Why are we still talking about cyberthreat information sharing? It is not a controversial topic. Cybersecurity professionals almost universally support increased information sharing. Scores of reports have endorsed the concept, and government policies promote the idea. Entire organizations exist to enable it. In fact, the consensus on information sharing is remarkable for its consistency and durability. Yet, despite this consensus, the level of cyberthreat information sharing remains insufficient. Clearly, if everyone agrees that we should do something, but many organizations do not, we need to examine the impediments to action more closely. Most importantly, we need to think about the topic differently.
This paper, “The Business Imperative of Cyber Information Sharing for Our Collective Defence”, provides such an alternative perspective. Critically, it does not make the case for information sharing based on altruism or patriotism or on technical grounds – traditional arguments for increased sharing. Instead, it makes the case based on economics. In today’s world, if a business wants to thrive (or even survive), then it must successfully manage its cyber risk. In turn, effective risk management requires cyberthreat information sharing. By tying information sharing to a business imperative, this paper uses a language that business leaders understand and regularly act upon.
Of course, legal issues, cultural barriers and an unclear return on investment can still hinder sharing even if business leaders recognize the imperative. This paper also addresses these problems. It lays out a practical, three-step method for overcoming the barriers to sharing, focusing on the organizational structures needed to make sharing practical and acceptable. Following the paper’s framework will enable businesses to change their behaviour and increase their sharing to meaningful levels.
Businesses need to adopt the paper’s framework because increased information sharing at the organizational level creates multiplier effects across the digital ecosystem. For example, several organizations have come together through the World Economic Forum Centre for Cybersecurity to support a project called the Cybercrime Atlas. This effort combines information from widely disparate sources to develop a better picture of the cybercrime ecosystem, from malware development to distribution networks to money flows. The different “maps” or views derived from the shared information will enable the much more effective disruption of malicious cybercriminal activity. Without the underlying shared information from multiple sources, the project’s analysis would not be possible.
Information sharing will never be easy. It will always require sustained resources, commitment and support. However, once businesses get into the habit, once this practice becomes the norm, we will wonder how anyone ever functioned any other way. Then, we can finally start managing our cyber risk effectively – and stop talking about cyberthreat information sharing.