As cyberattacks continue spread in number and severity, President Obama and Congress have made information-sharing programs a key pillar of their defensive strategy. However, top security executives and experts believe that the “effort is very much a work in progress.”
Information Sharing and Analysis Centers (ISACs), non-profit groups that facilitate information sharing within industries, are an important aspect of the government’s new initiatives and many organizations have gotten on board with the idea. However, some experts argue that the steps taken to date are preliminary and need to be further developed before tangible results can be seen.
Hewlett Packard Co. Chief Information Security Officer Brett Wahlin recently stated, “when you’re a large company, you’re not going to get a lot out of an ISAC. H-P has a business in security, and often receives and acts on threat information before it gets out to the public. As a result, H-P receives no actionable information from the IT ISAC.” Many in the industry argue that the government needs to do a better job of sharing threat indicators with the private sector and offer better incentives to encourage participation.
For now information sharing organizations “greatly benefit smaller companies that lack the security expertise of large organizations,” and although help develop relationships among large firms “they have a ways to go before providing a uniform way to deliver the depth of insight large companies can use on a regular basis.”