Part 2 on ISAO 200-1: Foundational Services and Capabilities

As a continuation from “Part 1” of my blog on November 30, 2017, I want to share my views on ISAO certifications. To be completely up front, I am 100% in support of certifications. I come to this position from having helped start and run a brand new ISAO. First, based on my personal experiences, I recognize the value and importance it brings (and would have brought to the Indiana ISAC), having a third party come in and validate what we were doing. It is one thing for an individual to declare they are an expert. It is a completely different thing when a third party makes that declaration. I think most people would agree that the process of certification and accreditation is a recognized method for verifying and validating one’s ability to demonstrate they can meet established criteria. It is my opinion that these certifications will bring value to new and emerging ISAOs.

If we are talking honestly, with no political biases or personal organizational gain and other motivations from getting in the way of the conversation, we have to ask ourselves: “What harm is there in providing new and emerging ISAOs with an avenue to be certified?” and “What are the real consequences, issues or concerns of having a voluntary certification program through the ISAO SO?” Having been a part of several discussions on this subject, I’ve done my best to view things from everyone’s perspective. Even now, I try to view the problem at its core, before addressing any of those things that complicate the issue. I keep coming back to a few questions I posed in the days after the ISAO SO announcement:

As the ecosystem grows, what mechanism(s) or criteria will new and emerging ISAOs use to create a list of ISAOs they would want to engage with?
How will established ISAOs/ISACs know which new and emerging ISAOs to trust and to engage with?
How will organizations outside of the ISAO ecosystem know which ISAOs to trust and to engage with?
If certifications aren’t part of the answer, what other solutions would work to address the scaling, cost and efficiency concerns (outside of those potential solutions already mentioned)?

I’m glad to see that other individuals and groups have publicly proposed realistic alternatives in the last few weeks. I hope more members of the community come up with equally thoughtful suggestions for viable alternatives or complements to ISAO certifications.

To get to the heart of the conversation, I want to address a couple of the biggest arguments against ISAO certification. The first argument is that certifications were not specifically addressed in Executive Order 13691 (EO). After reading through the EO a couple of times, it is my opinion that this process is at least within the spirit of the EO, as certifications will help strengthen and mature the ecosystem (as directly mentioned in the EO). More to the point, I feel that certifications would be covered in Section 3 of the EO. This section states: “The standards will address the baseline capabilities that ISAOs under this order should possess and be able to demonstrate.” The key term in this sentence is demonstrate. One of the key pieces of the proposed certification process is that an ISAO has to demonstrate their services and capabilities. Additionally, Section 3 states, “These standards shall address, but not be limited to, contractual agreements, business processes, operating procedures, technical means, and privacy protections, such as minimization, for ISAO operation and ISAO member participation.” In my opinion, the ISAO SO and the community are charged with coming up with other means and are not limited to those items specifically mentioned in this section of the EO. Again, it is my opinion that a certification process will meet the criteria of addressing the baseline capabilities of ISAOs, and therefore the ISAO SO’s initiative is authorized by the EO.

Another major point that has been discussed is trust. I think we can all agree that trust is a major requirement for the health of the ecosystem. There are those who claim certifications build trust. Will certifications be the be-all and end-all for establishing trust? No, no it won’t. These certifications are just one of the mechanisms to build trust. Allen Shreffler raised some good points about how certifications build trust in his blog post To Certify or Not To Certify a couple of weeks ago, so I won’t reiterate those points. One of the main solutions proposed for building trust within the community are face-to-face meetings. Though face-to-face contact can be a very effective means of building trust, it does not scale well, it takes a lot of time, it can be extremely costly, and it is not very efficient. The face-to-face only solution does not give new and emerging ISAOs a way to easily narrow down the number ISAOs in which to create a meaningful and useful prospect list. For a new and/or emerging ISAO, money will almost certainly be a concern. Meeting with dozens or hundreds of ISAOs just to create a prospect list doesn’t seem to be practical, effective, or the best use of limited funds. To me, it makes better sense to have a way to filter a list of established ISAOs without having to do some sort of speed dating. In my opinion, limiting the number of solutions, especially one that is designed to take years to implement, only benefits those that are already established. Requiring time-consuming and face-to-face meetings creates a barrier to entry. I am all about the free market, and I feel that anything that creates competition in a market where there is little to no competition is a very good thing for everyone.

I belong to a couple of fraternal organizations, including a college fraternity. To be a member of these organizations I had to meet a certain set of requirements, as all of the members had to do. When I’m meeting someone for the first time and discover that they’re part of my organization, I know that we have a common interest. We may have never met previously, but the ability to establish trust happens more quickly than it would otherwise. The same can be said about how we approach professional certifications and accreditation in the business world. When we share a common interest, or have to go through a similar set of processes, that creates a shared experience. Through that shared experience, trust between two people or organizations can begin to form. This is how I see ISAO certifications enabling trust within and outside of the information sharing community.

In conclusion, I see the establishment of trust mechanisms as an opportunity for the community to grow, not as a challenge that will hold us back. My hope is that we can put aside politics, biases, or fear so we can do what is truly best for the information sharing community, our states, local communities and for the Nation. As Working Group 2 works through the adjudication process on ISAO 200-1: Foundational Services and Capabilities, I look forward to our conversations and discussions and how they might relate to certification. I imagine that they will be lively, thoughtful and, at times, intense. I wholeheartedly believe those engaged in this conversation want to do what they think is best for the information sharing community and nation. I also believe we can come up with a solution or solutions that most people will be comfortable with.

Nick Sturgeon

About author

Nick Sturgeon is the Security Operations Center Director for Pondurance LLC, an Indianapolis based cybersecurity firm. Nick is a 2003 graduate of Indiana State University with a B.S in Management Information Systems, a 2015 graduate of Purdue University with a M.S in Cyber Forensics, and a graduate of the 67th Indiana State Police Recruit Academy. After graduating from the ISP Academy, Nick spent eight years serving as an ISP Trooper in multiple capacities and two years managing the IN-ISAC. Nick is also an Instructor with the University of Texas San Antonio, where he will be teaching Information Security to SLTT government officials.