Active participation in an ISAO has the potential for reducing penalties if a data breach were to occur. Here is a short background on the legal framework that has been driving this cultural change in the cybersecurity industry.
Executive Order 13691 called “Promoting Sector Cybersecurity Information Sharing” was released in 2015. This order aims to encourage the formation of organizations that share information related to cybersecurity risks and the ability of these organizations to partner with the federal government voluntarily. The Executive Order states that the Secretary of Homeland Security will encourage the development of Information Sharing and Analysis Organizations (ISAOs). ISAO Standards Organizations (SOs) will create a set of standards that will encourage information sharing with and among ISAOs “to create deeper and broader networks of information sharing nationally.”[i]
The Cybersecurity Information Sharing Act (CISA) of 2015 also encouraged cybersecurity information sharing among government and private sector entities. The bill requires the Director of National Intelligence (DNI), Department of Homeland Security (DHS), Department of Defense (DOD), and Department of Justice (DOJ) to develop ways to share cybersecurity information with private entities, nonfederal government agencies, the public, and threatened entities. It also requires the DNI to report cybersecurity threats to Congress, and required the DHS to collaborate with the OMB to update government information security measures. Overall, this bill aims to improve the collaboration among governmental agencies and among nongovernmental entities regarding cybersecurity.[ii]
In October 2016, NIST released Special Publication 800-150, which is called “Guide to Cyber Threat Information Sharing.” This document emphasizes the importance of information sharing in the wake of the treats that varying types of threat actors pose. Information sharing provides many benefits within a sharing community, including the leveraging of collective knowledge and capabilities, a more complete understanding of threats, better decision making, and being able to use information from multiple sources. Organizations can then use this information to protect themselves from threats and detect campaigns that might target them. Information sharing also allows entities to access information that would have been unavailable otherwise, and the members of a sharing community might face actors that use similar TTPs or target similar information. Other benefits of information sharing the publication outlines are shared situational awareness, improved security, knowledge maturation, and ability to defend themselves faster.