I’ve long been a proponent of sharing information about breaches and insecurity with our peers, so I liked a recent post by Adam over at New School… “Breach disclosure and Moxie’s Convergence.” There are two main takeaways for me.
First, if we don’t disseminate information, we can’t make breakthroughs like the one described for Comodo and Moxie. And no one else will learn from the mistakes of others, or from the triumphs of others after those mistakes.
Second, while it is important to “share” information, especially amongst our peers (in a possibly controlled environment), it is a step further to actually be able to “publish” that information instead. For instance, it’s one thing to attend Infragard with an actual or merely understood NDA in place, but another entirely to let the world know the information so that anyone can act on it.
While I will still always say we need to “share” information more, I’ll definitely have to keep in mind that the spectrum of sharing does have different meanings to others. The spectrum would look something like: private -> shared with a few -> shared with quite a few -> published. As long as we can share, it’s good, but it gets better as you move along that spectrum toward publishing.