One topic that comes up regularly in conversations with clients and peers is information sharing — the idea that organisations can better defend themselves by sharing what they’re seeing, learning, and experiencing during cyber incidents.
In theory, information sharing sounds straightforward. In practice, it’s complicated, imperfect, and sometimes frustrating. Yet despite the challenges, it remains one of the most important elements of effective cybersecurity — especially as attacks become faster, more coordinated, and more difficult to detect in isolation.
Why Information Sharing Is So Powerful
At its best, information sharing gives defenders an advantage. When one organisation detects a new attack technique, phishing campaign, or exploited vulnerability and shares those insights, others can prepare before they are targeted themselves. Instead of each organisation learning the hard way, the wider community benefits from early warning.
We’ve seen this work in real life. In late 2024, a state-sponsored intrusion campaign targeting US telecommunications infrastructure — often referred to as Salt Typhoon — was detected and responded to more quickly because of sustained collaboration between government and private-sector organisations. The ability to share indicators, tactics, and defensive guidance across sectors helped limit the damage and speed up response.
This kind of coordinated defence is difficult to achieve without trusted information-sharing mechanisms.
The Reality: Too Much Information, Not Enough Clarity
While sharing is essential, the sheer volume of cyber threat information being generated today can be overwhelming. Security teams are flooded with alerts, indicators, and reports — not all of which are equally useful or relevant.
This is where information sharing can help filter signal from noise. When insights are validated, contextualised, and compared across organisations, patterns emerge. Teams can see which threats are real, which are escalating, and which require immediate attention — rather than chasing every alert equally.
However, not all information-sharing channels are equally effective, and not all information arrives in time to be useful.
Government-Led Sharing: Valuable but Under Pressure
Government bodies play a major role in cybersecurity information sharing, particularly in coordinating responses across critical infrastructure and national sectors. Legal frameworks have helped encourage organisations to share threat information without fear of legal or regulatory repercussions.
That said, these systems face challenges. Legislative uncertainty, funding constraints, and staffing pressures can reduce the speed and depth of information being shared. In some cases, organisations become more cautious, slowing down the flow of timely intelligence. When sharing becomes delayed or overly sanitised, its defensive value drops.
There’s also a practical reality: government-led sharing often prioritises national or critical infrastructure concerns. This can leave smaller organisations or non-critical sectors feeling less supported, even though they face many of the same threats.
Sector-Based Sharing: Strengths and Limitations
Industry-specific sharing groups, often organised by sector, help address this gap. These communities allow organisations facing similar risks and regulatory pressures to exchange more targeted intelligence.
For example, financial services, healthcare, and energy organisations often benefit from sharing within their own sector, where threats, attack patterns, and compliance obligations overlap. These groups can provide more relevant insights and reduce noise.
However, their effectiveness varies. Some sectors are mature and highly engaged, while others struggle with participation or timely contributions. Information sharing only works when members actively contribute, not just consume.
Law Enforcement Partnerships: Helpful, but Not Symmetrical
Partnerships with law enforcement can provide valuable insight, particularly during large-scale or organised cybercrime campaigns. Information does flow both ways — but not always evenly.
Law enforcement agencies must balance sharing intelligence with protecting investigations, sources, and methods. This can result in high-level warnings rather than detailed, actionable intelligence, which can be frustrating for security teams who have already shared raw incident data.
Legal protections play a key role here. When organisations feel protected for sharing in good faith, participation increases. When protections weaken or become uncertain, sharing tends to slow down.
The Rise of Private CISO Communities
In response to delays and gaps in formal channels, many security leaders have formed private, peer-to-peer communities. These are often invite-only groups where CISOs and senior security professionals share experiences, ask questions, and exchange insights in near real time.
These communities grew rapidly during the COVID period, when in-person networking disappeared. Since then, they’ve become global, highly trusted networks where sensitive conversations can happen quickly and informally.
The strength of these groups lies in personal trust. People are more willing to share candid insights with peers who understand the pressure, context, and consequences of cyber incidents.
That said, these communities also face challenges. Platform security, concentration risk, and information sensitivity must be carefully managed. Many groups rely on clear rules — such as traffic-light-style sharing guidelines — to ensure information is shared appropriately and responsibly.
Where Information Sharing Is Heading
Information sharing isn’t going away. In fact, it’s likely to increase as:
- Cyber incidents continue to rise
- Regulatory reporting requirements expand
- Organisations recognise the value of collective defence
The challenge is quality, not quantity. Much of today’s shared intelligence remains reactive, focused on short-lived indicators rather than a deeper understanding of attacker behaviour. To be truly effective, sharing needs to evolve toward:
- Behaviour-based insights
- Identity-focused context
- Faster dissemination
- Safer environments for good-faith sharing
Without this shift, organisations risk being overwhelmed by data while still remaining one step behind attackers.
Final Thoughts
There are two persistent problems with many mainstream information-sharing models today.
The first is timing. Information that arrives days or weeks after an incident may be interesting, but it’s far less useful than intelligence shared early enough to prevent or reduce impact.
The second is structure. Many sharing mechanisms are shaped by government priorities, funding cycles, or legal constraints, which can limit speed and openness.
This is why peer-to-peer sharing — when done responsibly — is gaining importance. When trusted professionals can share insights quickly with others who face similar risks, the benefits are immediate and practical.
At CSB, we see information sharing as a cornerstone of modern cybersecurity — not because it’s perfect, but because no organisation can defend effectively in isolation. The challenge ahead is making sharing faster, more meaningful, and more sustainable for everyone involved.
