ISAO Standards and Cybersecurity Collaboration: One Year Later

It’s been 58 weeks since President Obama issued the Executive Order for the formation of the Information Sharing and Analysis Organizations (ISAOs). This vital order calls for “private companies, nonprofit organizations, executive departments and agencies, and other entities” to “share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible”.   

Also in 2015, the Verizon Data Breach Incident Report (DBIR) estimated that 40% of attacks hit a second organization within an hour.

So, in 2015, President Obama encouraged sharing and collaboration, and Verizon made the case for doing it.  




It’s 2016. Where are we now?

The Department of Homeland Security awarded a Cooperative Agreement to the University of San Antonio (UTSA) with support from the Logistics Management Institute (LMI) and the Retail Cyber Intelligence Sharing Center (R-CISC) to develop best practices and standards for the formation of ISAOs.  Six working groups were formed, and work efforts are well under way.   

I had the good fortune to attend the ISAO Standards Organization (SO) workshops in San Antonio, Texas a few weeks ago, and I’m happy to report that pace is picking up. There is a real energy and focus by the participants that comes from a common sense of purpose and urgency.  ThreatConnect contributed several best practices and templates during the ISAO SO data call back in December, and we are currently participating in the Security and Privacy working group.

By the way, it’s not too late to join the ISAO SO efforts! Most of the working groups are in their second or third round of reviews, and would welcome input and comments.  To learn more, please visit the DHS ISAOs webpage.)                                                                                          

This is good.  Actually, it’s great.  But, let’s not get ahead of ourselves. Think about that statistic from the 2015 Verizon DBIR for a moment:  

40% of attacks hit a second organization within an hour.

This is mind boggling. It proves that we can’t afford to wait to form ISAC and ISAO Communities to facilitate cybersecurity collaboration. A more traditional, conservative approach would be to develop the standards and best practices first. In this case, waiting is not an option.

At ThreatConnect, collaboration is what we do. Our platform was built for it, our Research team shares intel best practices with our users daily, and we have Community success stories that prove the value of human collaboration.

We are working with several ISAC and ISAO partners, and have more than 50 Communities on our platform – some are public, while others are private. Many of our Communities have operated for a couple of years now, and our oldest ISAC/ISAO partner has been operationally using a ThreatConnect Community for about 18 months. Our four month old SANS DFIR Alumni Community crossed it’s 500 member mark last week, and we just welcomed a new Agriculture (ISAO) Community to TC Exchange.

If you are looking for an ISAC or ISAO Community, or are an ISAO/ISAO looking for a threat intelligence platform, let us know.

After all, 40% of attacks hit a second organization within an hour.  

What are you waiting for?


About the Author

By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at