Information Sharing Among CISOs Key to Firms' Protection
CISOs rely on swapping information about cyber attacks as an integral part of their security programs.
There was no shortage of media coverage in 2012 when reports began to leak out that Iran had launched massive denial-of-service attacks on US banks.
Media outlets would eventually report that Iran's attack was in response to joint cyber attacks by the US and Israel on its nuclear program. The news seemed to signify a shift in how cyber attacks were perceived: no longer just sloppy hackers working by themselves.
Nation-state hacking certainly dictated a change in how firms would approach cyber security, but the actual attacks weren't exactly news to most of the firms being targeted.
Thanks to information sharing in the industry, the banks were well-prepared for what Iran had in store for them. As a result, most banks only saw a brief interruption in their service, as opposed to an extended shutdown of their websites.
"We had the exact script for the attacks and we knew when the attacks were going to happen," says Jim Routh, chief information security officer (CISO) at Aetna. "Every single one of those banks on that target list had that information prior to the attack."
Value in Sharing
It's an odd concept in a space full of them: CISOs are tasked with protecting their firms' information, yet one of the best ways they can do that is by sharing some of that information with other firms.
Routh says the Iran attacks showcased how valuable the sharing of information amongst firms can be. Even the banks that weren't involved in the attacks recognized how valuable pooling together information could be as part of increasing a firm's resiliency.
"It's actually pretty simple: The best and most mature information security programs in the private sector are the same organizations that share information well," says Routh, who also served as the CISO at KPMG, American Express and the Depository Trust & Clearing Corporation (DTCC) before joining Aetna. "I don't think that's an accident. I think that's an enabling capability. The firms with the programs that I admire for their maturity and information security practices are the ones that actually share more information than anybody."
Group Share
One of the largest organizations for sharing cyber security information in the industry is the Financial Services Information Sharing and Analysis Center (FS ISAC). The group has been around since 1999, and its membership has grown by leaps and bounds in recent years.
After going from 48 to 68 members between 1999 and 2004, the FS ISAC currently has over 5,200 members, according to CEO Bill Nelson. The group saw steady growth until it was hit by what Nelson calls a "membership tsunami" last year. Nelson estimates 1,200 firms joined in 2014 alone.
Firms in the FS ISAC share all types of information on cyber attacks, including indicators such as suspicious IP addresses, details on emails used in phishing attacks or an actual malware executable file.
"Indicators of compromise are invaluable," Nelson says. "That enables you, as a community, to kind of band together and share information together. You become much stronger as a community if you share that information as it's happening."
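The article describes the kinds of indicators FS ISAC members exchange (suspicious IP addresses, phishing email details, malware samples) and Nelson's point that they are only useful if matched against what is happening in each firm. The script below is an added illustration of that matching step; it is not code from the article, from FS ISAC, or from any of the firms quoted. The indicator feed, the log lines and the malware hash are all constructed for the example (the IP addresses are from the RFC 5737 documentation ranges and the domains use the reserved `.test` TLD), and the feed format is an assumed simplified one rather than any real sharing standard.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Constructed hash standing in for a shared malware sample's SHA-256 (not a real IoC).
MALWARE_HASH = hashlib.sha256(b"constructed malware sample").hexdigest()

# Constructed indicator feed of the kind a sharing group might distribute.
# The schema (type/value/context/source) is an assumption for this example.
SHARED_INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.45", "context": "DDoS source", "source": "peer-bank-A"},
    {"type": "ipv4", "value": "198.51.100.0/24", "context": "scanning range", "source": "peer-bank-B"},
    {"type": "email-sender", "value": "alerts@examp1e-bank.test", "context": "phishing", "source": "peer-bank-A"},
    {"type": "sha256", "value": MALWARE_HASH, "context": "dropper", "source": "peer-bank-C"},
]

# Constructed log lines from a firewall, a mail gateway and an endpoint agent.
SAMPLE_LOGS = [
    "fw 2015-03-02T10:01:07Z src=203.0.113.45 dst=10.0.0.5 dport=443 action=allow",
    "fw 2015-03-02T10:01:09Z src=192.0.2.10 dst=10.0.0.5 dport=443 action=allow",
    "fw 2015-03-02T10:02:15Z src=198.51.100.77 dst=10.0.0.9 dport=22 action=deny",
    'mail 2015-03-02T10:05:00Z from=alerts@examp1e-bank.test to=ops@corp.test subject="Account notice"',
    'mail 2015-03-02T10:06:12Z from=hr@corp.test to=ops@corp.test subject="Payroll"',
    "edr 2015-03-02T10:07:30Z host=ws-17 file=C:\\Users\\a\\invoice.exe sha256=" + MALWARE_HASH,
]


@dataclass(frozen=True)
class Match:
    log_line: str
    indicator_type: str
    indicator_value: str
    context: str
    source: str


# key=value pairs; values may be bare tokens or double-quoted strings.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(line):
    """Turn a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def build_index(indicators):
    """Split indicators into an exact-match table and a list of CIDR networks."""
    exact = {}
    networks = []
    for ind in indicators:
        if ind["type"] == "ipv4" and "/" in ind["value"]:
            networks.append((ipaddress.ip_network(ind["value"], strict=False), ind))
        else:
            exact[(ind["type"], ind["value"].lower())] = ind
    return exact, networks


def match_line(line, exact, networks):
    """Return every indicator that fires on one log line."""
    fields = parse_fields(line)
    # Which log fields are compared against which indicator types.
    checks = [
        ("ipv4", fields.get("src")),
        ("ipv4", fields.get("dst")),
        ("email-sender", fields.get("from")),
        ("sha256", fields.get("sha256")),
    ]
    hits = []
    for itype, value in checks:
        if not value:
            continue
        ind = exact.get((itype, value.lower()))
        if ind is None and itype == "ipv4":
            # Fall back to CIDR containment for address indicators.
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue
            for net, candidate in networks:
                if addr in net:
                    ind = candidate
                    break
        if ind is not None:
            hits.append(Match(line, ind["type"], ind["value"], ind["context"], ind["source"]))
    return hits


def match_logs(indicators, logs):
    """Run all log lines through the shared indicators and collect the matches."""
    exact, networks = build_index(indicators)
    return [m for line in logs for m in match_line(line, exact, networks)]


def hits_by_source(matches):
    """Count which peer's shared intelligence produced each match."""
    counts = {}
    for m in matches:
        counts[m.source] = counts.get(m.source, 0) + 1
    return counts


if __name__ == "__main__":
    for m in match_logs(SHARED_INDICATORS, SAMPLE_LOGS):
        print(f"[{m.source}] {m.indicator_type}={m.indicator_value} ({m.context}): {m.log_line}")
    print(hits_by_source(match_logs(SHARED_INDICATORS, SAMPLE_LOGS)))
```

The `source` field is carried through deliberately: when a match fires, the analyst wants to know which peer reported the indicator and in what context, because that is what turns a raw IP or hash into the "early warning" the article's CISOs describe. Real feeds would also carry confidence and expiry, which this simplified schema omits.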
Todd Scharf, CISO at the US Securities and Exchange Commission (SEC), has been a member of the FS ISAC since he got into the financial services industry and says it's an outstanding resource and one that is a necessity in the industry. Information sharing, he says, is vital when so many firms are connected in one way or another.
"The bad guys are sharing information. They're learning from their attacks. They're learning from one another and becoming more mature," Scharf says. "We can't hold that information internally or within individual units without making everyone else aware, especially in the financial services sector. If one part of that sector goes down or gets hit hard, it can dramatically affect the rest of us. That communication needs to take place."
Balancing Act
Some do see drawbacks to information sharing. While Bob Ganim, CISO at Neuberger Berman, recognizes the value in working with peers to find out what threats they're facing, he says he still needs to make sure his firm's information is secure.
It's a balance that all CISOs need to be aware of, according to Ganim.
"You're still going to be careful on how much you divulge to others," he says. "You're keeping your firm's privacy in mind."
And Nelson says that concern has been a problem since day one at FS ISAC. One potential solution is offering the ability to share information anonymously, which does alleviate the issue to an extent.
For most, though, the benefits gained from trading information with each other are just too good to be ignored.
"I can't possibly see how anyone can be successful locking themselves away and ignoring the rest of the world," says John Masserini, CISO of MIAX Options Exchange. "When people see attacks, it's basically our early warning system. In many cases, we're able to ensure our defenses are in line to be attacked even before they start attacking us. So there is a huge value in the assuring of that information."
The Bottom Line
·Information sharing is a vital part of a CISO's job, as firms gain valuable insight from learning what to look for from potential attacks.
·The FS ISAC is one of the biggest information sharing groups in the industry. Last year they gained more than 1,000 members. Currently, they have an enrollment of over 5,200.
·While there are some who are a bit hesitant to share their firm's cyber security information, citing privacy, there is no way a firm can have a sustainable security program without at least some form of sharing.
Copyright Infopro Digital Limited. All rights reserved.