[BreachExchange] To fend off attacks, CISOs share threat information. Even with competitors

Wed Jan 22 10:04:35 EST 2020

https://www.ciodive.com/news/infosec-cybersecurity-threat-CISO/570594/

NEW YORK — After a data breach, companies have to clean up their mess,
pay settlements, and restore customers' trust.

But if a company is as popular as Target is, shoppers remain loyal.

Target's 2013 data breach wasn't the first major data breach, but it
was "significant" because it introduced a new threat to retail, said
Rich Agostino, SVP and CISO of Target, while speaking at the National
Retail Federation (NRF) conference last week.

Target's breach recovery didn't end with remediation; it needed a
sustainable security model that included active information sharing.
Ever-present cyberthreats in retail are forcing CISOs to talk to each
other, even if they're competitors.

It’s Time to Rethink Your Cybersecurity Solution

Cybercriminals are getting more advanced in their attacks and less
picky in who they target. Learn why it’s time to rethink your
cybersecurity solutions, vendors and how you protect your business.

Agostino is part of the Cyber Twin Cities Cybersecurity Coalition,
which includes seven other companies headquartered in Minnesota, such
as Best Buy and General Mills. "We didn't go to an organization" and
pay sponsorship fees — the coalition was self-formed, said Agostino.

How to start the conversation

Having seen the other side of a data breach, Target knows what is
required for remediation and maintenance.

"We brought all critical functions in cybersecurity in-house to reduce
our reliance completely on contractors [and] managed services," said
Agostino. After bringing cybersecurity experts in-house, the team has
filed for at least 10 patents.

The retailer also has a cybersecurity center where team members are
monitoring the threat landscape. But the retailer knows a sustainable
security model isn't confined to Target's walls. Bad actors repurpose
their attacks; one retailer's threat is every retailers' threat.

Retailers are all fighting the same adversaries, if one company knows
how to avoid a cyberthreat, it's in the best interest of other CISOs
to learn from it, said Dave Estlick, CISO of Chipotle, while speaking
on the panel at NRF. "Security is not a competitive advantage."

CISOs connecting with other CISOs, whether in a formal capacity or on
a text chain, is vital. In times of crisis, such as heightened
cybersecurity alerts, collaboration can't be reserved for incidents
post-mortem.

"Too often what happens is we find ourselves back on our heels or
reactive," said Estlick. "Crisis is not the time to try to figure out
what level of information are you going to share."

Estlick recommends reaching out to CISOs or companies who have already
solved their business's problem and determining the following:

Does your business share information?

If yes, does your business already have an information sharing plan or
reporting hierarchy?

What level and what kind of information are you willing to share?

If you're not a security professional, should you have a security
conversation on behalf of the brand?

Resistance to talk

Information sharing in cybersecurity can feel taboo, though it's
widely encouraged.

Companies are concerned about liabilities if they share information
that's not entirely accurate or incomplete, said Agostino. But weeding
through what is and isn't appropriate to share among CISOs is fairly
simple.

There are two different kinds of information sharing: tactical, threat
data and "more strategic benchmarking," Agostino later told CIO Dive.
Strategic information sharing usually outlines how a CISO is funding
their team, what tools are they using or how are they recruiting
talent.

Information sharing is a lifeline for companies without the resources
or bandwidth for constant threat analysis or data collection. "I hear
[smaller organizations] say, 'we don't have anything to share,'" said
Agostino. His response is, every company will know something someone
else doesn't — bad actors replicate attacks across targets.

A company sharing an "indicator" externally is a "simple gesture" that
could save a company from a phishing email-turned-data breach, said
Agostino.