What Me Data Share?
I completely have to support Chris in his analysis of the latest CSI/FBI Survey. He sums it up nicely with: “there is no reason to give this survey any credence.”
The survey does an excellent job of highlighting a general problem within the security industry: the sharing of data. If we’re to make real progress in managing risk, we need real information about what the risks actually are.
Unfortunately, this lack of data sharing is not limited to just the CSI/FBI survey, but rather is an endemic problem within our industry. At this year’s RSA show, I sat in a session with approximately 100 CSO/CISOs and the topic of data sharing came up. Someone asked, “Who here would be willing to say what brand of firewall they are running at their site?” Less than ten percent of the people in the room raised their hands!
In the past, I’ve been a member of FIRST (Forum of Incident Response and Security Teams). One of the goals of FIRST is to “develop and share technical information, tools, methodologies, processes and best practices”. I am very fond of FIRST, it is a great organization for developing contacts, and I intend to be a member again in the future; however, I can’t remember the last time I actually saw real information being shared on the mailing list. And this is an organization that attempts to do some level of trust verification of its members.
I’ve heard mixed things about the Information Sharing and Analysis Centers and rumor has it that mostly there is no data sharing going on there either. Can anyone who is a member of one of the ISACs shed more light on this for me?
There is, however, a potential ray of sunshine: the Deloitte 2006 Global Security Survey. This survey focuses specifically on the financial services industry and goes into a lot more detail on how the data was collected, including the fact that they used in-person interviews. Can any of our readers who have more experience with statistics chime in here with a better analysis of this report?
[Updated to fix html errors]