When the latest critical Microsoft RPC vulnerability was announced last month, Don Garvey turned to his counterparts at similar-sized companies -- including competitors -- for guidance. By close of business next day, his patch deployment strategy was in place.
"It's in everyone's best interest to make sure these companies are protected and secured," says Garvey, VP and director of information security for Chubb Corp. "A breach of security at our competitor's network also hurts us."
Garvey belongs to a growing number of small information-sharing forums that promote participation through intimacy rather than anonymity. One such example is Information Technology Security Sharing Forum (ITSSF), operated by KnowledgeConnect, of which Garvey is a member.
These forums each have up to 12 members, representing different industries, who must actively participate in quarterly, in-person "impact sessions" on three or four topics, as well as monthly, hour-long teleconference "jam sessions." In between, members exchange info, tips and ideas, such as Garvey's experience with the Microsoft flaw.
Trust and participation are paramount, which makes these types of groups unsuited for those who prefer to learn through lectures and passively gather information.
"In some ways, it's like a marriage, except instead of it being a two-way street, it's a 12-way street," says Ann-Marie Borelli, cofounder of KnowledgeConnect.
Other region-specific, cross-industry forums are cropping up nationwide, all with the goal of sharing data and ideas to strengthen infosecurity programs, particularly those guarding critical infrastructure systems.
Even larger organizations like the Financial Services Information Sharing and Analysis Center, the first public-private security intelligence sharing cooperative, are moving toward inclusion and providing more online chat capabilities to strengthen information channels.
"When I was put on the board, no one even wanted to hand out a contact list," says FS-ISAC chair Suzanne Gorman. "But there's nothing like having a cup of coffee or a beer and exchanging business cards and phone numbers and knowing what platforms you're all working on, so if I have a problem, I have someone to call."
The FS-ISAC recently created three tiers of service, ranging from free critical alerts to the $10,000 premiere service, which features collaborative online and in-person meetings, and real-time conference calls during emergencies. By comparison, it costs $15,000 to join an ITSSF group, to which members are admitted by unanimous vote. Among the perks included in the fee is a comprehensive annual comparative analysis of members' security programs, covering budgets, manpower, services and policies.
ITSSF member Jim Abernathy, director of information security at Inovant, Visa's IT and processing arm, used that study to compare his company's security costs with similar-sized enterprises. He then lobbied for more money where resources seemed weak.
Both Abernathy and Garvey, who belong to both large and small information sharing groups, warn that smaller forums may not suit everyone's personality and needs.
"Larger forums tend to benefit smaller companies that are building an information security program," Garvey says. "It offers them a chance to gather large quantities of information quickly.
"Smaller forums can benefit companies with established security practices, by offering them opportunities to establish best practices and keep their programs fine-tuned and on the cutting edge," he says.