When It Comes To Cyber Threats, CIOs Don’t Like To Share

Cyberthreats are something that CIOs don't like to talk about
Cyberthreats are something that CIOs don’t like to talk about
Image Credit: UK Ministry of Defense

By now we all know that our firms are under an almost constant set of attacks from a wide variety of outsiders because of the importance of information technology. Some of these attackers are simply children who are just fooling around with their computes and are trying to see how far they can get. However, other attackers could be organized criminals or even state sponsored hacking teams. As the person with the CIO job, it’s your responsibility to protect your company from these assaults no matter where they come from. Is it time to go outside the company in order to get some help?

We’re From The Government And We’re Here To Help

So the way that this story gets started is when the U.S. Government proposed legislation that is intended to encourage the sharing of cyberthreat information between the government and companies in the private sector. On the surface, this seems like a great idea. In order for firms to make sure that they don’t get surprised by hackers slipping in through their back door, they first need to fully understand what the threat is. You would think that if the government talked with everyone, then they’d be able to make sure that everyone knew what kind of threats they were facing.

One of the biggest questions that this new legislation brings up is simply “who goes first?” Both the government and business already have information on a wide variety of different cyberthreats. However, it’s not quite clear who is going to open up and start sharing first. CIOs believe that it is the responsibility of the government to be proactive and start to share first.

What the government is proposing is that firms share their cyberthreat information with the government’s Department of Homeland Security. This organization would then share the information that it had gathered with both other government agencies and private-sector information-sharing organizations.

Why CIOs May Be Cautious About Helping The Government

Although the idea of sharing cyberthreat information with the government seems like a good idea, CIOs are right to be cautious. Right now CIOs generally don’t share too much information on this topic. Instead, they are just a bit shy and don’t like to share too much.

The reasons that the person in the CIO position may not want to share cyberthreat information with the government are many. They include that this information could place their firm out of regulatory compliance. Yes, they’d like to share information but not if it’s going to harm the company. Additionally, there is a concern that sharing the information will result in proprietary information being shared with their competition. Finally, if a company reveals that it has been attacked, there is always the possibility that they will be opening themselves up to some sort of a retaliatory attack.

There is another reason that some CIOs may be hesitant to share cyberthreat information with the government. CIOs are not convinced that the information that the government will be sharing with them will be valuable to them in helping to improve their company’s security. An additional challenge that CIOs would face if they decided to share information with the government would be that they would have to scrub the data that they shared. All personal customer information would have to be removed. This is an added expense and yet another way that a company could have an unintended information leak.

What All Of This Means For You

Unfortunately, along with the CIO position comes the additional responsibility of keeping your company safe from all of the people who would like to do it electronic harm. You can’t be sure how many people are trying to break into your network or what level of sophistication they have.

Instead, what you need to consider is going outside to get some help. The U.S. government recently stated that they would like CIOs to be more open in sharing information on attacks on their network with them. This idea does have some merit for CIOs, but it also comes with a set of risks. CIOs are going to have to determine if sharing such information could harm the company’s reputation or cause it to be considered to be out of compliance.

When we try to deal with the complicated nature of the increasingly sophisticated attacks that are being launched against our networks, we need to have as much information available to us as possible. The U.S. government wants our information so that they can help other companies. CIOs should participate in this program; however they are going to have to very carefully plan what information they are going to share and when.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: Do you think that you should ever share Cyber Threat information directly with competitors?

Click here to get automatic updates when The Accidental Successful CIO Blog is updated.

P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!

What We’ll Be Talking About Next Time

The person with the CIO job understands that the because of the importance of information technology, the role of the IT department is to support the rest of the company. The challenge for the longest time has been how exactly to go about doing this. Over the past few years, the interactions between the IT department and other departments has been increasing; however, there is still a gulf between the two groups. Innovative CIOs have been looking for a way to bridge this divide. A few of them think that they may have found a way: embedding IT staff.