1000words - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Should companies share data breach information with the public?

Data breach information sharing between CISOs is a helpful security tool, but expert Mike O. Villegas explains why sharing with the public may be detrimental.

There's been some criticism of Target, Home Depot and other organizations that have experienced data breaches for...

not sharing their internal reactions to the breaches. As a CISO, I'd like to know what those companies did that worked for them and what didn't. If this information were public, CISOs would know how to react should our companies suffer a data breach, too. Why don't companies share this information? Does anything like it exist anywhere?

Breaches happen every day, but not all of them get as much press as the likes of Target, Home Depot or JP Morgan Chase. There is no such thing as absolute security. This means corporations need to consider incident response programs for when they get breached -- not if they get breached.

When a data security breach occurs, should that company share the details so it will not happen again somewhere else? The answer seems to be yes, but it begs the question of how much of those details should be shared with the public. No one needs to know how security is deployed in your organization. Sharing data breach information to the public means hackers and malcontents will also learn enough about the company and its vulnerabilities to subvert and abuse them. Fortunately, there are forums in the information security world that allow for sharing such information in a secure and private manner.

In the Los Angeles area, there exists an informal forum of CISOs that meet every three to four months for the purpose of sharing information and learning from each other. There is a gentlemen's agreement not to share details outside these meetings that might compromise trust or embarrass any of the respective companies. This allows for an open forum and discussions of vendor solutions -- good and bad -- management challenges, inherent technology weaknesses and what works in one company but might not necessarily in another.

Professional organizations such as ISSA, ISACA, CISO Executive Summit, (ISC)2 and others allow interchange of security related information. The key is to establish a network of CISO peers with private meetings that are periodic, candid and mutually beneficial. There will be CISOs from other organizations who do not see the benefit, don't have time to share or do not want to be burdened with mentoring. That is their prerogative. You still need to take the initiative and not wait to be called.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn how to boost the morale of your staff after a data breach

This was last published in March 2015

Dig Deeper on Information Security Incident Response-Information