Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Transparency as a Policy

Transparency is an interesting concept, especially for cyber security organizations. I say that as I recently experienced a complete lack of transparency – and what followed was confusion turned to anger for really no good reason. Let me elaborate.

Transparency is an interesting concept, especially for cyber security organizations. I say that as I recently experienced a complete lack of transparency – and what followed was confusion turned to anger for really no good reason. Let me elaborate.

Have you ever sat at an airport watching your flight get delayed every hour, for another hour, then another and another? Sitting there in Raleigh as the snow heavily fell in Atlanta I knew I wouldn’t be flying home that afternoon. Or evening. Everyone at the gate knew it. I’m 100 percent convinced my airline knew it as well. Yet, they persisted to give false hope and kept pushing the flight back from 3 to 4 p.m., then to 5:30 p.m., 8:30 p.m., and eventually 2:00 a.m. Finally, I heard that it was re-scheduled for 8:30 a.m. the next morning.

The ridiculous part, even though everyone knew it wasn’t leaving, the airline refused to acknowledge that fact. I’m sure there are other operational issues and legal things that go with saying, “Yup, we’re not going anywhere tonight,” but think of the havoc it caused. Those poor passengers who don’t have a travel team like I did ended up with no way to get home, no way to rent a car (they were all gone quickly), and no available hotel rooms. So, they slept at the airport, according to one news report. 

All that chaos caused all from a complete and utter lack of transparency. I hate that.

This example is relevant to the cyber security industry in so many ways. Most notably for incident management, and how we communicate and act. A balanced approach to transparency should be the one and only possible approach companies take. When a significant incident occurs, the victim organization has a duty to notify those who are impacted, quickly. Period. The trick is to do this in a manner that makes it clear the investigation is ongoing, but also provides enough information so that the impacted customers can appropriately protect themselves. There are victims, and there are companies that also make their customers victims. I have sympathy for one, but not the other.

Transparency isn’t limitless, this much should be clear. You can’t expect the company that just had a breach impacting you to tell you everything that’s happened. You also should not expect them to keep anything material that impacts you from you. Therein lies the balance, and here is where trust comes into play. Transparency, essentially, is a matter of policy that can make or break trust, in my opinion.

My father always told me, “Tell me, I may still be mad but at least I’ll know you’re honest.”

Advertisement. Scroll to continue reading.

Your customers feel the same way, and you should be designing your enterprise incident management policies and standards with this in mind. There is no other way. Without transparency you cannot have trust. And without trust, your business will suffer long-term negative consequences. FUD aside, one of the only things that can destroy your brand is explicit destruction of trust.

So then, don’t keep telling me everything is “probably OK” until you are mandated to tell me that everything is lost. Here are the three things I advise for good transparency:

Communicate an estimate. In the early hours and minutes of the sheer panic of a breach – and let’s face facts, it’s panic no matter how many times you’ve practiced – you won’t know every detail. That’s OK. Tell your stakeholders and customers what you know, estimate the rest and provide incrementally more accurate updates at a regular cadence. 

Over-communicate. Even if you have nothing to tell, send regular communications to let your stakeholders and customers know you’re working on it and you’re thinking of them. It’s difficult to overestimate the importance of this when you’re sitting on the victim side of the table.

Let the facts speak. Transparency is about facts. If the facts point to a narrative, try not to include your own spin that’s meant to make things feel “nicer.” No one believes it, and those who are actually drawn into it will be angry and feel betrayed.

Trust and transparency go hand-in-hand. Whether you’re sending a newsletter or fighting a “biggest ever” breach, remember transparency will win you trust. And like my father, your customers may still be mad as hell, but at least they’ll know you’re being honest with them. And that may allow you to salvage trust. That’s worth more than anything else. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.