Go ahead and ask CSOs from the nation's largest banks about the myriad distributed denial-of-service (DDoS) attacks they've experienced in recent months. They're not going to tell you anything.
Security execs have never been comfortable talking about these attacks because they don't want to draw more attention to their companies. They worry that offering even the basic details of their defensive strategy will inspire attackers to find the holes.
But many companies are finding themselves under attack for the first time, and their security chiefs need answers if they're going to fight back. So despite knowing CSOs are reluctant to talk, we tried to get answers anyway. We offered several CSOs anonymity to tell their stories, a tactic that always worked before.
Not this time.
DDoS attacks have become more ferocious than ever over the past few years, fueled by hacktivists who understand that every minute of downtime for a financial services site equals millions of dollars in lost business. Attacks hitting the likes of Bank of America, Capital One, Chase, Citibank, PNC Bank and Wells Fargo have been so relentless and sophisticated that most security execs are too freaked out to discuss details.
"These DDoS attacks are a very sensitive issue now and not something we can talk about publicly," says the CISO at a midsize bank that operates out of the Pacific Northwest.
"Our communications department has asked that we don't discuss this with the media right now, out of concern that we may draw attention to ourselves and become a target," says a security officer at another financial services firm in the southeastern U.S.
Tight lips sink company defenses
While there's plenty of truth behind the old World War II propaganda posters that say, "Loose lips sink ships," the saying "Knowledge is power" also holds true, especially when it comes to defending modern business-technology systems. There's no doubt that tight lips can be a problem if you're the newly minted CISO of a bank and find yourself under attack. You need good information on the most recent attacks and defense trends.
Some contend that the adversarial relationship between regulators, the public and financial institutions regarding cybersecurity incidents is at least partially to blame for organizations playing their cards so close to the vest.
"The best way to drive this kind of cooperation and information sharing is to make sure that there are no repercussions to the institutions for sharing both successes and failures. If an institution shares attack information that was successful and then the regulators come down on them for that, they're not going to want to cooperate in the future," says Chip Tsantes, principal of information security advisory services at Ernst and Young.