Boston—Cybersecurity experts and those new to the space gathered at the Federal Reserve Bank to join the Advanced Cyber Security Center (ACSC) for Massachusetts Cybersecurity 2.0: Preparing for the Next Wave of Cyber Challenges.

Whether it’s securing self-driving cars, cloud computing, or exposing criminals in the Darknet, the industry will face many challenges in the near and distant future. Cybersecurity leaders across all sectors are struggling to understand the most effective ways to share threat data without creating additional harm.

So, this year’s ACSC conference focused on the value of using information sharing as a means of helping others to defend against malicious cyber activity.

After a welcome by Kenneth C. Montgomery, first vice president and chief operating officer, Federal Reserve Bank and vice chair, ACSC, a panel took the stage to discuss, “The case for collaborative defense: Beyond threat sharing.”

Moderator William Guenther, chairman, CEO and founder, Mass Insight Global Partnerships, and chair, ACSC, posed the question of how collaboration can benefit security practitioners before, during, and after an incident.

Across all of the larger enterprises and government entities, there indeed are some fantastic intelligence teams. Those intelligence teams and operations teams could be beneficial to the industry at large, and to the SMBs in particular.

Still, there are legal impediments to collaboration and information sharing that need to be considered. “The better educated legal teams can be, the better they are going to understand the liability of risk,” said Michael Darling, director, cybersecurity and privacy, PwC.

For most events, there is not a lot that can help in the middle of an incident response.
“If you did a good job of the proactive piece, then your incident response time shrinks to minutes or hours instead of months or years,” Darling said.

Keynote speaker Richard Puckett, vice president, cybersecurity, product and commercial security at GE Digital, said that security practitioners have two goals. “Either make incidents not happen or make them less bad.”

Accepting that incidents will happen has become commonplace, so the best they can do pre-incident is a thorough self-examination. Look at the existing controls and policies and ask, “Have I segregated? What are the best practices associated with that? In the pre-incident phase, there is forensic sharing to help with understanding techniques,” Puckett said.

Differing slightly from the opinion of his panel colleagues, Puckett said, “During an incident there is an opportunity for shared purchasing power. Can you make it cheaper because you have a prearranged retainer and you bought it in bulk?”

Where collaborative defense has great value, though, is in the aftermath of an attack. After discerning not only the ‘what’ but the ‘how’ of the events, the response can then serve as a model to guide industry peers within or across sectors.

“Now that the incident is done, how does one member’s response become everyone else’s protection? What led to the incident and how can we share information and intelligence to help protect others?” Puckett said.

Taking the opportunity to discuss major headline breaches can be enormously fruitful, but the barriers to information sharing often result in security teams getting stuck in ‘no’, instead of ‘how’, the panel said.

“Asking, ‘What would happen if that happened to us?’ while walking through more publicized breaches helps them get to the ‘how’,” said Puckett.
The focus then shifts from resistance to active engagement of internal and external partners across organizations and supply chains.

“Information sharing doesn’t just happen within the people at the company. They can have forums of human resources professionals around a breach. Open it up to the broad community,” said Michael Papay, vice president and CISO, Northrop Grumman.

The broader community, which extends far beyond the four walls of the corporation, is often the weakest link that sits beyond the control of even the most sophisticated defenses. Puckett asked rhetorically, “What do we do about everybody else? How do we think about mid-sized firms in terms of collaboration?”

Where the digital world is interconnected in the most complex and sometimes convoluted ways, determining the trajectory that data travels, with whom it is shared, and how it is stored can be cumbersome at best. That’s why the big guys have to be sharing with the little guys. They have to strengthen what is often their weakest link.

Enterprises have a duty, not only to others but to themselves, to help out the little guys. “The bigger organizations are plowing away, and there is a corporate and social responsibility to give back by lending either knowledge, experience or expertise,” Puckett said.

As the larger organizations have a duty, so too do those SMBs, who need to actively look for guidance and instruction rather than run ahead toward things like cyber intelligence that will likely result in alert overload and yield little actionable intelligence.

“The only thing we can do is look for things that scale,” said Papay. “A synchronous teaching tool that we can record once and push out many times.
We have to get smarter by levels,” Papay continued.

While there is indeed a need to look at defense from a compliance perspective, “The DOD can’t go in and say, show me that you are compliant. They don’t have a contractual relationship with those second tier, so larger organizations worked to put together a single compliance checklist at the top level,” said Papay.

But what happens as they move down to the next tier of suppliers? In order for them to trust that the second tier suppliers are able to effectively evaluate the third or even fourth tier suppliers, there need to be some clear regimes about role responsibility.

“I do feel like there are some practical regimes that can be put in place. There is a little bit of responsibility to help influence the thinking about defense, not just the standards. What it comes back to is good breach management. We have to be teaching them to think about the ‘how’ because that’s what gets them out of the compliance mindset,” Puckett said.

One additional hurdle is deciding just how wide of a net to cast when determining with whom information is shared. “When you think about how you want to organize, whatever sector you are in, you need to decide whether you are organizing because of the commonality of issues in your sector or by geography because of the commonality of relationships. There is a value proposition at each layer,” Darling said.

If decisions are guided by outcomes, Darling continued, they have a clearer understanding of what they are trying to do, what they are protecting, and what sensitive issues they have to deal with. Everything comes down to value proposition.

While there are barriers to sharing cybersecurity information, including regulatory requirements, legal implications, and impact on reputation, Guenther said, “Collaborative defense is here to stay.
Large scale sharing has value, but we also heard about false positives, so the power of small groups is still a credible operating thesis.”

Before diving head first into a collaborative defense community, security teams need to build their networks with a purpose. They should first understand the objective, then consider what they are getting out of it, and they must also have a plan for how to measure success.