As a military member for 32 years, I moved every 1-2 years. I was constantly trying to find a mechanic who was competent and wouldn’t try and rip me off. Owning five cars, with the newest being a 2012 model, I’m often at an automotive repair shop for either a service or vehicle repair. How do I know where to go? Sometimes I use word of mouth, trusting the word and experience of others. However, how do I know those who are making the recommendation aren’t getting ripped off? At the end of the day, I look for Automotive Service Excellence (ASE) Certified mechanics. Why? Because I worked with mechanics in the Army, and those who were certified by ASE knew their stuff! Those who worked on Army vehicles without their certification were under the supervision of those who had their certification. Why? Because the certified mechanic met an objective criterion, a standard.

Why wouldn’t I want certification in the information sharing business? If I am new to the cybersecurity information sharing community, should I trust someone just because they say they are good at what they do? Should I trust an ISAC or an ISAO just because someone else does? How do I know those who are part of a particular ISAC or ISAO know what they are receiving is of any value? Trust comes from experience, but it can also be bolstered by third parties who verify that a set of criteria is met, called a standard. Should we simply trust people and entities just because they say to? Maybe. Heck, I’m a great guy. Just ask me.

Colonel (RET) Allen Shreffler
LMI, Senior Cybersecurity Consultant