The Cybersecurity Information Sharing Act (CISA), which is a proposed law to increase information sharing about cybersecurity threats between companies and the U.S. government, is on its way moving through the Senate (an 83-14 procedural vote on October 22 indicated strong support). While the premise of the bill is good (shares information between corporations and the federal government on cyber threats and protection methods to reduce large-scale attacks), if passed, it would add complexity to companies impacted by the bill (think Twitter, Apple, Yelp). Personal information, which we all know is a touchy subject when it comes to cyber-attacks, is to be excluded in the information sharing between companies and the government. Where complexity is added is securely separating the personal information from the threat intelligence before the sharing begins. In other words, making sure our personal information is not sent out en masse. This is where consulting has a chance to shine.
New and changing regulation has been adding to companies' headaches for years now increasing over the past few years as cyber-attacks escalate in size, frequency and sophistication. Consulting firms with expertise that spans business, technology and cybersecurity (e.g. The Big Four, Accenture, Mandiant and Optiv), are poised to play a key role in helping companies establish methods and make IT investment decisions to enable select information sharing in a secure manner (as would be called for with CISA). Similarly, there is consulting opportunity on the government side – once the U.S. government has this information, how will it securely share it across relevant government agencies in a timely manner? Consulting firms with deep cybersecurity and U.S. government proficiency (e.g. Booz Allen Hamilton, CGI, CSC, Deloitte, KPMG, PwC) are well positioned to partner with the government to help sort out the details (processes, IT, cybersecurity measures) to facilitate secure information sharing within the U.S. government.
