But we’ve got two ISACs!

With all the talk about information sharing, including the possibility of an automotive ISAC, the launch of a retail ISAC, the NIST draft information sharing guidance, and the launch of not one but two ISACs to serve the Oil & Gas industry (DNG ISAC and ONG-ISAC), I couldn’t help but draw a cartoon:

[Cartoon: a row of sector figures, each with its own ISAC label: Car (Automotive), PoS (Retailer), Defense, Finance, Oil (ONG)]

So before you misinterpret the cartoon, I want to make clear that I like ISACs. I think they are a good idea, and can be useful.

What I want to decry, however, is the fact that they are too often a political response for a failure to really care about security. They have turned into a way for participant firms to tell the government and themselves “See, we are doing something… we are getting information from DHS and making it available to our members… we don’t need regulation.”

If you are going to buy into the importance of “information sharing” and “threat intelligence”, then you should do it right. Hire a team, get the technologies you need, and generate thoughtful requirements. Without these things, what are you going to do with all that *awesome* intelligence/shared threat information anyway?