The Gnarly Nine: How to Make Sure Your ISAO Is a Success

April 20, 2016
Partners with Purpose: Post by Bruce Bakis

In this post, I’m going to introduce you to the "Gnarly Nine." That’s what we call the nine top strategic challenges that must be tackled by any aspiring cyber information sharing volunteer partnership. The G9 represent the essential elements in what will become the business plan for the consortium.

MITRE has guided and built many of these consortiums, particularly in the area of cybersecurity, including the Advanced Cyber Security Center and the Northeast Ohio CyberConsortium. We've found that every new information-sharing partnership wrestles with the same set of difficult questions. Whether you’re in Cleveland, or Boston, or Singapore, you’ll face the same issues with staffing, seed funding, and membership vetting. How you address these universal challenges can make or break your consortium's success.

Here’s a quick overview of the Gnarly Nine to help you know what you're up against.

1. What is the essence of the consortium?

Identify the consortium's short, mid, and long-term mission. For example, short term might be sharing cyber threat indicators and defensive measures. Mid-term: conduct research and development collaboratively. Long-term: Engage in regional economic development.

2. What are the implementation milestones?

Develop a high-level plan that matches up with your missions that includes specific milestones at each phase.

3. What information will be shared by members and how will it be shared?

Determine what information will be shared by whom, for whom, and for what purposes. Other considerations include defining the appropriate level of sensitivity, whether the information will be attributed or anonymous, and if it will be used for tactical defense or strategic decision making.

4. What is the consortium's value proposition?

Establish a value proposition that sets the consortium apart to encourage potential members to commit resources, time, and effort. Determine what services the consortium will provide for its members.

5. What is the membership criteria and composition?

Decide if membership will be based on location, sector, event, or type of threat. For example, will it be capped or unlimited? Is there a vetting process for membership?

6. How can members trust the consortium to safeguard their sensitive information?

Look for a trusted, independent, third party to manage operations. Determine the appropriate controls. Create platforms and mechanisms for building trust among members, such as institutional and individual nondisclosure agreements.

7. How does the consortium fit into the local, regional, and global cyber ecosystems? What are the roles of government and law enforcement?

Determine who has access, under what circumstances information can be shared or used outside the consortium, and define the consequential obligations.

8. What is the consortium's leadership and governance?

Identify key stakeholders and their roles. Consider the benefits of organizing as a non-profit. Develop a plan for selecting a board of directors, creating steering and sub committees, and for staffing.

9. What is the consortium's financial plan?

How you address the other eight questions will drive your financial plan and your financial plan will affect how you address those questions. Explore seed funding and grants to get started; without it, you'll have to start small, lean heavily on member in-kind contributions, or jack up membership fees. Determine fee structure for founding members and other membership categories, including sponsors.

In coming weeks, I will address each gnarly challenge one by one with more detail and instructions—to help ensure your consortium's success.