The Internet Security Alliance (ISA) is an international, multi-sector trade association founded in 2000 and focused on cyber security. ISA’s mission is to integrate advanced technology with economics and public policy to create a sustainably secure cyber system. ISA is unique in that it is structured as the internet is, on an international and cross-sectoral basis. Although it is structured as a trade association, with corporate rather than individual memberships, many view ISA as equal parts think tank, trade association and professional association. ISA has three major goals:
- To generate thought leadership in the field of cyber security,
- To engage in policy advocacy,
- To develop and promote sound security practices for public and private organisations.
ISA’s President and CEO is Larry Clinton, who is based outside Washington, DC, USA. ISA’s European operations are managed by Richard Knowlton, the former Global Director for Security at Vodafone. Mr. Knowlton currently resides in Italy.
Noting that while there is a great deal of activity in cyber space there has been comparatively little overarching thought to guide this activity, ISA attempts to construct a coherent approach to the issue that ties together its thought leadership with its policy advocacy and best practice development. ISA seeks to develop programs that are scalable across industry sectors and across nations. For example, ISA believes that the traditional governance model, with centrally determined government mandates applied to industry, is ill-suited to address cyber attacks because both the technology and attack methods change too quickly for the traditional regulatory apparatus to manage. Moreover, mandating outdated methods to meet compliance regimes diverts scarce cyber security resources to compliance programs with minimal effect. Instead, in 2008 ISA developed an alternative approach modelled on the Social Contract.
The ISA Social Contract calls for collaboration between industry and government to determine which best practices and standards are worthy of adoption. Industry is motivated to voluntarily adopt cost-effective practices consistent with its own unique cyber threat assessment, and government motivates additional practices beyond what is commercially viable by providing market incentives. In addition to outlining a creative model for addressing the 21st century cyber threat, ISA has developed specific legislative proposals and worked to identify specific standards and practices worthy of government incentives, thus tying together its thought leadership, policy advocacy and pragmatic practices. In 2008 ISA first published its Social Contract model.
In 2013 President Obama adopted this model as USA policy. In 2014 the Cyber Security Council of Germany, working with ISA, adapted the model for the EU. In 2015 the USA enacted the first legislation fully implementing this model. This legislation encourages voluntary sharing of cyber security information incentivised by liability protection for entities that share. This stands in contrast to the current EU model of mandatory information sharing and substantial penalties for non-compliance. ISA is currently seeking to align western European policy with the Social Contract. ISA also does substantial work to enhance enterprise cyber security. In 2014 ISA created the first ever Handbook on Cyber Risk Management specifically designed for corporate boards of directors.
The ISA Handbook, published by the National Association of Corporate Directors (NACD), advocates that corporate boards understand cyber risk in terms of the everyday business decisions they make, such as mergers, acquisitions, innovation and new product development, and provides guiding principles for boards to better understand the issue from a business perspective. The Handbook concludes with detailed specifics as to what boards need to do within their own space to better manage cyber risk and advice as to how boards can more profitably address these issues with senior management. The Handbook concludes with specific questions for boards to ask and dashboards for them to use in managing cyber risk. This is another example of how ISA coordinates thought leadership with coherent policy advocacy, including specific practices to successfully implement the program. The Handbook has been widely endorsed, including by the International Auditors Association.
In the PricewaterhouseCoopers 2015 Global Information Security Survey, PWC reported that the Handbook had fundamentally altered the way corporate boards understand cyber risk and had led to a substantial increase in funding for cyber security, improved risk management and the development of a culture of security in the organisations that are using it. ISA is currently working with the European Confederation of Directors Associations to create a version of the Handbook for corporate boards specifically tailored to EU law and culture. ISA also offers a service, provided in conjunction with the world’s second largest law firm, DLA Piper, that tracks cyber security laws and regulations across 21 world markets, including a mapping of the standards embedded in the laws and regulations. This “Cyber Trak” service saves both time and money in managing the ever-changing legal/regulatory landscape in world markets and cuts down on individualised legal services.
To contact the Internet Security Alliance, visit www.isalliance.org