External Partnerships

Abstract

Chance favors the connected mind.

Chance favors the connected mind.

—Steven Johnson

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

After spending a day at a conference, I was having dinner with a dozen or so peers when a debate began about the dangers and benefits of sharing security information with other companies. One person turned to me and asked if I had information about a specific new threat, would I share it with him.

“You bet,” I said.

“But what if I was your competitor—would you still share?” he asked.

“Our companies might compete for business,” I replied, “but in the security arena, my real competitors are the malicious actors who want to harm my company’s information systems. Those are my competitors, and they’re your competitors, too.”

As soon as I’d said this, several people at the table agreed. This agreement was gratifying—and not just because I felt that I had support for my views. The bigger implication was that my peers saw the value of sharing information outside their companies.

This hasn’t always been the case. In fact, many organizations still frown on the idea of sharing security information externally, and some have policies that forbid it.

There are two primary reasons why organizations are afraid to share. First, they have concerns about the legal implications of revealing security information. A second, related concern is the public-relations aspect. Both of these fears have a valid basis. Information security has become an enterprise risk management issue of board-level interest because of the potential effects. Information leaks revealing potential intrusions and data breaches can have legal consequences: the organization may be required to report the problems in order to comply with financial and privacy regulations, for example. If security issues become public, they may also damage the way the organization is perceived by customers and by the business community, potentially affecting a company’s profitability and its stock price.

Despite these concerns, I believe that it is becoming increasingly important to partner with other organizations to share information about security-related issues such as threats and best practices. As I’ll explain in this chapter, sharing security information can provide considerable benefits in managing the risk of moving into new business relationships and adopting new technologies. We just need to find ways to reduce the risk of sharing. The solution lies in creating trusted information-sharing relationships with other organizations. The more we trust the relationship, the more sensitive the information that can be shared.

The need to share security information is being driven by rapidly changing business, technology, and threat landscapes. Increasingly, companies are collaborating with a broad variety of business partners. We share business information, and often we also use the same information technology. As we do so, we also share risks. Understanding the risks faced by our partners, and the way they manage those risks, can help us protect our own organizations.

Looking more broadly across the technology landscape, all systems and devices are to some extent connected—whether they are owned by enterprises, individuals, or service providers. Almost every aspect of society depends on a worldwide, rapidly evolving, highly complex network of devices and services. This provides the central nervous system that supports innovation, economic development, and social interaction worldwide. But because we are all inherently interconnected, we share common risks. The threat landscape is dynamic, global, and increasingly complex. Threats may originate in any country and then spread rapidly across national and enterprise boundaries, causing extensive damage to organizations and individuals worldwide.

Because threats spread so quickly and the threat landscape is so complex, it is hard for any single organization to gain a clear view of all potential vulnerabilities, threats, and attacks. External partnerships can help. They provide additional intelligence that we can use to improve our own security posture. By exchanging information with other organizations, we gain what I call outsight, or a better understanding of what happens outside our own environment. We learn about new threats before they hit us directly. We see how other organizations are managing those threats. We learn about best practices for managing security operations. Using the information we gather from external relationships, we can increase the organization’s ability to sense, interpret, and act on risk.

The Value of External Partnerships

Sharing security-related information can require initiative and courage. The idea of sharing information externally may run counter to the culture of the organization overall, including the culture within the security group. Organizations may view security information as proprietary and confidential, like intellectual property. Many still have policies against sharing information.

It’s true that much security information is sensitive, and sharing it can introduce risks. Because of this, we need to be careful about what we share and with whom.

But think about the broader context of how organizations are increasingly sharing information. Most organizations have already recognized they need to share sensitive business information with partners in order to develop, manufacture, and market new products. Collaboration with other companies is becoming an integral part of many other business processes, too. As organizations share information, they benefit from their partners’ insights and expertise. As noted by Steven Johnson, author of Where Good Ideas Come From: The Natural History of Innovation (Riverhead Books, 2010), many of the best ideas have emerged not through the inspiration of a single mind, but through the exchange of ideas. “You have half of an idea, somebody else has the other half, and if you’re in the right environment, they turn into something larger than the sum of their parts,” Johnson said in a speech at the 2010 TEDGlobal conference (Johnson 2010). “We often talk about the value of protecting intellectual property—building barricades, having secretive R&D labs, patenting everything that we have, so that those ideas will remain valuable . . . but I think there’s a case to be made that we should spend at least as much time, if not more, valuing the premise of connecting ideas and not just protecting them.”

I believe that there’s similar value in sharing security information. As we collaborate with business partners, we need to understand the threats to their environment, and how they manage risk, in order to determine what we need to do to protect our own organizations. Each partner in a value chain needs to protect information to a level that is adequate to protect the other partners; the weakest link in the chain can impact everyone. Note that throughout this chapter, I use the terms “partner” and “partnership” in the colloquial sense, not to imply any specific type of formal legal relationship.

There are many other examples of how sharing information can benefit all organizations involved. If we are entering new markets through business partnerships, we need to understand the nature of the threats in those markets from the companies currently operating there. The same logic applies to using new technologies. Organizations are extending their environment to customers and becoming suppliers of mobile apps and web services in the process. As they do, they can learn from other companies’ experience how to manage the risks. Companies are increasingly sharing cloud capacity or other data-center infrastructure supplied by external providers, and can all benefit by sharing feedback with the provider about risks within the environment.

Despite these trends, some organizations still have policies stipulating that employees shouldn’t share internal information about risks and threats with anyone outside the company. This is sometimes the case even when the same organization willingly shares other IT-related information such as helpdesk or e-mail management best practices.

Without wishing to discount the real fears driving these policies, the value of sharing information often outweighs the risk of doing so. Let’s imagine that a CISO learns of a new threat affecting companies in his industry sector. He shares information about the threat with a peer at another company and, by doing so, gains insight that helps the organization mitigate an attack that has caused massive damage at other companies. By sharing information against company policy, the CISO took a personal risk. Yet by doing so, he averted the bigger risk of business disruption and damage to the organization’s reputation.

Failure to share information with others introduces its own risks. If we don’t share with peers, they won’t share with us, so we won’t benefit from their information and insights. I’ve seen cases in which information security professionals wanted to participate in communities, but weren’t allowed by their companies to share any internal security-related information. So they attended meetings but couldn’t contribute. Ultimately, their peers wouldn’t tolerate a situation in which these people were receiving information but giving nothing in return, and they were effectively voted off the island.

External Partnerships: Types and Tiers

Much of the publicity about information-sharing initiatives has focused on public-private partnerships related to critical infrastructure and national security. However, there are many other types of formal and informal external information-sharing relationships, including 1:1 partnerships and groups comprised solely of private-sector organizations.

External partnerships are most often used to share information about specific threats and best security practices. But some partnerships focus on other types of information. For example, security specialists within the high-tech sector share information in order to develop security standards, which are then implemented in various products.

Much of this security information is sensitive. Because of this, we need to be able to trust that the partners with whom we share information will treat it appropriately. The more sensitive the information, the greater the level of trust required. In general, the level of trust can be higher in relationships with fewer people, allowing more-sensitive information to be shared. As the number of people increases, there’s a greater chance that information will leak, so the level of trust tends to decrease and only less-sensitive information is shared.

Relationships therefore naturally tend to fall into a tiered pyramid model, as shown in Figure 4-1 and described further in Table 4-1 (Willis 2012). At the top of the pyramid are the most-trusted relationships with the fewest partners—1:1 partnerships between two individuals at different organizations, or between two security teams.

Figure 4-1.

Tiered pyramid model for trusted information-sharing partnerships and communities (Adapted from Willis 2012). Source: Intel Corporation, 2012

Table 4-1. Characteristics of Security Information-Sharing Partnerships and Communities (Adapted from Willis 2012)

Information-sharing relationships between more than two partners are often referred to as communities. Because more people are involved, a legal or peer-enforced agreement is usually needed to define the level of trust and confidentiality expected among community members.

The two middle tiers of the pyramid include groups with intermediate levels of trust, sharing information with varying levels of sensitivity. The Targeted tier typically consists of public-private partnerships aimed at protecting critical infrastructure. The Confidential tier includes many private-sector communities, including regional communities and those focused on specific industry sectors.

At the bottom of the pyramid is the Public tier, comprised of the largest communities with the lowest level of trust. At this level, information is often public and may be broadcast via the Internet. This tier might include groups that develop educational information about threats for public distribution, or CISOs who share their insights via public webcasts.

How can you get involved in information-sharing partnerships? One good method is to start by participating in communities in the Public tier, where the information shared has a relatively low level of sensitivity and therefore involves little risk. In these communities, you’re likely to meet peers with whom you can begin to engage in 1:1 partnerships. As you become more knowledgeable about the communities that reflect your organization’s key interests, you may then become involved in communities in the middle tiers of the pyramid, where more confidential information is exchanged. At Intel’s Information Risk and Security group, we participate in partnerships in all the tiers of the pyramid.

1:1 Partnerships

In my experience, 1:1 partnerships are some of the most valuable security relationships. They may be formal or informal, established at a corporate level or between individuals.

As I explained, a key advantage of a trusted 1:1 partnership is that we can more safely share highly confidential information. We can often create a stronger bond with a single individual than with a larger group. As a result, the shared information often has a depth and richness that’s lacking in information shared within larger communities.

Another advantage is speed. Communication is often fastest in 1:1 partnerships, partly due to logistics. It’s much easier to set up a meeting between two people than it is to organize a meeting with a dozen people. To exchange information about the latest developments, a CISO may be able to simply pick up the phone and have a conversation with his or her peer. Quickly sharing information enables a faster response to threats—and in the security arena, timeliness is often critical.

Here’s an example showing how 1:1 partnerships can develop and benefit both partners. Through my participation in a larger security community, I got to know the CISO at a fast-growing e-commerce company whose customers were primarily consumers. We both would contact each other periodically for advice and information as we puzzled over the latest security challenges. Over time, these conversations evolved into open dialogues about best practices and benchmarking.

The relationship eventually evolved to a point where we both realized we could learn a great deal more by bringing our teams together in a face-to-face meeting. The resulting half-day meeting proved incredibly valuable to both teams. Our team was able to provide insights and experiences about managing security in a large, complex enterprise environment. This was helpful to the security team at the fast-growing e-commerce company, which was in the process of building an enterprise environment to support its fast-growing business. In return, the team at the e-commerce company was able to share the security challenges and experiences of operating a large consumer business with millions of online customers. This was extremely valuable to us at Intel, because we were in the process of expanding our external online presence and were beginning to encounter some of the same challenges.

The partnership thus expanded from ad hoc conversations to a productive relationship between teams sharing experiences and best practices at multiple levels. It’s hard to imagine that this extensive information exchange could have occurred within a larger community.

Another example: I met the CISO of a large manufacturing company at an industry event, and we stayed in touch through occasional e-mails. Then, during a period of especially large-scale industry attacks, our communications suddenly became much more frequent and detailed. It was extremely valuable to be able to pick up the phone and simply call a peer to share the latest knowledge about the attacks and responses.

As Intel’s CISO, I have frequent 1:1 meetings with peers at other companies, sometimes as often as several times a week. These meetings can serve several purposes. Recently, I met with a team from a key supplier to discuss our strategy for securing employees’ personal (bring-your-own) devices. I shared our best practices with this team, and during the question-and-answer discussion, team members also provided information about how they were addressing the same problem. The meeting served as a helpful benchmarking exercise for all of us.

At the same time, the discussion clearly demonstrated each company’s commitment to protecting its partner’s business information. It showed the depth of each company’s strategy for protecting information—revealing a commitment that extended far beyond the desire to comply with contract confidentiality clauses. I felt more confident that if a security issue ever arose, I could talk directly to my counterparts at the supplier company because their commitment to protecting information would enable a productive approach to resolving problems.

Communities

Participating in larger communities may not provide information that’s quite as rich and deep as the information you’d obtain from a 1:1 partnership with a peer. But communities provide value in other ways.

Because they contain more people, communities provide breadth and diversity of perspective that help us make balanced risk decisions. With a larger number of participants, there’s a better chance that one of them will have developed a solution to a problem, or provide valuable new information about an industry attack.

Some communities focus on sharing threat-related information; others on benchmarking and best practices, influencing legislation, developing security standards, or public education.

Communities can also present great networking opportunities. Through participation in communities, I’ve met several people with whom I’ve subsequently developed closer 1:1 partnerships.

Community Characteristics

Like all groups, communities require a structure and set of ground rules to be effective. Successful communities typically have the following characteristics:

• Clear goals. The community shares clearly defined common goals that benefit members, such as mitigating an industry-wide threat. A community may have several goals.

• A strong framework of trust, such as a legal or peer-enforced agreement, that addresses risks related to information sharing among community members. For example, the Industry Consortium for the Advancement of Security on the Internet (ICASI) has a strong multilateral nondisclosure agreement, while other communities, such as the Bay Area CSO Council, rely on a peer-enforced trust framework.

• Trusted communications channels. Members can safely contribute and access shared information using an effective trusted communications channel or mechanism, such as a secure web site. These channels are not always electronic; some regional groups conduct face-to-face meetings to further reduce the risk of compromise.

An organization is most likely to benefit from joining communities if those communities align with the organization’s security goals. This means it’s important to first clearly define those organizational security goals. To do this, some organizations have found it helpful to use a structured approach—they can more clearly categorize their goals by mapping them to a standard risk management model, such as the “defense in depth” model. Once an organization clearly understands its own security goals, it can identify communities whose objectives align with these goals.

Because there is such a diverse range of organizations, security threats, and goals, it is unlikely that any single information-sharing community structure meets all the needs of a large organization. For example, a company might participate in one community for benchmarking and another to tackle industry-specific threats.

Information-sharing communities thrive only when the participating organizations feel they’re receiving valuable information, creating incentives to continue to share information with others.

What constitutes valuable information? A common definition is that information should be timely and specific, relevant to participants’ concerns, and providing a suitable level of detail while protecting individual privacy (ENISA 2010). In practice, “valuable” usually means the information helps you achieve your security goals, whether those goals are long-term and strategic, or short-term and operational. Information useful for strategic goals might include an early warning that attackers are expected to target a specific industry. This helps members of the community plan their defenses. Information useful for operational goals typically includes more specific details, such as an attack signature. This helps organizations more quickly identify an attack and respond when it occurs.

As shown in Figure 4-1 and Table 4-1 (the Targeted tier), some communities consist of government agencies working alongside industry in what are usually known as public-private partnerships (PPPs). These PPPs can be particularly important for protecting critical information infrastructure. Internationally and within many nations, this infrastructure is largely owned and operated by the private sector, including carriers and network service providers. Sharing information about threats and attacks among public and private agencies therefore can help ensure security and resiliency of this infrastructure. Because the shared information is highly sensitive, these PPPs usually have strong trust frameworks including national security clearances.

Other communities primarily include private-sector organizations. Members of an industry may get together to share best practices, helping to reduce risk for each company while enhancing the industry’s reputation overall.

Some communities are regional, aimed at security professionals from private and public-sector organizations located within a specific area. These regional communities offer the advantage of convenience. It takes less time, effort, and expense to attend a regional event, which makes participation more attractive.

Examples of regional groups and forums include the San Francisco Bay Area CSO Council, described shortly. Other useful regional events include the CISO Executive Summits organized by Evanta. These are invitation-only gatherings at which CISOs and other industry experts share insights and information about a wide range of areas, including legal, policy, and security issues.

New communities arise frequently. A community may form in response to a specific threat because companies are strongly motivated to share information about the threat in order to develop effective defenses. For example, the Conficker Work Group was formed specifically to address the risk posed by the Conficker worm.

Community Goals

Communities may focus on narrowly defined goals, such as mitigating a specific threat, or they may have broader information-sharing goals, such as benchmarking security techniques. A single community may pursue several goals. The most well-known types of goal are sharing information about threats (to help member organizations mitigate those threats) and sharing best practices (to improve efficiency). I’ll describe the main categories of information-sharing goals next.

Sharing Information About Threats and Vulnerabilities

Perhaps the best-known function of communities is to provide a trusted mechanism for sharing information about threats and vulnerabilities. Members of the community can use this information to improve their tactical and strategic situational awareness.

I’m often asked by peers how I measure the value of the information obtained from external partnerships. A key metric is whether the early threat information has helped enable us to reduce risk. A single piece of information might make participation worthwhile if it helps us better mitigate risk and protect the company.

Information from the community can also be useful for corroborating evidence that we’ve already identified internally. If we observe a potential new threat within our environment, we may not feel that we have enough evidence to justify taking action. But we can often discuss the issue within a community. If others are experiencing the same problem, we can be more confident that it’s a real issue. This gives us enough reason to act.

Some examples of communities that share threat information include:

• Bay Area CSO Council. This is a regional community that focuses on improving the sharing of intelligence and best practices among CISOs in the San Francisco Bay Area. The Council serves as a vehicle for CISOs to safely and securely share their attack experiences. Members may share artifacts, such as attack signatures, that they can then build into their organizations’ detection and defense mechanisms (Jackson Higgins 2010). The forum uses a peer-enforced trust model rather than a formal legal framework. The group also creates subgroups to work on more highly classified information.

• Information Sharing and Analysis Centers (ISACs ). ISACs are trusted industry-specific communities established by owners and operators of critical infrastructure resources. ISACs exist for a number of industry sectors, including communications, electrical utility, health, and public transit. Services provided by ISACs include risk mitigation, incident response, and alert and information sharing. Intel is a member of the IT sector ISAC (IT-ISAC), which focuses on sharing cyber situational awareness information between IT industry members in the United States. The IT-ISAC has a legal framework of trust characterized by a memorandum of understanding among members.

Sharing Best Practices and Benchmarking

Many communities also serve as a forum for exchanging best practices and for benchmarking operations. By sharing security best practices, we may be able to increase the efficiency and effectiveness of our own operations.

Tapping into the expertise of others can help us avoid reinventing the wheel. A typical example: A CISO is trying to create a bring-your-own device policy for her own organization. So she sends a message to community members and receives detailed advice from others who have already been through the process. This gives the CISO a head start in creating a policy that meets her organization’s needs.

Besides enabling informal exchanges, communities may also operate formal benchmarking exercises. One of the best-known examples is the Information Risk Executive Council, which conducts studies and generates reports that compare companies in a variety of areas, from user security awareness to controls maturity (Corporate Executive Board 2012). Benchmarking information generated by communities can also be useful for demonstrating the efficiency of security operations to other internal groups within your organization, such as an audit committee.

Some benchmarking information is sensitive and closely held because organizations feel that it could reveal too much information about their security operations. Other information is more general and is sometimes publicly available, such as the webinars and presentations published online by Intel and others. Even this general benchmarking information may yield risk insights. Observing what other companies are focusing on, and how they are allocating resources, can help security professionals think about how they need to manage risk within their own organizations.

One of the most established communities is the Forum for Incident Response and Security Teams (FIRST). This international group focuses on sharing best practices among computer security incident response teams. Trust relationships are peer-enforced. The group publishes a series of detailed best-practices guides and other documents for public use. Other activities involve the exchange of information for cooperative incident management.

Benchmarking: Who Should you Compare Yourself With?

Many years ago, I was asked to manage Intel’s first major IT benchmarking activity. It was a big task that entailed analyzing cost, quality, and other aspects of operations across our entire IT environment.

One of the first challenges was determining which organizations we should benchmark ourselves against. At the time, the conventional wisdom at most organizations, including Intel, was that you should compare yourself with similar businesses. The logic was that because these businesses were the most directly comparable, this approach would yield the most meaningful results. So the expectation was that I’d benchmark our operations against a collection of other big high-tech companies.

But I didn’t want to benchmark our operations against only high-tech companies. Instead, I wanted to benchmark against a broad base of companies in industries such as retail, banking, manufacturing, consumer goods, and utilities.

The time came to present my selection of peer groups in a meeting with senior IT management. By this time, I’d already started the benchmarking process, and as I described the diversity of the companies included in the benchmark comparison, I could sense the atmosphere becoming increasingly hostile. Practically everyone felt that my approach was completely wrong. In fact, if there had been rotten tomatoes in the room, a few people would have been throwing them at me.

So I asked for a moment of quiet so that I could explain. “If we were an airline that wanted to benchmark operations, who would we compare ourselves with?” I asked. Several people said they’d benchmark against other airlines.

“What do you think we would learn from that comparison?” I continued. “My guess is not much. We’d all have grown up in the same industry, and we’d probably have similar business processes. Many of our employees would have worked for the other companies and vice versa, so they’d probably implement similar practices. We might learn about minor efficiency improvements, but I wouldn’t expect any breakthroughs.

“If I really wanted to dramatically improve the way I manage airline gate operations, I’d benchmark against a Formula 1 pit crew. Those crews can service a car and get it back on the road in 20 seconds or less. I’d think about what we could learn from studying their processes, their technologies, and their ability to communicate and organize, and I’d try to figure out which aspects could cross over into airline data operations. If we want to make dramatic improvements, we need to look at people who operate in an extreme operational environment—not at other airlines.”

I’m happy to say that the managers in the room recognized that there might be value in the approach I was suggesting, even if many of them still disagreed with it. Ultimately, benchmarking against companies in a broad range of industries did help us achieve some dramatic improvements, and I received an internal award for the initiative. The lesson is that sometimes we can learn more by looking outside a narrowly defined, traditional peer group. People in the same industry may be facing the same problems as we are and dealing with them the same way. For a fresh perspective, it can be worth looking farther afield.

Influencing Regulations and Standards

All of us operate within an increasingly complex regulatory environment, and we’re all affected by evolving technology standards.

It’s important to stay abreast of legislative developments. That can be a difficult and time-consuming job for any single organization, and so it may be helpful to become involved in a community whose goals include tracking regulatory activity.

In addition, communities can sometimes help influence public policy more effectively than a single organization can do alone. There’s strength in numbers, and communities often include some of the biggest companies in an industry.

An example of a community that focuses on policy is BITS (www.bits.org), the technology policy division of The Financial Services Roundtable, which represents 100 of the largest integrated providers of consumer financial services. Members of BITS cooperate on issues such as critical infrastructure protection, fraud prevention, and the safety of financial services. The organization works to influence public policy by communicating with public agencies. It also publishes reports for use across the industry, including a financial services security assessment. Thus, communities that focus on policy may help all participating companies and the reputation of the industry overall.

Businesses who offer services in multiple countries have a particular interest in the international regulatory environment. These include multinationals, of course, which are directly affected by the complex web of regulations at international, national, and local levels.

However, these regulations affect a surprisingly large number of other companies, too—including many that don’t have employees or facilities physically located in other countries. Today, almost any business with a web-based service consumed in multiple countries is effectively operating in a multinational environment. Regulations in those countries have impacts that stretch beyond geographical boundaries. For example, regional and local regulations such as the California data breach bill (SB1386) and European privacy guidelines require compliance by any company that stores information about residents of those areas, no matter where the company is located.

Corporate Citizenship

At many companies, including Intel, a large number of employees volunteer in ways that benefit their neighborhood or a wide variety of worthy causes. Businesses often provide support to help employees do this. There’s a growing trend to leverage the organization’s talent and expertise in volunteer corporate citizenship initiatives that are more closely related to the organization’s goals and employees’ technical expertise. Examples might include offering expert security advice to nonprofits or helping security initiatives in other countries.

Security-related corporate citizenship initiatives include the National Cyber Security Alliance, whose mission is to educate and empower society to use the Internet safely and securely (see staysafeonline.org). The sponsors of the alliance include large high-tech companies such as Intel. Senior managers at those companies also are among the directors of the organization.

Conclusion

The knowledge we acquire via external partnerships can help us protect our own organizations. The security landscape has become increasingly complex and dynamic, and it’s difficult to track and manage the risks without help from others. Sharing security information is also becoming more important as organizations increasingly collaborate with business partners and adopt new technologies. Understanding the risks faced by our partners, and the way they manage those risks, can help us protect our own organizations. As businesses move into new markets and use technology in new ways, we need to understand our biggest exposures and how to allocate resources most effectively to minimize business risk. Therefore, sharing information can help businesses remain competitive and successful.

Organizations have often been reluctant to share security information, but if we want help from other people, we have to be prepared to share information ourselves. By carefully using trusted partnerships that align with our security goals, we can increase the organization’s ability to sense, interpret, and act on risk.