Lawrence M. Walsh
Published: 01 Sep 2004
Here's a paradox we constantly deal with: Security is dependent upon communication, yet few are willing to talk about it.
Security practitioners are among the tightest-lipped corporate beings in the world. Sure, put a bunch of propeller heads in a room together and they'll bad-mouth every Windows vulnerability they've ever come across. But don't expect specific, meaningful details about their companies' security programs.
There are good reasons for shutting up. If you spill the beans about last week's security incident, you run the risk of diminishing shareholder and customer confidence--and getting fired. If you talk about your security architecture and strategy, you may reveal vital information to miscreants and hackers. And, if you boast about your security, you paint a big bull's-eye on your enterprise.
Yet, when Information Security examined the state of critical infrastructure security (see "Mission: Critical"), we found that the key to protecting digital assets, and, ultimately, national security, is the open and continuing exchange of information and intelligence.
Just look at what happened this summer when the government learned al Qaeda was targeting key financial institutions: The Financial Services Information Sharing and Analysis Center (FS-ISAC) sprang into action. It dissected the intelligence, looked at different permutations of possible attacks (physical and cyber) and determined the best defenses and precautions. By the time CNN broke the story, FS-ISAC members were already implementing contingency plans and knew exactly what their neighbors were doing to protect themselves and the community as a whole.
This is a prime example of how communal information-sharing benefits one and all. But it's also an example of how little actual information is being shared. The FS-ISAC has fewer than 700 member institutions, yet it estimates that the financial services community numbers more than 30,000. And, according to the 2004 CSI/FBI Computer Crime and Security Survey, 57 percent of U.S. enterprises don't belong to any information-sharing group.
Those who have embraced the sharing philosophy usually belong to multiple security groups. However, the CSI/FBI survey found that most still keep their security practices and problems close to the vest.
Everyone has an excuse, and intelligence- and knowledge-sharing remain superficial. If it's not one of the standard reasons for guarding methodologies, it's the ubiquitous threat of having vital information leaked through partners, associations and government public records. Congress did pass Freedom of Information Act exemptions for companies that share information with the ISACs, eliminating the threat of sensitive information leaking out through public records. But there's still not enough sharing and coordinating of security intelligence among peer groups, industry associations and government agencies.
Security is about trade-offs. Practitioners balance security against budget and operational necessities on a daily basis, applying appropriate protections that won't curtail the reason we're in business in the first place. We need to apply the same thought process to security intelligence sharing, releasing the right amount so we can benefit from the experiences of others and contribute to the security of the greater community.
About the author:
Lawrence M. Walsh is executive editor of Information Security.