Sharing Vulnerabilities

Sharing Vulnerabilities of Your Organization

Under what conditions would you, or can you, accept the risk of sharing vulnerabilities online about your organization’s cybersecurity posture?

Would you share this information for a $25 Starbucks Card?

OMG! As I am writing this, I received an unsolicited questionnaire which promises me a $25 Starbucks card if I fill it in. The company looks legit. They will give you another $25 if you call them and talk to them.

There are a plethora of surveys being pushed to us on a regular basis to gather data regarding the vulnerabilities of organizations by sector, size, criticality, supply chain etc.

Observation:
None of the surveys I’ve seen ask two important questions before you fill in the survey:

Does your organization have a policy in place for sharing information about how you care for information and the state of your security?

Do you have permission to provide this information?

Recently I asked a high-level person within our federal government who is responsible for such a survey why they didn’t ask the above questions.

The response troubled me. It was not, “We didn’t think about it, thank you for bringing this to our attention Charlie. We will consider this for future surveys. It would be a valuable piece of data.”

The response was: “It isn’t our responsibility, we are just trying to find hard to get data and besides, we keep it secure.” Think about that for a moment.

The above two questions have a latent function of teaching awareness. How many people responding asked themselves the same thing? How many put themselves in a position of violating corporate policy?

Who are we willing to share this information with? 

After all, it’s fun to share, right? How about business partners? Insurance companies? Colleges? NIST? DHS? Even internally?

Example: Imagine you are a small business applying for cyber insurance to protect the sustainability of the business. You are performing due diligence and contact four insurance companies. Each asks you to fill in a questionnaire of 60 or more questions so that they can determine risk. What happens to the information given to these companies? Who has permission to share it? Do you really need to?

I am interested in your experiences and guidance.