Written by Rick Howard, CSO, Chief Analyst, and Senior Fellow at CyberWire
Back in 2013, I had just taken over as the Chief Security Officer for Palo Alto Networks. Literally, I was weeks in the job, when my boss, Mark McLaughlin, the CEO, called me into his office to assign me a special project. He and Ken Xie, the Fortinet CEO, and one of Palo Alto Networks’ biggest competitors, had an idea.
The two companies were in a protracted legal dispute about some technical issue within each of the company’s products. Fortinet thought that Palo Alto Networks had stolen some of their tech and Palo Alto Networks thought that Fortinet had stolen some of theirs. Both sides were preparing to pay lawyers a metric ton of money to resolve the issue in court.
The headquarters for the two firewall companies were located close to each other in Silicon Valley; so close, that employees could engage in a rock throwing contest If they wanted to. The two CEOs agreed to sit down at a local Starbucks to see if they could resolve the legal issue themselves without going to court. On a handshake, both CEOs agreed to throw the legal case out and to instead, spend the money that they were going to give to the lawyers on something that would benefit the cybersecurity community.
Let me say that again. On a handshake, these two remarkable leaders decided to throw out a lawsuit, against their despised competitor, and do something good for the public good. That never happens, and yet, that’s what they did. Remarkable.
Their big plan was to create an ISAC, an information sharing and analysis center, for security vendors. ISACs had been around since the late 1990s for various business sectors but the security vendor sector never established one because, mostly, security vendors hated each other. For other ISACs, all participants saw the mutual benefit of sharing threat intelligence with each other because the bad guys targeted them as a group. That wasn’t the case for security vendors. They didn’t like each other, they definitely didn’t trust each other, and most believed that the threat intelligence produced by their internal teams gave them an edge in the marketplace. There was no way that they would share it with their competitors.
When I walked into Mark’s office that fine day, he handed me this tangled Gordian knot of security vendor distrust and said, “Don’t let this fail.” The very next week, I was in Singapore representing the company at some conference and I reached out to my counterpart at Fortinet: Derek Manky. Apparently, he was handed the same knot that I was handed from his boss. I suggested that we meet and discuss a way forward. Amazingly, Derek was at the same conference in Singapore that I was and we met that night for dinner. That was the start.
Through a lot of hard work from the founding member representatives, all handed their respective Gordian knots and parallel “Don’t let this fail” missions, we spent time the first couple of years building trust from the ground up while we determined what a security vendor ISAC would look like. I think the big trust-building breakthrough came when we realized that the threat intelligence we each individually collected was not the thing that was valuable to our respective customers. The thing that was valuable was what we did with the intelligence. In other words, how did we each use that intelligence to better protect our customers with our products. That was the key.
And now, seven years later and five years after forming a nonprofit, the CTA is still going and growing strong. I guess we did untangle that Gordian knot.