Promoting Cybersecurity Information Sharing Across the Extended Value Chain
Olga Biedova, Lakshmi Goel, Justin Zhang, Steven A. Williamson, Blake Ives
This study analyzes an alternative cybersecurity information-sharing forum centered on the extended value chain of a single company in the forest and paper products industry. The paper explores the forum's design, execution, and challenges to provide recommendations for similar company-specific collaborations. The goal is to enhance cybersecurity resilience across interconnected business partners by fostering a more trusting and relevant environment for sharing best practices.
Problem
As cyberthreats become more complex, industries with interconnected information and operational technologies (IT/OT) face significant vulnerabilities. Despite government and industry calls for greater collaboration, inter-organizational cybersecurity information sharing remains sporadic due to concerns over confidentiality, competitiveness, and lack of trust. Standard sector-based sharing initiatives can also be too broad to address the specific needs of a company and its unique value chain partners.
Outcome
- A company-led, value-chain-specific cybersecurity forum is an effective alternative to broader industry groups, fostering greater trust and more relevant discussions among business partners. - Key success factors for such a forum include inviting the right participants (security strategy leaders), establishing clear ground rules to encourage open dialogue, and using external facilitators to ensure neutrality. - The forum successfully shifted the culture from one of distrust to one of transparency and collaboration, leading participants to be more open about sharing experiences, including previous security breaches. - Participants gained valuable insights into the security maturity of their partners, leading to tangible improvements in cybersecurity practices, such as updating security playbooks, adopting new risk metrics, and enhancing third-party risk management. - The collaborative model strengthens the entire value chain, as companies learn from each other's strategies, tools, and policies to collectively improve their defense against common threats.
Host: Welcome to A.I.S. Insights, powered by Living Knowledge, where we translate complex research into actionable business strategy. I’m your host, Anna Ivy Summers.
Host: Today, we’re talking about a challenge that keeps leaders up at night: cybersecurity. We’ll be discussing a fascinating study titled "Promoting Cybersecurity Information Sharing Across the Extended Value Chain."
Host: It explores a new model for cybersecurity collaboration, one centered not on an entire industry, but on the specific value chain of a single company, aiming to build a more trusting and effective defense against cyber threats.
Host: And to help us unpack this is our analyst, Alex Ian Sutherland. Welcome, Alex.
Expert: Great to be here, Anna.
Host: Alex, we all know cybersecurity is important, but collaboration between companies has always been tricky. What’s the big problem this study is trying to solve?
Expert: The core problem is trust. As cyber threats get more complex, especially in industries that blend physical machinery with digital networks, the risks are huge. Think of manufacturing or logistics.
Expert: Government and industry groups have called for companies to share threat information, but it rarely happens. Businesses are worried about confidentiality, losing a competitive edge, or legal repercussions if they admit to a vulnerability or a breach.
Host: So everyone is guarding their own castle, even though the attackers are collaborating and sharing information freely.
Expert: Exactly. And the study points out that even when companies join traditional sector-wide sharing groups, the information can be too broad to be useful. The threats facing a specific paper company and its logistics partner are very different from the threats facing an automotive manufacturer in the same general group.
Host: So this study looked at a different model. How did the researchers approach this?
Expert: They facilitated and analyzed a real-world forum initiated by a single large company in the forest and paper products industry. This company, which the study calls 'Company A', invited its own key partners—suppliers, distributors, and customers—to form a private, focused group.
Expert: They also brought in neutral university researchers to facilitate the discussions. This was crucial. It ensured that the organizing company was seen as an equal participant, not a dominant force, which helped build a safe environment for open dialogue.
Host: A private club for cybersecurity, but with your own business partners. I can see how that would build trust. What were some of the key findings?
Expert: The biggest finding was that this model works incredibly well. It created a level of trust and relevance that broader forums just can't match. The conversations became much more transparent and collaborative.
Host: Can you give us an example of that transparency in action?
Expert: Absolutely. One of the most powerful moments was when a company that had previously suffered a major ransomware attack openly shared its story—the details of the breach, the recovery process, and the lessons learned. That kind of first-hand account is invaluable and only happens in a high-trust environment. It moved the conversation beyond theory into real, shared experience.
Host: That’s incredibly powerful. So this open dialogue actually led to concrete improvements?
Expert: Yes, that’s the critical outcome. Participants started seeing the security maturity of their partners, for better or worse. This led to tangible changes. For instance, the organizing company completely revised its cybersecurity playbook based on new risk metrics discussed in the forum. Others updated their third-party risk management and adopted new tools shared by the group.
Host: This is the most important part for our listeners, Alex. What does this all mean for business leaders, regardless of their industry? What’s the key takeaway?
Expert: The biggest takeaway is that your company’s security is only as strong as the weakest link in your value chain. You can have the best defenses in the world, but if a key supplier gets breached, your operations can grind to a halt. This model strengthens the entire ecosystem.
Host: So it’s about taking ownership of your immediate business environment, not just your own four walls.
Expert: Precisely. You don’t need to wait for a massive industry initiative. As a business leader, you can be the catalyst. This study shows that an invitation from a key business partner is very likely to be accepted. You have the power to convene your critical partners and start this conversation.
Host: What would you say is a practical first step for a leader who wants to try this?
Expert: Start by identifying your most critical partners—those you share sensitive data or network connections with. Then, frame the conversation around shared risk and mutual benefit. The goal isn't to point fingers; it's to learn from each other's strategies, policies, and tools to collectively raise your defenses against common threats.
Host: Fantastic insights, Alex. To summarize for our audience: traditional, broad cybersecurity forums often fall short due to a lack of trust and relevance. A company-led forum, focused specifically on your own business value chain, is a powerful alternative that builds trust, encourages transparency, and leads to real, tangible security improvements for everyone involved.
Host: It’s a powerful reminder that collaboration isn’t just a buzzword; it’s a strategic imperative for survival in today’s digital world.
Host: Alex Ian Sutherland, thank you so much for your time and expertise today.
Expert: My pleasure, Anna.
Host: And thanks to all of you for listening to A.I.S. Insights, powered by Living Knowledge. Join us next time as we continue to bridge the gap between academia and business.
cybersecurity, information sharing, extended value chain, supply chain security, cyber resilience, forest products industry, inter-organizational collaboration
