Undercover

Stumbling Toward Partnership

Effective information-sharing between the public and private sectors is still the exception, not the rule

By Anonymous

October 01, 2006

CSO — This is my favorite typical-day-in-security story. I was preparing some budget estimates when the supervisor of our security ops center dashed in and said that a crime had just been discovered and that our security response was evolving. In fact, a maintenance truck had been stolen. The truck was carrying equipment that was in use at the time of its theft and was a potential safety hazard.

Specifically, it could explode.

What's more, POTUS (that's the President) was visiting nearby facilities. So much for quietly working on retrieving a stolen vehicle. And it didn't help to have responding FBI and police units overhear our maintenance crews describing the truck as, ahem, a "rolling bomb."

So saying the response was "evolving" was an interesting choice of words.

Because you never heard or read about the massive explosion of a stolen truck near the president, you know this particular crisis ended well. We got on the phone with local police, the Joint Terrorism Task Force and U.S. Secret Service. Together we partnered as we had several times before in the interest of protecting both the public and our mutual interests. Within minutes, we provided pictures and had public broadcasts over local news stations advising people to report any sightings of our stolen vehicle.

That did the trick. The vehicle was spotted and recovered, thus ending the danger to the public and to the reputation of the company.

It was information-sharing between the government and industry at its best. I have seen it happen other times, especially with time-sensitive problems like this one. Unfortunately, though, I'd have to say that this case was the exception, not the rule. In general, information-sharing is not working well. At best, we can say that it's "evolving."

The Information-Sharing Dilemma

From the corporate security perspective, the fundamental dilemma of information-sharing is not trivial.

CSOs really want to help struggling government organizations develop an effective defense of the homeland. But no one can guarantee that what's shared will remain confidential. I have attended several meetings with government officials where they adamantly warned that they could not protect the information and that we shouldn't share anything we didn't potentially want to see on the front page of the newspaper.

In one specific case a few years ago, the government requested highly sensitive information on a security event and, after an intense session with the CEO, we agreed to send it along, marked clearly as highly confidential, because it dealt with critical infrastructure data.
