As CISO of Washington Mutual, Dave Cullinane has shut down around 930 phishing sites since last October. Dealing with phishing attacks and overall identity theft issues has been one of the biggest challenges for this year's winner of SC Magazine's CSO of the Year award.

However, you wouldn't know it after reviewing the WaMu website, where consumers can gather tips on avoiding online scams, learn all about recent phishing emails, and report any suspicious activity directly to the Fortune 100 company. "It's becoming a much more pervasive problem than we ever anticipated, both in terms of the number of attacks going on [and] also in terms of the ramifications and the impact it is having," he says.

With the help of New York-based anti-fraud vendor Cyota, Cullinane is taking a proactive approach by shutting down websites to which phishing emails have directed customers – hopefully before customer data has been misused. These moves are only part of the overall phishing protection strategy that he has implemented for WaMu.

"It's gone way beyond anything I would have expected, so it has created all sorts of side-issues and related things that need to be done," he says.

"We've put together a really nice program. We're doing a really good job of getting the sites shut down... and protecting our customers and watching their accounts."

At the same time, WaMu is also trying to measure the impacts of phishing on its business.

"We're looking at the fraud impact... how [to] measure it accurately, [how to] tell if it's really fraudulent or not and, if so, to what extent. There's all sorts of speculation that three to five percent of phishing attacks are successful, but we are finding that it doesn't look as if it's anywhere near that level," he says.

"We're not sure if that's because we're doing such a good job with it, or if there are things that we're missing. So we're looking at a lot of things from a product perspective to make sure that we're able to track it accurately and detect anything that's going on."

As well as seeking assistance from Cyota, which services other financial institutions such as Chase, Bank One, Navy Federal Credit Union, and Capital One, Cullinane says WaMu is also looking to a new service from Symantec that works with ISPs to help detect large blocks of email pointed at banks.

Currently piloting the solution, he expects to have a contract signed with the IT security giant shortly.

As part of WaMu's identity theft program, Cullinane has been sure to get every appropriate department involved. With participation from the likes of the public relations department and customer relationship management, the strategy is helping to address questions posed by consumers about online identity scams and what WaMu is doing to thwart them (see the panel "What you need to do to protect yourself" on page 24 for additional tips on establishing such a program in your organization).

The firm's phishing mitigation and awareness program was planned and implemented proactively, well before WaMu started experiencing large-scale phishing attacks last fall, explains Jim Reavis, president of Reavis Consulting, editor of the CSOinformer newsletter and vice-president of vendor relations for the Information Systems Security Association (ISSA).

"Dave didn't wait for them to get hit," says Reavis, noting that the phishing program was "ready to go" when the first phishing emails started to arrive.

"I actually think the Office of Thrift Supervision might be looking at Dave's program as a model," he adds. "That isn't official, but it was very impressed and is considering how it can use it for instructional purposes."

Cullinane explains that WaMu wants to project an image of being one of the most secure firms in the business.

"Our public relations philosophy has always been... that we are the number one bank in terms of customers feeling that they're secure, and that's obviously something we want to protect. We're doing a very good job thanks to being able to watch Citibank and some of the other [financial services companies] struggle with it initially," he says.

Shutting down sites is a key component to that success, he adds, but the goal has to be getting them offline "so that even if they've managed to collect some data, we get them shut down before the bad guys... use it somewhere."

Phishers are sending out roughly ten million emails with each attack. Since WaMu is one of the many financial institutions that has been built into phishing kits, like many of its counterparts it is "getting clobbered" with fake emails, explains Cullinane.

"So far, we have identified 45 million messages that have gone out. So there are 45 million email messages out there trying to get people to go to one of these sites and submit information that they shouldn't," he says.

Beyond identity theft

Cullinane's identity theft strategy is only one reason why SC Magazine's panel of judges, comprised of analysts, consultants and senior members of SC's editorial team, decided to name him CSO of the Year.

As international president of the ISSA, the largest not-for-profit association of information security professionals, he has not only boosted membership, but also widened the organization's scope and enhanced its reputation.

"He has led the ISSA into more public policy debates and got it represented on national cybersecurity task forces," says Reavis.

"He's been getting us inserted into the public policy debate by picking up the phone and talking to people."

According to the SANS Institute's Alan Paller, Cullinane has played a pivotal role in increasing the ISSA's size, as well as evolving it into a highly respected IT security association that is now on a par with the industry's various other leading associations.

Further strengthening the ISSA's position are two separate partnerships Cullinane spearheaded – one with the Information Systems Audit and Control Association (ISACA) and ASIS International, and another with the University of Southern California's Institution for Critical Infrastructure Protection at the Marshall School of Business (see this month's News section for more about the goals of these alliances).

"Under his leadership there's been quite a bit of growth," says Reavis. "He has also been quite a visionary, both in using the ISSA as a bully pulpit [for the IT security industry], but also... by developing the CISO membership within the ISSA."

As part of this effort, CISO Executive Forums are organized quarterly, providing senior-level professionals with the opportunity to network and talk about their IT security problems and corporate-wide problems.

Reavis says that as soon as Cullinane took his post at WaMu, he began looking for CSO resources. Realizing that these were few and far between, he brought the idea of the CISO executive forums and membership to the board.

"What we're trying to create is an educational forum where we can provide information to [CSOs] quickly," says Cullinane.

"We're trying to do some things with federal CISOs to merge our two groups together and start some information sharing at that level. Paul Kurtz [of The Cyber Security Industry Alliance] has been helping us with that. Amit Yoran, [former US director of the Department of Homeland Security's Cyber Security Division] was before he left."

Yoran says that, while he was in office, many IT security companies had organized quite effectively to publicize their opinions about the public policies being launched out of Capitol Hill. On the other hand, those professionals responsible for security in their corporations were failing to use that well-organized voice to guide public discussion about cybersecurity issues.

"Dave has been a very strong ally, a good person to work with in that he has been able to... help some of those CSOs get their voices heard on the public policy side of things," says Yoran.

But giving security professionals a voice in Washington to help form policy and influence legislation has been another uphill battle for Cullinane. So too has been forming a better relationship with federal agencies to enhance information-sharing efforts.

This is compounded with "a perception by government that corporate America is doing only what it absolutely has to, and is trying to get away with doing as little as possible," he says.

"But that's really not the case from what I've seen," he insists. "Most of my peers I talk to, not only from the financial services industry, but in other industries as well, are doing as much as they can to try to secure things."

In an attempt to overcome such misconceptions, and to avoid any further legislative mandates from being passed that only mirror current regulations such as Sarbanes-Oxley, GLBA and HIPAA, and which would further complicate his and other CSOs' jobs, Cullinane is looking to get agency and corporate CSOs working from the same script. His hope is for CSOs from both the private and public sectors to meet regularly and to establish a process by which IT security information can be shared securely.

Yoran is optimistic that such collaboration will take place, probably playing a key role in avoiding costly mistakes. CSIA's Kurtz agrees, although he says that government is a slow beast.

But if anyone can help develop a thoughtful interchange among legislators, government officials and corporate professionals, Cullinane is the man.

"To be an effective CSO, you need both to master your own environment, and be an effective participant in what is a very small community of trust," says Yoran. "Dave has done an exceptional job of bringing his peers together."