In 2016, my CIO colleagues and I in the Big Ten Academic Alliance realized the game was quickly changing in cybersecurity. Each of us is responsible for protecting the data and technology assets of a large, multi-billion dollar university, and we each had already developed highly skilled cybersecurity operations. We are also all members of the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC), which collects threat intelligence and shares it among 580 college and university CISOs, so we already had a good flow of human-paced security intelligence. The REN-ISAC is one of twenty sector-specific ISACs, ranging from financial services to aviation, that are members of the National Council of ISACs.
We understood that the new frontier was about accelerating the pace of mitigation for dynamic threats. How could we "minimize the time from first awareness of a threat anywhere to mitigation everywhere" among us? As we looked into the future, we knew we would each have to further build out and staff a local cybersecurity operations center, hire additional security personnel from a highly competitive marketplace, and buy more security services from various vendors. We concluded that pouring more money into our current model would not materially address the changed cyber-threat landscape. We needed a different approach, one that could scale efficiently and accelerate the pace of response.
In 2017, five of our institutions founded a 24x7x365 shared cyber Security Operations Center (SOC), the OmniSOC. The OmniSOC will support our local security teams by taking on some of the analysis and risk assessment work on behalf of the member institutions. The OmniSOC will receive real-time security data feeds from each campus, and its assessment and analysis work is built on the Elastic stack. Through real-time security feeds from each member, governmental and corporate security subscriptions, and 24-hour staff, the OmniSOC will provide rapid interaction with local campus security professionals and, eventually, even automated threat mitigation.
The OmniSOC is but one example of the need for sector-specific approaches to cybersecurity. In 2016, the eight largest banks formed their own SOC with the goal of significantly accelerating information sharing and threat mitigation. Again, these banks are all members of the Financial Services ISAC, but given the risks they saw as the eight largest banks, they chose to integrate information sharing even more tightly through a shared operation.
It is fair to observe that cyber risks are universal and don't respect geographic or industry sector barriers. The 2017 WannaCry ransomware worm and its many derivatives posed similar threats to hospitals, universities, governments, and individuals (wherever devices had not been patched). While threats may not vary greatly by sector, responses most certainly do. An attack that closes a grade school computer lab for an afternoon is certainly a pain, but the same attack that disables hospital equipment or puts critical data at risk is another matter. This is why I am highly skeptical of "horizontal" approaches that span many different industry sectors. I have sat in many very well-intended cybersecurity meetings where participants work in completely different schemes of risk tolerance, regulation, and willingness to share possibly embarrassing information.
In contrast, sectors, whether hospitals, K-12 education, research-intensive universities, utilities, or a range of corporate sectors, often have a more homogeneous view of risk, regulation, and response. While they may compete in a variety of ways, rapid sharing of cyber incidents and mitigations has a desirable, common-good value. Accelerating that sharing therefore requires trust, and real-time information flows that have been agreed in advance rather than vetted by legal counsel on each occurrence.
What to Do?
To boards, senior executives, and CISOs, I strongly encourage you to assess the pace of information sharing within your sector or subsector of an industry. If it is measured in days, then you are using the wrong unit of measurement for the pace of the cybersecurity risks we all confront. While a shared SOC may be too large a step in the near term, ask how quick the human-paced, person-to-person sharing of vulnerability detection or incident reporting is, even among the CISOs of your two or three most similar peers. Have legal counsel and executive management signed off on sharing and receiving rapid threat information and handling it with proper care?
When I speak with senior executives who are often befuddled by the overwhelming, daily drumbeat of yet another cyber horror story presented in technical babble, I try to drive home three understandable points: 1) the machine (Internet + devices) is broken and no fix is on the horizon; 2) humans do human things (our greatest vulnerability); and 3) the nefarious actors are organized, industrialized, and growing in sophistication.
It is against this reality that we must act on approaches to cybersecurity that dramatically accelerate our pace of risk mitigation. Investments in core cybersecurity capabilities and staff will always remain important, but the game has shifted to scale and pace. Sector-specific cybersecurity holds great promise to accelerate both within a common risk framework.