SecurityWeek’s Cyber Insights 2026 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we explore information sharing, with the purpose of evaluating what is happening now and preparing cybersecurity leaders for what lies ahead in 2026 and beyond.
Information sharing is necessary for efficient cybersecurity and is widespread, but it is never quite perfect in practice.
“Information sharing provides an asymmetric defensive advantage,” explains Dario Perfettibile, VP and GM of European operations at Kiteworks. “When one organization detects a novel attack and shares indicators of compromise, threat actor tactics, and defensive measures, hundreds of peers can immunize themselves before being targeted.”
Matthew Hartman, chief strategy officer at Merlin Group, adds, “The rapid and persistent exchange of cyber threat intelligence enables organizations – public and private, domestic and international – to detect and respond to intrusions more quickly and effectively.”
We saw this first-hand in late-2024 with the PRC state-sponsored intrusion campaign into U.S. commercial telecommunications infrastructure, known colloquially as ‘Salt Typhoon’.
“Public-private persistent collaboration,” he continues, “directly enabled the U.S. Government’s detection of the Salt Typhoon threat and, importantly, the swift dissemination of hunting and hardening guidance to network defenders across potentially impacted sectors and organizations therein. This rapid, coordinated response would almost certainly have been hampered if not for the Cybersecurity Information Sharing Act of 2015 (CISA 2015).”

The sheer volume of cyber threat intelligence being generated today is overwhelming. “Information sharing channels often help condense inputs and highlight genuine signals amid industry noise,” says Caitlin Condon, VP of security research at VulnCheck. “The very nature of cyber threat intelligence demands validation, context, and comparison. Information sharing allows cybersecurity professionals to more rigorously assess rising threats, identify new trends and deviations, and develop technically comprehensive guidance.”
It is a critical element of cybersecurity. “It’s possible the swathe of attacks against retailers and businesses such as Harrods and JLR in 2025 could have been, if not prevented outright, then at least mitigated faster if the lessons from each victim were learned and disseminated faster,” adds Marie Wilcox, VP of market strategy at Binalyze. “This responsibility is too important to rest upon any single body.”
Information sharing methods
There are indeed multiple bodies involved in information sharing, each with different strengths and weaknesses. The best known is perhaps CISA.
Cybersecurity Information Sharing Act (CISA)
There are two CISAs: the Cybersecurity Information Sharing Act of 2015, and the Cybersecurity and Infrastructure Security Agency created under the DHS by the separate Cybersecurity and Infrastructure Security Agency Act of 2018. They are separate, although there is synergy between them.
The former is currently the more tenuous, having passed its expiry (sunset clause) date of September 30, 2025. It is currently on oxygen, being temporarily reauthorized until January 30, 2026, as part of the continuing resolution passed to reopen the federal government following the shutdown in the fall of 2025. If it is not reauthorized before the end of January, it will lapse.

CISA, the agency, will continue even if CISA, the act, lapses – but its information‑sharing framework, supported by the act, could be weakened. In fact, the entirety of information sharing could be weakened.
“The importance of the Cybersecurity Information Sharing Act of 2015 for U.S. national security cannot be overstated,” says Crystal Morin, cybersecurity strategist at Sysdig. “Without legal protections, many legal departments would advise security teams to pull back from sharing threat intelligence, resulting in slower, more cautious processes. That shift would reduce the flow of high-fidelity, real-time insights, which is exactly the kind of intelligence that organizations rely on to stop adversarial campaigns before they escalate.”
She continues, “Legal departments would likely advise their security teams to scale back or halt sharing altogether, given the loss of liability protections and FOIA shields. This would result in a noticeable reduction in newly reported indicators of compromise (IoCs). Instead of real-time information sharing, a lapse would likely cause more cautious, delayed, and limited exchanges, weakening the momentum that CISA [the agency] built over the last eight years.”
“The Cybersecurity Information Sharing Act provides liability protections encouraging voluntary sharing, but its potential non-renewal would chill participation as organizations fear antitrust implications or disclosure requirements,” warns Perfettibile.
“Industry groups have been urging Congress to reauthorize the Cyber Information Sharing Act,” says Todd Thorsen, CISO at CrashPlan. “If there is no renewal or replacement there may be a significant reduction in sharing intelligence due to fear of legal exposure.”
“The lapse of CISA 2015 is significant given its critical role in enabling information sharing across the public and private sectors… That said, the real issue is not the lapse itself, but the outdated and reactive nature of what is being shared,” comments Kevin E Greene, chief cybersecurity technologist, public sector at BeyondTrust.
“Much of today’s threat intelligence remains reactive, driven by short-lived IoCs that do little to help agencies anticipate or disrupt cyberattacks,” he explains. “We need to modernize our information-sharing framework to emphasize behavior-based analytics enriched with identity-centric context. Until we do, our national cyber defense will remain reactive, fragmented, and a step behind our adversaries.”
CISA (the agency) won’t ‘lapse’ but has an additional set of problems centered on staffing and funding. Under the previous government administration its responsibilities were widened (following SolarWinds), while under the current administration its funding is being reduced (framed as ‘refocusing’) by almost $500 million. The bottom line is that CISA has more responsibility with fewer resources.
“Foreign adversaries and cybercriminals could certainly view a reduced CISA workforce as an opportunity to probe US critical infrastructure. Even if a surge of attacks isn’t guaranteed, the perception of weakened defenses alone may embolden threat actors to test the boundaries,” warns Morin.
There could also be knock-on effects with other CISA responsibilities, such as CIRCIA (mandatory incident reporting to CISA by critical industries). The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is likely to come into full effect around mid-2026 after CISA completes its ‘rulemaking’ role. Its coming into effect will further increase the strain on CISA.
“Even though that legislation is about reporting rather than intel sharing, it will create structured pipelines of incident data into the government once it’s live,” comments Sabeen Malik, VP of global government affairs and public policy at Rapid7. The hope is that more and better information going into government could result in better threat information coming out.
But the strain on CISA is possibly already showing. CISA is the strategic sponsor for MITRE’s CVE operation. CISA provides funding and guidance to ensure alignment with government needs to support the critical infrastructure. But it is noticeable that the CVE numbering system is decreasing in relevance to security professionals. This is partly because of the sheer volume and accuracy of numbers following the decentralization of numbering authorities. The situation has a further knock-on effect on NIST and the process of adding severity scores to the CVEs – there is a backlog and growing concern over the accuracy of the scores applied.
The biggest concern for security professionals is the timeliness and accuracy of the resulting NIST NVD (National Vulnerability Database). It can deliver historical and questionable data when security people need immediate data.
Starting in 2021, CISA began a catalog known as the KEV List. This is a list of ‘known exploited vulnerabilities’. Its primary value is informing organizations which vulnerabilities really need to be patched as soon as possible – but it is not a complete list of exploited vulnerabilities and is biased towards critical industries (federal agencies are required to patch items listed within 50 days) reflecting CISA’s primary purpose of security support for the government.
Miscellaneous sources of information
There are numerous other sources of threat information for security professionals – perhaps the two most important being the sector specific ISACs and InfraGard.
Information Sharing and Analysis Centers (ISACs)
An ISAC (information sharing and analysis center) is generally a non-profit, member-driven organization that ingests, analyzes and distributes threat information from and to its members within a specific industry sector. The cost of joining an ISAC is often based on the revenue of the joining organization – smaller companies pay less than larger companies.
“Having ISACs that are targeted to only certain areas of information allows them to specialize in the TTPs and information that are most valuable to the members of their group,” comments Bob Erdman, associate VP of R&D at Fortra. “It helps to filter out more of the noise and pass along potentially more actionable information to their members.”
Thorsen adds, “ISACs continue to be useful, and their value will continue to grow. Organizations that treat ISACs as part of a broader intelligence network (not their only source) will see the greatest return.”
However, “ISACs deliver variable value,” warns Perfettibile. “Financial services ISACs demonstrate high utility with real-time threat feeds, while newer sector ISACs struggle with participation and relevance.”
Condon is more enthusiastic. “ISACs are certainly useful, particularly since many of them focus on specialized sectors with overlapping threat models and regulatory requirements. Sector-specific intel sharing efforts can be hugely helpful for addressing emerging threats and attack vectors as well as for guiding risk strategy longer-term. I’d argue that ISAC value is growing, especially amid ongoing uncertainty about the future of government data sources (like NIST NVD) and government-led sharing efforts.”
InfraGard
InfraGard is a cross-sector, public-private partnership between the FBI and private individuals. Its primary purpose is to gather and disseminate threat information to protect industry. Members provide observations and insights on cyber intrusions to their local chapter (there are more than 70 around the country).
In turn, the FBI disseminates what should be timely and reliable security information to all the InfraGard members via a secure online portal, or direct email for urgent alerts. Non-members can still receive the information more circuitously via FBI relationships with other organizations such as CISA.
While the theory behind InfraGard is sound, there remain criticisms in practice. Phil Steffora, CIO and CSO at Arkose Labs, comments, “LEA-to-business sharing is tactical and incident-focused; business-to-LEA sharing is often hesitant due to liability concerns and contractual limitations.”
Thorsen adds, “LEAs share what they can with private sector businesses but only to the extent that the information shared does not compromise active/ongoing investigations, sources and methods. It is an asymmetrical relationship.”
Perfettibile expands on this. “LEAs typically share selectively, providing sanitized threat intelligence that doesn’t compromise ongoing investigations, creating frustration among CISOs who share raw incident data but receive vague warnings in return. The Cybersecurity Information Sharing Act provides liability protections encouraging voluntary sharing, but its potential non-renewal would chill participation as organizations fear antitrust implications or disclosure requirements.”
IC3
The Internet Crime Complaint Center (IC3) was founded by the FBI 25 years ago (originally known as the Internet Fraud Complaint Center in 2000 and renamed to IC3 in 2003) with the primary purpose of fighting cybercrime – victims of crime report incidents to IC3. While the IC3 will provide direct support to such victims, it also disseminates threat information it receives; but not in a timely or really meaningful manner.
It does so through public service announcements about new or ongoing threats, through annual reports, through online industry alerts, and by sharing with LEAs and trusted partners such as InfraGard and CISA. The last is the most detailed sharing but is not public. It is better at discovering trends than providing specific threat intelligence.
Private CISO communities
Timeliness and specific relevance are the primary weaknesses in the major mediums for information sharing. To combat this, CISOs have developed their own closed communities where they can discuss current incidents with other CISOs. This is done via channels such as Slack, WhatsApp and Signal. Security of the channels is a concern, but who better than multiple CISOs to monitor and control security?
These communities started to emerge following the Covid lockdown. Before then, CISOs sought each other at conferences and seminars for private conversations. During the lockdown, this became impossible and instead they started to meet online. The evolving communities have grown ever since, have become international, and can comprise hundreds of individual CISOs.
The size of a community can be anything from a dozen to many hundreds of members, and they are often grouped around subject areas (vertical industry sectors) and geographic regions. In large groups, the conversations tend to be less sensitive, with sensitive topics confined to smaller groups. In some ways, the size of the overarching community is irrelevant – a sensitive topic can be raised, and only those interested can hive off into a separate group for the duration of the conversation.
“By definition, information or intelligence that’s shared widely isn’t secret. Rather than expecting perfect security from any given platform, a better approach to security-aware information sharing is to segment the information itself by sensitivity and only share data or intel that matches the trustworthiness of the platform or channel being used,” says VulnCheck’s Condon.
“For unclassified intel, the type of information shared in Slack, Discord, or other chat platforms is often less sensitive than what’s shared in Signal messages or other end-to-end encrypted communications. Infosec also makes heavy use of Traffic Light Protocol (TLP) designations, which indicate how broadly information can be shared.”
Fortra’s Erdman expands on the value of TLP. “The sharing levels of the information need to be properly signified, and the method allowed for sharing should follow those designations. In a smaller group it can be as informal as a statement that this is TLP Red so keep it to yourself. In a larger group setting the TLP Traffic Light Protocol colors still work well. If entities do not follow the rules, then swift action to sanction or remove them from the group can be taken. If you want access to the data, you have to be trusted to follow the rules.”
But the security of the chosen channel remains a concern. “Many participants in closed-circle info sharing groups have heightened awareness of not only what they’re sharing and with whom, but also of the potential impact of a hypothetical breach or subpoena – and how likely the platform provider is to fork over data under political or market pressure,” continues Condon.
In an entrenched and expanding surveillance economy, platform providers’ privacy and security choices will become increasingly important to organizations deciding which platforms to trust for information sharing.
Steffora calls it the ‘security vs accessibility tension’. “One example is the invite-only Slack communities with hundreds of CISOs which are phenomenal for real-time peer advice and threat intel – but they’re also a concentration risk. If Slack itself is compromised, or if one member is a bad actor, you’ve got exposure. There’s no perfect answer; organizations balance openness with risk tolerance. I think in 2026, the community will work towards figuring out a good balance between these two goals.”

Nevertheless, Trey Ford, chief strategy and trust officer at Bugcrowd, explains the primary value of these communities. “Trust between individuals is explicit. Trust between organizations is implicit. The legal and organizational effort required to create and maintain a government sponsored safe place constrains the trust level to implicit – company to company rather than person to person. But I can sit down for a beer or coffee with another security executive and we can talk explicitly and share notes on investigations or on problems or on failure modes or on a whole array of other things. We can talk about staffing, talent, a new breaking vulnerability, or how we’re responding to the latest log4j.”
The future of sharing
The potential value from information sharing for cybersecurity is immense; the realizable value not always so much.
“Much of today’s threat intelligence remains reactive, driven by short-lived IoCs that do little to help agencies anticipate or disrupt cyberattacks,” comments BeyondTrust’s Greene. “We need to modernize our information-sharing framework to emphasize behavior-based analytics enriched with identity-centric context,” he continues. “Until we do, our national cyber defense will remain reactive, fragmented, and a step behind our adversaries.”
It is inevitable, however, that sharing will increase in 2026 and beyond. “Information sharing and reporting will continue to increase for many reasons. One is that there are more incidents than ever,” comments Brent Riley, VP of digital forensics & incident response (North America) at CyXcel.
“Another,” he adds, “is that organizations that might have been reticent to report a cyber incident to law enforcement in the past have learned that there are some increased audit protections when a crime has been reported to the IC3. Where there was fear of audits or other government regulatory attention simply for reporting a cybercrime, that concern has been somewhat assuaged in the past five years.”
Kiteworks’ Perfettibile agrees that sharing will increase in volume in 2026, but it faces quality challenges. “Automation generates massive indicator feeds that overwhelm analysts, while truly valuable contextual intelligence about attacker tradecraft remains closely held due to competitive concerns or classification. The future depends on solving the incentive problem. Organizations sharing detailed breach information risk reputation damage and regulatory scrutiny while free riders benefit without contributing.”
He adds, “Without platforms enabling anonymized sharing, regulatory safe harbors protecting good-faith sharers, and government investment in fusion centers synthesizing private sector reports with classified intelligence, information sharing will remain high-volume but low-fidelity in 2026, limiting its defensive value despite increasing participation.”
Condon says, “I think we’re seeing the overall cyber market swing more toward privatization and closed-source intelligence, both to try to gain commercial advantage and to attempt to keep intel out of the hands of adversaries. But the cybersecurity market is still, by and large, very competitive – so long as there’s a business advantage in validating and sharing threat intel more broadly, information sharing will continue at both community and industry level.”
Information sharing in cybersecurity is here to stay, she adds. “And if governments want to shape and enable those efforts, they can’t merely be consumers – they must continue to be active collaborators.”
Rapid7’s Malik believes, “Information sharing is not going to go away in the US, but it will move from government-only mechanisms to trusted platforms hosted by third parties and other governments.”
There is wide agreement that information sharing is here to stay and will continue growing in the years ahead. There is less consensus on how best to achieve this successfully.
Final thoughts
There are two primary problems with current mainstream information sharing. The first is the time delay between the sharing platform’s ingestion of information from the source, and its subsequent dissemination to the recipient organizations. Security teams need information early, preferably before an attack hits them, so they can ensure their defense is in place.
If the delay is lengthy, the information may become historical rather than forewarning.
The second issue is the nature of most information sharing organizations – they tend to be government vehicles to further government preferences and are subject to government priorities. Thus, the FBI will not circulate information that may be relevant to an ongoing investigation. Similarly, funding may alternate between tight and sufficient, depending upon the current administration.
There are very few options that can overcome both these concerns – but perhaps the most promising is the direct peer-to-peer closed CISO communities. Here, questions may be asked and answered within days if not hours, and the response will likely come from a peer who understands concerns and may have experienced and overcome those very same concerns, issues or attacks.

