I've spent the last three days in two different information sharing forums, having no less than four industry segments talk about what's happening in APT in their environments. Tuesday and Wednesday were spent with about 150 of my closest DIB, banking/finance, and communications sector friends, and yesterday with healthcare CISOs at the CISO Executive Network Annual Healthcare Summit.
My sample size is only about 100 companies across the four sectors, and not exactly scientific in my methods, but here's what I found out:
1. Every CISO wants to do the right thing.
2. Most know about APT, but only a few actually have the resources to protect themselves.
3. The hype can be overwhelming. While many know of it, APT means a lot of things to a lot of people, including now a subset of APT, Anti-Exploitation Threats (AET): those anti-forensic techniques taken by attackers. I'm not sure they're actually different, but I am sure a new name is being tossed around.
4. CISOs don't know how to talk to their management about APT, and therefore can't articulate the need for resources.
Here's the good stuff:
1. There was an entire presentation yesterday about how CISOs can articulate gaps in defenses using compliance language and graphics. I learned something new, and will probably call the company for a demo!
2. CISOs want to do the right thing!
3. Information sharing works! When CISOs can get in a room, either physical or virtual, without threat of oversight, regulatory pressures, etc., they talk! And when they talk, everyone gets something.
Before I leave... I've got a few RSVPs for Happy Hour on the 15th. Drop me a note!
JLS