Collaborative Defense panel: Moving beyond threat sharing

November 16, 2016

The Advanced Cyber Security Center's Annual Conference held a panel on November 3 at the Boston Federal Reserve Bank on “Beyond Threat Sharing: The Case for ‘Collaborative Defense’.”

Moderator:
William Guenther, Chairman, Chief Executive Officer and Founder, Mass Insight Global Partnerships and Chair, ACSC

Panelists:
Mike Darling, Director, Cybersecurity and Privacy, PwC
Mike Papay, Vice President and Chief Information Security Officer, Northrop Grumman
Richard Puckett, Vice President, Cybersecurity, Product and Commercial Security, GE Digital

Key Themes:

We have to work together to build collaborative defense through both formal and informal networks.
“That means we have to be very open with each other. More than you think, we’re tied at the hip. Because of the business I’m in, at any given moment there’s a high probability that a lot of my information is on one of my peer’s networks. And a lot of their information is on one of my networks.” – Mike Papay

“Everyone lives in a bad neighborhood. So the partnerships become much more important.” – Mike Darling

ISAOs hold promise but need to move beyond immediate, tactical information.
“The immediate often drowns out the important… The next piece is how do you take joint actions, how can you do things together … where we’re actually having an effect.” – Mike Darling

ISACs are helpful, but deliver varying value depending on the industry.
“The dilemma we see with broad information sharing is the loss of clarity of outcome. The ISACs can be great training grounds for small entities, they can be great to make connections.” – Richard Puckett

ISACs are valuable to employees sent into the meetings. The sharing of the information makes them “empowered.” “It makes our people motivated to work harder.” – Mike Papay

Larger, sophisticated companies have a ‘social responsibility’ to engage their supply chains on cyber defense.
“There is a social responsibility of the bigger organizations to give back, lending knowledge, experience, or expertise. Teaching them how gets them out of the compliance mindset.” – Richard Puckett

Universities need to teach “consequence-based” engineering.
“In some cases, security classes are optional, they’re not required. … Most of the critical infrastructure we have is not 18 months, but 18 years, and it’s not going anywhere soon.” – Richard Puckett

Looping in other departments, including legal, can help lead to better intelligence sharing.
There also are opportunities to engage HR professionals on cyber. “It’s got to be a broad community as well, not just a thin layer of information security professionals.” – Mike Papay

Use highly publicized breaches as “opportunities to talk about your own defenses.”
Getting to the “how” side of it is important, not “the no, that would never happen to us” mentality. – Richard Puckett

Working with the supply chain: Standardizing compliance checklists for suppliers is an important start.
“I don’t have a relationship with my tier three suppliers; my tier two does. So do I trust my tier two subs to go out and evaluate the tier three suppliers?” – Mike Papay