Countless man-hours, enormous amounts of money, and a lot of intelligence have gone into trying to stay ahead of the bad guys.
And, in many cases, it hasn’t gotten us anywhere.
Here’s something that might help: A formal network that shares security updates between CISOs to help each CISO more proactively defend their organization. Information on trends and counter-strategies in a dynamic scenario like cyber-security is important so that each network member can calibrate their response appropriately. It ensures that if one security fence goes down, the same trick isn’t going to bring down others.
“Collaboration during ongoing incidents and the sharing of learnings thereafter is another reason to build and operate such a network. These networks need to have secure infrastructure given the sensitive nature of the information being traded,” says Nandkumar Saravade, Independent Advisor on Security and Fraud (currently advising EY, ICICI Bank and Citi).
He says that government agencies and organizations are an important stakeholder group which can contribute to the security information stream and benefit from it. Hence, the need to have a formal structure and optimal governance.
Initiatives to share information have existed in the US and other advanced countries for many years. Saravade cites the example of the Financial Services Information Sharing and Analysis Centre (FS-ISAC) in the US, which has been in existence since 1999.
“Other sector ISACs are also well developed and enjoy more than 90 percent coverage. There is also a National Council of ISACs, which organizes an annual conference of member ISACs on critical infrastructure protection,” he says.
In India, initiatives to create such networks have been attempted from time to time. “I was a member of the Gopalakrishna Committee (in the fraud domain) which recommended creating state-level bodies which could meet from time to time and review fraud trends and work on countermeasures,” says Saravade.
However, he laments that due to a lack of sufficient ownership, the recommendation did not result in adequate resourcing and operationalization.
“Creating new institutions requires an ability to understand best practices elsewhere, an evangelical approach, and an ability to innovate and persist till a level of maturity is reached. In India, we will see results when these factors combine, with the onus clearly being on the government, to make things happen,” he says.
Saravade says that the primary goal of a formal network is to build a community of fellow professionals who can share information on risk mitigation, incident response and threat intelligence. The objective is to provide members with accurate, actionable, and relevant information.
“The activities could include access to a 24/7 security operations center, briefings, white papers, threat calls, webinars, and anonymous critical infrastructure reporting,” he says.