To begin with, it’s important to understand what we mean by the term community.  “Community” is used in different ways and can mean different things. One common use is when discussing a group of individuals or organizations with similar interests. The group would be termed a “community of interest”. Another use of the term is in relation to a specific geographic region – a city for example. We are referencing this second definition when talking about a Community ISAO.

We also need to define an ISAO. The acronym, ISAO, stands for an Information Sharing and Analysis Organization. It is a group of individuals with a common characteristic who have come together to share information on cybersecurity in order to better protect the entire group. This common characteristic that can bring them together might be, for example, members of a specific sector (such as energy, oil and gas, water distribution or financial services). Another characteristic, as referred to in this article, might also be the fact that they all reside in a given geographic region (such as a city or state).

So, given these two definitions and how we are using them, a Community ISAO is a group of individuals and organizations that reside within the boundaries of a city/town that have come together to share and analyze cybersecurity information to improve the security posture of the entire community. To further clarify, we are also referring to the whole community – not just the city government and the critical infrastructures. These are certainly important elements of any community, and initial efforts to secure a community from the negative impact of cybersecurity events might very well begin with these entities. We, however, include all other elements within the community whether they are from academia, industry or the general citizenship.

Some may wonder whether it is important to consider industry and the citizens in a Community ISAO.  There are three main reasons we consider them important elements. To begin, an attack may first hit industry or academia before it hits the city government or critical infrastructures. Having all members of the community participate in an ISAO may provide early warning of an attack to other members who might then be able to prevent or mitigate the attack on themselves.

Second, as has been seen during the current COVID-19 pandemic, having large portions of the industry sector not operating can have a severe impact on the economy of the nation – or a state or local jurisdiction. Having individuals out of work will have a negative impact on an area’s economy. Third, it is important that local businesses are adequately securing their computer systems and networks so that a community member’s financial or personal information, given to a local business, is being protected and their information is not stolen.

An important question concerning Community ISAOs is “What information might the ISAO share?”  Obviously, information about cybersecurity attacks or incidents is an important element as sharing this information can potentially prevent organizations within a community from being hit with the same or similar attacks. Sharing this same information with the state and the nation (through entities such as the Multi-State ISAC) is also important because what is happening in one state may be happening, or may soon happen, in other states. Within the state, two organizations to work with in terms of information sharing are the Texas ISAO and the CIAS-ISAO. It is not just information on incidents, however, that can be shared. Training programs, best practices, awareness ideas and cybersecurity tips can also be shared and help raise the level of preparedness for all members of the community.

This may seem of interest to you, but you may find yourself asking “But how do we get started?” A very important fact to remember is that you do not need to be immediately doing the same things that very robust information sharing organizations (such as the MS-ISAC or the Financial Services ISAC) engage in. Remember that it took years for these entities to get to their current level of maturity.

Your first steps can be simple and your sharing of information very basic. First, the important thing is to just get started.

For example, a tabletop exercise to help make city leadership aware of the potential impact a cyber-attack could have on the community might be one way to start. The Texas Department of Information Resources (DIR) provides tips and possible scenarios that can be used by a community to conduct a simple exercise. The CIAS-ISAO also has several years of experience in conducting both state and local cybersecurity exercises and can provide guidance.

Another simple step is to bring security-interested individuals within the community together on a regular basis, such as monthly or quarterly. One member of the group can host the meeting at lunch, and they can pick a cybersecurity topic to discuss and have a presentation on. The next time, another member can host the event and speak on a different topic of interest. There is no membership fee required to do this; you just come together to talk about cybersecurity over lunch. Eventually, members will get to know each other better and soon you will find that the community has a group of cybersecurity professionals that are willing to work together if an event occurs.

As an aside, if you start with something like this, you have actually formed an information sharing organization and you are on your way! One more simple step the community can take is to form a cybersecurity advisory group for the mayor/city manager. Local officials will then have a body of individuals they can turn to should a cyber event hit the community. They don’t have to search for subject matter experts, they will already know who they can turn to.

These are three simple steps that can be taken to start establishing a community-wide cybersecurity program and a Community ISAO.  There are many other things that can be done, many of which are no- or low-cost options.  For more information on this subject, don’t hesitate to contact the CIAS-ISAO or the TX ISAO.