Major U.S. retailers that have formed a group for sharing cyberthreat information will have to overcome a number of hurdles before security can be improved within the participating companies, experts say.
The Retail Cyber Intelligence Sharing Center (R-CISC), launched Wednesday, includes J.C. Penney, Gap, Lowe's, Nike, Safeway, Target, Walgreen, American Eagle Outfitters, and VF Corp., which owns more than a dozen brands.
At least four of the members, including Walgreen, J.C. Penney, Lowe's and Target, have been the victims of major data breaches, which experts believe has added urgency to forming the group.
During last year's holiday shopping season, Target had tens of millions of customer accounts and credit-card numbers siphoned off its computer systems. Target CEO Gregg Steinhafel resigned this month, in part, because of the breach. In addition, the company could face more than $1 billion in costs, according to Jefferies retail analyst Daniel Binder.
The centerpiece of the center's strategy for bolstering security is the Retail Information Sharing and Analysis Center (Retail-ISAC), which will be responsible for "identifying real-time threats and sharing actionable intelligence to mitigate the risk of cyberattacks."
How all that will be done is not clear. The Retail Industry Leaders Association, the trade group that's a part of the effort, did not respond to a request for an interview.
Nevertheless, such information-sharing initiatives are not new, so what needs to be done is known. A successful example is the Financial Services Information Sharing and Analysis Center (FS-ISAC), which co-ordinates security collaboration among banks.
For retailers, the first major hurdle will be to have a legal framework for sharing information among competitors. Frank discussions about how systems were hacked, vulnerabilities exploited and botched responses require guarantees that the information cannot be used for competitive advantage.
The R-CISC appears to have gotten around this problem initially by not having direct competitors in the group. However, that will have to change if the organization plans to grow.
Even with a legal framework, the participating companies will need time for their security people to get to know and trust each other, Rick Holland, analyst for Forrester Research, told CSOonline. Confidence is built through "getting people together, drink some beers, socialize and build up relationships."
"It's going to take some time to build up that circle of trust before people are really comfortable sharing high-fidelity information amongst themselves," Holland said.
On the technical side, the retailers will have to do extensive audits in order to get a clear understanding of where critical data is stored within a network infrastructure that can span several geographical regions, Christopher Strand, a retail expert at security vendor Bit9, said.
Once that is done, retailers can use the shared intelligence to test the defenses of important systems, he said.
The kind of intelligence that would be most useful to share includes actual attack scenarios, hacker techniques and methods for getting useful intelligence from the terabytes of log data collected from network computers and security systems, Patrick Harbauer, senior security consultant for Neohapsis, said.
In addition, the companies should conduct exercises in responding to a breach, Harbauer said.
"If they can get the technical people that are actually defending their systems talking to each other, then I think there would be a ton of value in that," he said.
Finally, the retailers will need to build a central repository for all the collected information, so the companies, law enforcement and federal agencies, such as the Department of Homeland Security, can access it. Some form of analytics to provide actionable intelligence from the data would also be helpful, experts say.