There are few things that everyone in the information security industry agrees upon, but the need to share threat and risk mitigation information is certainly one area where there is majority agreement. Everyone concurs that it’s essential for security professionals to share security-related intelligence about their industries, about which defenses and controls work and which don’t, and about the daily changing nature of the threats out there.
With those goals in mind, the International Association of Certified ISAOs (IACI) just launched. The new international association will help to connect governments, private businesses, and regional organizations so that they can better protect against, detect, respond to, and recover from digital attacks, the group said.
The idea is to put government, the private sector, and global organizations in partnership for protection against, detection of, response to, and recovery from cyber incidents, both in the United States and across the world. The subject of information sharing has heated up this year. Earlier this year, U.S. President Barack Obama signed Executive Order 13691, Promoting Private-Sector Cybersecurity Information Sharing. EO 13691 provides a way for enterprises to (hopefully) work more easily with the U.S. federal government when it comes to protecting against attacks. One of the central pieces of the order was to fund the creation of an organization to develop a common set of voluntary standards for ISAOs.
While the IACI isn’t associated with EO 13691 funding, IACI will use the draft guidance from the ISAO Standards Organization (which EO 13691 funded), coming out next month, as the first framework for IACI membership to consider certification against, Chris Blask, Chairman of the IACI, said. “There will likely be other sets of standards and guidance developed by other sources [nations, regions, etc.], the IACI membership will consider all such frameworks as foundations for differing types of ISAO certification, and will seek to harmonize such standards and certifications globally so ISAOs in different jurisdictions can determine how to best serve their own memberships and how to interact with other ISAOs,” Blask said.
“With the proliferation of ISAOs, it is time they had their own international industry association,” Blask said in a statement. “Information sharing organizations need to have a unified voice in guiding the development of the critical space they occupy. The community of ISAOs contains much of the expertise and experience in information sharing and is therefore best positioned to determine how to coordinate efforts, validate certifications as they are developed in different jurisdictions, and help each other successfully fulfill their missions.”
To help facilitate security information sharing across the globe, IACI developed initiatives that will help organizations understand and use information sharing standards and legal frameworks that will vary from region to region. "We believe that by clearly defining what makes for a good ISAO, that will make tying liability protection to sectoral organizations easier and more accessible to the public and to privacy and civil liberties advocates," said Michael Daniel, President Obama's Cyber Coordinator.
IACI’s member ISAOs receive assistance to understand and participate in information security risk mitigation efforts. The IACI says it will help members form ISAOs, meet ISAO standards, successfully certify themselves, and manage memberships, and will provide technical support in managing cyber threat intelligence indicator sharing programs and technologies, as well as access to IACI’s global threat intelligence and incident response platforms.
“Certifications will show that ISAOs meet given levels of function,” said Blask. “This could be as simple as your ISAO adheres to all or some of the ISAO SO guidelines, for example. IACI's role is not to develop certifications or to necessarily perform certification compliance reviews, but to provide ISAOs a unified voice in accepting, rejecting, or influencing standards and certifications. IACI also, like many industry associations, allows members to perform group functions and provides mutual support. Sharing information among ISAOs, sharing practices, working collaboratively with common partners.”
Many small or new ISAOs don’t have the scale or the ability to provide many of those core ISAO functions for themselves, explained Blask, so the internationally focused IACI can do these tasks on behalf of ISAOs so that the ISAOs can focus on the security needs specific to their membership. “Running intelligence infrastructures, building community collaboration platforms, and nonprofit administration are things that trip up ISAOs all the time,” he says.
Another interesting aspect here is helping industry associations to become ISAOs. “Industry associations can be ISAOs, and IACI can help them. They already exist and have the membership and the organizational infrastructure in place, all they need is to layer on the ISAO capabilities. This accelerates the creation and maturation of ISAOs broadly,” he said.
Gene Fredriksen, National Credit Union ISAO Executive Director/CEO, said the IACI was crucial in the formation of the National Credit Union ISAO. “Without IACI support it would have taken us much more time and resources to start serving our members. We have benefitted from those who have come before us and haven’t had to reinvent the wheel. We now feel like we are part of a worldwide community leveraging the expertise of our peers to accelerate the maturity and growth of the NCU-ISAO,” said Fredriksen.