Tuesday, August 21, 2012

Do security like a start-up or get fired - Share

This is part of a blog series. For more details, start with the intro.

Share with competitors

Sharing information with competitors: the notion sounds counter-intuitive. But the bad guys do it. Security vendors do it. Of course, I'm not talking about sharing corporate secrets. The bad guys share exploits. Software, solution and technology providers share the threats we hear about or come across and that our customers need to deal with.

Essentially, this statement equates to the following:
"Share best practices with the community."
That's it. If you look at it this way, it's not so daunting. We need to remember that at the macro-level, IT security is an ecosystem, not just a silo within one company. Facebook, LinkedIn, Zynga and other start-ups (technically these companies are no longer start-ups, but they maintain the mentality of one) talk to each other all the time about security threats and how they are doing certain things.

A common question vendors get is:
"How is one of your customers in our industry doing this?"
I have news for you. More often than not, vendors are not allowed to tell you. Contracts and non-disclosure agreements (NDAs) prevent this. Vendors may be able to tell an organisation something vague about a similar organisation, but some information is suppressed, even if the other organisation's name is not mentioned. Each of you working within an organisation (one that is not in the business of providing IT security solutions or consulting services to others) is in a much better position to reach out and talk about the issues you are facing and how you are addressing them. Sure, keep the initiatives that give you a competitive advantage secret, but there are plenty of things you can share that won't give the crown jewels away.

The immediate reaction from most will be:
"Yeah, sure but this is easier said than done."
That's stating the obvious, but the IT security community is relatively small, especially when you look at the community within each country. Most people know each other in some form or another. Add in the industry associations (e.g. AISA in Australia) and the proliferation of social media like LinkedIn or Twitter, and it's easier than it has ever been to reach out, especially if you're not trying to sell anyone anything. It's more difficult from where vendors or consultants sit, because everyone keeps wondering when we're going to come out with the "so, about this solution we have from _insert-vendor-name-here_" discussion and break into the sales song and dance.

Next up - Manage risk.
