The establishment of ISACs certainly represents a significant advance in the sharing of expertly screened and analyzed security information within and among sectors and with the government. From the perspective of the IT-ISAC, one can say, as Mr. Algeier does, that “From where we were 10 years [ago,] it’s night and day,” since the IT-ISAC did not exist a decade ago. From my perspective, we in financial services had already established a working ISAC by “the late 1990s,” with the result that this remarkable accomplishment was already behind us, and was therefore not included in my assessment of the status of information sharing.
To their credit, the various ISACs continue to add membership and improve the quality, quantity and content of their services. And their increasing population of members do get to know each other and trust one another with confidential information about some incidents that they have knowingly experienced. There is also a broad sharing of information about security threats, exploits and vulnerabilities. Many of the latter are in the public domain, but some are held within the confines of the ISACs.
That being said, I believe that we have not yet achieved an acceptable level of participation and protection, as illustrated by the Heartland situation. I understand that at the time of their incident, Heartland was not a member of the FS-ISAC, but joined subsequently. In my opinion, virtually all organizations, particularly those within critical sectors (such as financial services, health services, information technology and telecommunications, energy, transportation, emergency services and the like) should be required to join an ISAC and have staff assigned 24/7 to monitoring their networks and systems and responding to alerts. This should apply however small and seemingly insignificant an organization might be, because small and medium-sized businesses are often particularly vulnerable to attack. A compromise of a small or medium-sized firm can become a conduit for access to their larger business partners, suppliers and clientele.
