Virtual Event Today: Cyber AI & Automation Summit - Register/Login Now
Connect with us

Hi, what are you looking for?


Management & Strategy

Transparency as a Policy

Transparency is an interesting concept, especially for cyber security organizations. I say that as I recently experienced a complete lack of transparency – and what followed was confusion turned to anger for really no good reason. Let me elaborate.

Transparency is an interesting concept, especially for cyber security organizations. I say that as I recently experienced a complete lack of transparency – and what followed was confusion turned to anger for really no good reason. Let me elaborate.

Have you ever sat at an airport watching your flight get delayed every hour, for another hour, then another and another? Sitting there in Raleigh as the snow heavily fell in Atlanta I knew I wouldn’t be flying home that afternoon. Or evening. Everyone at the gate knew it. I’m 100 percent convinced my airline knew it as well. Yet, they persisted to give false hope and kept pushing the flight back from 3 to 4 p.m., then to 5:30 p.m., 8:30 p.m., and eventually 2:00 a.m. Finally, I heard that it was re-scheduled for 8:30 a.m. the next morning.

The ridiculous part, even though everyone knew it wasn’t leaving, the airline refused to acknowledge that fact. I’m sure there are other operational issues and legal things that go with saying, “Yup, we’re not going anywhere tonight,” but think of the havoc it caused. Those poor passengers who don’t have a travel team like I did ended up with no way to get home, no way to rent a car (they were all gone quickly), and no available hotel rooms. So, they slept at the airport, according to one news report. 

All that chaos caused all from a complete and utter lack of transparency. I hate that.

This example is relevant to the cyber security industry in so many ways. Most notably for incident management, and how we communicate and act. A balanced approach to transparency should be the one and only possible approach companies take. When a significant incident occurs, the victim organization has a duty to notify those who are impacted, quickly. Period. The trick is to do this in a manner that makes it clear the investigation is ongoing, but also provides enough information so that the impacted customers can appropriately protect themselves. There are victims, and there are companies that also make their customers victims. I have sympathy for one, but not the other.

Transparency isn’t limitless, this much should be clear. You can’t expect the company that just had a breach impacting you to tell you everything that’s happened. You also should not expect them to keep anything material that impacts you from you. Therein lies the balance, and here is where trust comes into play. Transparency, essentially, is a matter of policy that can make or break trust, in my opinion.

My father always told me, “Tell me, I may still be mad but at least I’ll know you’re honest.”

Your customers feel the same way, and you should be designing your enterprise incident management policies and standards with this in mind. There is no other way. Without transparency you cannot have trust. And without trust, your business will suffer long-term negative consequences. FUD aside, one of the only things that can destroy your brand is explicit destruction of trust.

Advertisement. Scroll to continue reading.

So then, don’t keep telling me everything is “probably OK” until you are mandated to tell me that everything is lost. Here are the three things I advise for good transparency:

Communicate an estimate. In the early hours and minutes of the sheer panic of a breach – and let’s face facts, it’s panic no matter how many times you’ve practiced – you won’t know every detail. That’s OK. Tell your stakeholders and customers what you know, estimate the rest and provide incrementally more accurate updates at a regular cadence. 

Over-communicate. Even if you have nothing to tell, send regular communications to let your stakeholders and customers know you’re working on it and you’re thinking of them. It’s difficult to overestimate the importance of this when you’re sitting on the victim side of the table.

Let the facts speak. Transparency is about facts. If the facts point to a narrative, try not to include your own spin that’s meant to make things feel “nicer.” No one believes it, and those who are actually drawn into it will be angry and feel betrayed.

Trust and transparency go hand-in-hand. Whether you’re sending a newsletter or fighting a “biggest ever” breach, remember transparency will win you trust. And like my father, your customers may still be mad as hell, but at least they’ll know you’re being honest with them. And that may allow you to salvage trust. That’s worth more than anything else. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.