information is on one of my networks.” – Mike Papay
“Everyone lives in a bad neighborhood. So the partnerships become much more important.” – Mike Darling
ISAOs hold promise but need to move beyond immediate, tactical information.
“The immediate often drowns out the important… The next piece is how do you take joint actions, how can you do things together … where we’re actually having an effect.” – Mike Darling
ISACs are helpful, but deliver varying value depending on the industry.
“The dilemma we see with broad information sharing is the loss of clarity of outcome. The ISACs can be great training grounds for small entities, they can be great to make connections.” – Richard Puckett
ISACs are valuable to the employees sent into the meetings. The sharing of information makes them “empowered.” “It makes our people motivated to work harder.” – Mike Papay
Larger, sophisticated companies have a ‘social responsibility’ to engage their supply chains on cyber defense.
“There is a social responsibility of the bigger organizations to give back, lending knowledge, experience, or expertise. Teaching them how gets them out of the compliance mindset.” – Richard Puckett
Universities need to teach “consequence-based” engineering.
“In some cases, security classes are optional, they’re not required. … Most of the critical infrastructure we have is not 18 months, but 18 years, and it’s not going anywhere soon.” – Richard Puckett
Looping in other departments, including legal, can help lead to better intelligence sharing.
There also are opportunities to engage HR professionals on cyber. “It’s got to be a broad community as well, not just a thin layer of information security professionals.” – Mike Papay
Use highly publicized breaches as “opportunities to talk about your own defenses.”
Getting to the “how” side of it is important, not “the no, that would never happen to us” mentality. – Richard Puckett
Working with the supply chain: Standardizing compliance checklists for suppliers is an important start.
“I don’t have a relationship with my tier three suppliers, my tier two does. So do I trust my tier two subs to go out and evaluate the tier three suppliers?” – Mike Papay