Major U.S. retailers that have formed a group for sharing cyberthreat information will have to overcome a number of hurdles before security can be improved within the participating companies, experts say.
The Retail Cyber Intelligence Sharing Center (R-CISC), launched Wednesday, includes J.C. Penney, Gap, Lowe's, Nike, Safeway, Target, Walgreen, American Eagle Outfitters, and VF Corp., which owns more than a dozen brands.
At least four of the members, including Walgreen, J.C. Penney, Lowe's and Target, have been the victims of major data breaches, which experts believe has added urgency to forming the group.
During last year's holiday shopping season, Target had tens of millions of customer accounts and credit-card numbers siphoned off its computer systems. Target CEO Gregg Steinhafel resigned this month, in part because of the breach. In addition, the company could face more than $1 billion in costs, according to Jefferies retail analyst Daniel Binder.
The centerpiece of the center's strategy for bolstering security is the Retail Information Sharing and Analysis Center (Retail-ISAC), which will be responsible for "identifying real-time threats and sharing actionable intelligence to mitigate the risk of cyberattacks."
How all that will be done is not clear. The Retail Industry Leaders Association, the trade group that's a part of the effort, did not respond to a request for an interview.
Nevertheless, such information-sharing initiatives are not new, so what needs to be done is known. A successful example is the Financial Services Information Sharing and Analysis Center (FS-ISAC), which coordinates security collaboration among banks.
For retailers, the first major hurdle will be to have a legal framework for sharing information among competitors. Frank discussions about how systems were hacked, vulnerabilities exploited and botched responses require guarantees that the information cannot be used for competitive advantage.
The R-CISC appears to have gotten around this problem initially by not having direct competitors in the group. However, that will have to change if the organization plans to grow.
Even with a legal framework, the participating companies will need time for their security people to get to know and trust each other, Rick Holland, analyst for Forrester Research, told CSOonline. Confidence is built through "getting people together, drink some beers, socialize and build up relationships."
"It's going to take some time to build up that circle of trust before people are really comfortable sharing high-fidelity information amongst themselves," Holland said.
On the technical side, the retailers will have to do extensive audits in order to get a clear understanding of where critical data is stored within a network infrastructure that can span several geographical regions, Christopher Strand, a retail expert at security vendor Bit9, said.
Once that is done, retailers can use the shared intelligence to test the defenses of important systems, he said.