It’s true that too many cooks spoil the broth. But there are exceptions. For example, when it comes to IT security, nothing beats collaboration. Here, many heads really are better than one.
Martin Leuthold and Peter Reich of SWITCH are travelling to Vienna. They are responsible for the .ch registry’s information security management system (ISMS). The ISMS ensures that the registration system’s security meets high international standards. On their laptops is a list of more than 400 questions. At the University of Vienna, they’re greeted by their Austrian colleagues, and are soon followed by their counterparts from Germany and the Netherlands. Over the next two days, seven ISMS specialists from three registries will work together to intensively vet the Austrian system. At the end of this period, they will offer suggestions for measures to further improve its security and stability. While there’s time for the occasional joke, the tone is primarily serious, as befits the importance of the work. This type of review takes place in cycles and has won the CENTR award for security. No sooner has one review been completed than a date is arranged for the next – when SWITCH’s ISMS will be put under the microscope.
How did this close collaboration arise? Why do these specialists reveal their security measures and vulnerabilities to each other?
SWITCH (.ch/.li), DENIC (.de), nic.at (.at) and SIDN (.nl), the registries for the top-level domains of their respective countries, recognised that mutual exchange on security issues is extremely useful for all participants. This requires a considerable investment of time, but ultimately pays off. A registry invests two weeks and, in return, receives an objective external perspective from three expert groups.
Viewed objectively, this represents a win-win situation. At its heart, however, it’s much more than that. It should be recognised that open discussions about possible vulnerabilities can only take place if the parties involved all trust each other. From a legal perspective, this could be solved via a confidentiality agreement. However, this would not come close to producing this kind of collaboration, which is brought to life by the participants’ commitment. Trust is primarily created through collaborative work, when the tension of the technical ‘interrogations’ gives way to personal exchanges. This is when participants are able to learn about each other's lives and goals, creating the trust necessary for an open and mutual discussion.
This method creates an inter-state, inter-organisation community of information security experts with personal connections, which keeps developing professionally as members spur each other on to ever higher performance. The insight into other companies doesn’t just have positive effects on organisations as a whole, but also on their employees. The expertise developed by SWITCH is continually expanded thanks to an international network of relationships.