'Operation Aurora' Changing The Role Of The CISO

Targeted attacks out of China against Google and other U.S. firms have forced some chief information security officers to reach out to their counterparts in other organizations and share attack and forensics information.
It's not the only attack-sharing forum, however. U.S. defense contractors already have their own online exchange for swapping attack information -- the Defense Security Information Exchange, for example.

Meantime, while CISOs attend events such as InfraGard, the FBI-led association of local businesses, academic institutions, and state and local law enforcement agencies, they are mainly there to network with security people rather than with their peers, CISO Group's Shimel says. The CISO Breakfast Club, an organization with local chapters in Washington, D.C., Baltimore, Pittsburgh, Boston, and New York, is attempting to provide a forum for CISOs to share attack information, he says.

"There's a huge need for CISOs to talk about Aurora, what's working and what's not, and to learn from their peers about what's going on...where they can talk in confidence. We don't have that [on a broad scale]."

But the CSO Council's Terrell says organizations like InfraGard are often less about intelligence-sharing and typically include plenty of presentations by vendors. The Bay Area CSO Council prides itself on its no-vendor member status. "We're focused on intelligence-sharing," Terrell says.

The council's Franceour says CISOs traditionally have been hamstrung in getting to the bottom of targeted attacks. "CISOs...have been walking around trying to collect crumbs of what happened in the past. It's so frustrating because it seems so ineffective given the actual nature of the threat," he says. "This [Operation Aurora] event is stealing our source code, our competitiveness. This is so extremely important that, to me, we need to define a game-changer on our side because they changed the game on us."

Even so, no CISO wants to be the poster child for a breach of confidentiality or a leak about a targeted attack that doesn't require public disclosure. The recent firing of Pennsylvania CISO Robert Maley for speaking publicly at the RSA Conference earlier this month about a security incident on the state's online driving exam scheduling system, for example, was a stark reminder of what can go wrong when CISOs share their experiences, even in general terms.

"Everyone is afraid" of their businesses being compromised if they share attack information, says Mike Murray, co-founder of MAD Security and with "Even with a confidential forum, it's not going to protect me if someone leaks and my boss fires me. If there's an incident, [there's an] imperative not to say anything to anyone at all."

And the CISO no longer can be just the technical lead at the organization. "There's a real transformation occurring," says Lee Kushner, president of LJ Kushner and Associates and also with "I think a lot of people inherited that position in the late 1990s and early 2000s and are now moving to the end of their career slope. When organizations are replacing their CISOs, they are replacing them with people who have much broader business skills...they need to interact with business units and speak their language with a technical understanding, but not a tech-centric [approach]," he says.
