
Transparency as a Policy

Transparency is an interesting concept, especially for cyber security organizations. I say that because I recently experienced a complete lack of transparency – and what followed was confusion that turned to anger, for really no good reason. Let me elaborate.

Have you ever sat at an airport watching your flight get delayed every hour, for another hour, then another and another? Sitting there in Raleigh as the snow fell heavily in Atlanta, I knew I wouldn’t be flying home that afternoon. Or that evening. Everyone at the gate knew it. I’m 100 percent convinced my airline knew it as well. Yet they persisted in giving false hope and kept pushing the flight back from 3 to 4 p.m., then to 5:30 p.m., 8:30 p.m., and eventually 2:00 a.m. Finally, I heard that it was rescheduled for 8:30 a.m. the next morning.

The ridiculous part is that even though everyone knew the flight wasn’t leaving, the airline refused to acknowledge that fact. I’m sure there are operational issues and legal considerations that go with saying, “Yup, we’re not going anywhere tonight,” but think of the havoc it caused. Those poor passengers who didn’t have a travel team like I did ended up with no way to get home, no way to rent a car (they were all gone quickly), and no available hotel rooms. So, according to one news report, they slept at the airport.

All that chaos was caused by a complete and utter lack of transparency. I hate that.

This example is relevant to the cyber security industry in so many ways, most notably for incident management and how we communicate and act. A balanced approach to transparency should be the only approach companies take. When a significant incident occurs, the victim organization has a duty to notify those who are impacted, quickly. Period. The trick is to do this in a manner that makes it clear the investigation is ongoing, while also providing enough information that impacted customers can appropriately protect themselves. There are victims, and there are companies that also make their customers victims. I have sympathy for the former, but not the latter.

Transparency isn’t limitless; this much should be clear. You can’t expect the company that just had a breach impacting you to tell you everything that has happened. You also should not expect them to keep from you anything material that impacts you. Therein lies the balance, and here is where trust comes into play. Transparency, essentially, is a matter of policy that can make or break trust, in my opinion.

My father always told me, “Tell me, I may still be mad but at least I’ll know you’re honest.”

Your customers feel the same way, and you should be designing your enterprise incident management policies and standards with this in mind. There is no other way. Without transparency you cannot have trust. And without trust, your business will suffer long-term negative consequences. FUD aside, one of the only things that can destroy your brand is explicit destruction of trust.

So then, don’t keep telling me everything is “probably OK” until you are mandated to tell me that everything is lost. Here are the three things I advise for good transparency:

Communicate an estimate. In the first minutes and hours of the sheer panic of a breach – and let’s face facts, it’s panic no matter how many times you’ve practiced – you won’t know every detail. That’s OK. Tell your stakeholders and customers what you know, estimate the rest, and provide incrementally more accurate updates at a regular cadence.

Over-communicate. Even if you have nothing to tell, send regular communications to let your stakeholders and customers know you’re working on it and you’re thinking of them. It’s difficult to overestimate the importance of this when you’re sitting on the victim side of the table.

Let the facts speak. Transparency is about facts. If the facts point to a narrative, try not to include your own spin that’s meant to make things feel “nicer.” No one believes it, and those who are actually drawn into it will be angry and feel betrayed.

Trust and transparency go hand in hand. Whether you’re sending a newsletter or fighting a “biggest ever” breach, remember that transparency will win you trust. And like my father, your customers may still be mad as hell, but at least they’ll know you’re being honest with them. That may allow you to salvage trust, and that’s worth more than anything else.

Rafal Los is Managing Director, Solutions R&D within the Office of the CISO for Optiv, which was created in 2015 from the merger of Accuvant and FishNet Security. Los leads a team developing research-backed guidance addressing key program challenges for enterprise security leaders. Prior to joining Optiv, Los served as principal, strategic security services at HP Enterprise Security Services. Previously at HP, Los served several diverse roles including security strategist of enterprise security products where he advised customers on implementing practical solutions. Los also held various positions at GE entities and various other start-ups. Follow Rafal on Twitter: @Wh1t3rabbit.