While the Defense Transportation ISAO is still taking form, our discussions highlighted several issues that may be of interest to other emerging information sharing and analysis organizations:
1. Clearly communicate the value propositions. (No, the plural wasn’t a typo.) This requires open discussion among key stakeholders to determine what their core issues and concerns are. Some will be shared and some will be unique. It also requires a champion who can articulate the values of an ISAO generally (improved security of members, protection of core mission/business operations, dramatic leverage of limited cybersecurity resources/sensing/analysis, etc.), as well as the proposed ISAO in particular.
2. Establish trust relationships among participants. The coin of the realm and a necessary precursor to effective sharing and collaboration.
3. Start small, then scale. A smaller group can focus more easily and will develop trust among members more easily. That said, think about possible future states and whether a single organization will grow in scope/scale, or if the community is better served through segmentation.
4. Face-to-face interactions. Yes, we live in a virtual world, but we’re humans in a virtual world. We develop shared understanding and trust much more rapidly through direct contact with other carbon-based lifeforms than through a silicon-based interface. Once trust is established, we can integrate and leverage channels, such as e-mail, listservs, portals, automated exchanges, etc.
5. Private sector leadership. If my company’s contract with your government agency includes new cybersecurity requirements that aren’t yet fully understood by government OR industry, I might be reluctant to be completely transparent in a public-private forum. On the other hand, businesses have an inherent self-interest in protecting their data and reputation. Private-sector leadership in establishing tailored, voluntary sharing arrangements that meet the needs of industry will likely lead to broader participation that will also benefit the government.
6. Learn from one another. CIOs, CISOs, and ISAC leaders all have tremendous insights and lessons to share. I learned a great deal from last week’s discussions. Likewise, those considering joining or forming an ISAO can benefit tremendously from those who have “been there, done that.”
Thanks to the Mid-America chapter of the Armed Forces Communications-Electronics Association (AFCEA) for hosting their symposium, to Mr. D.R. Kenerley of USTRANSCOM for conducting a follow-on classified cybersecurity forum, and to the National Defense Transportation Association for their thoughtful comments and engagement in support of this important initiative.