When we talk about transparency in cybersecurity we are referring to the practice of openly and honestly communicating about security practices, vulnerabilities, and breaches to stakeholders. These stakeholders can include customers, employees, peers, auditors, and the general public. There are many ways that increased transparency can have a profoundly positive effect on your cybersecurity operation. This article is going to break down several ways that transparency benefits cybersecurity and several places to put it into practice.
Talking About Issues and Risk
Transparency can help to improve overall security practices. By openly disclosing security breaches and vulnerabilities, your organization can learn from its mistakes and take steps to prevent similar incidents from happening in the future. Additionally, by disclosing vulnerabilities, you encourage researchers and security experts to help identify and fix problems, which can ultimately lead to stronger and more secure systems.
This is about improving trust with people who need to have trust in whatever it is your organization or team does. Let's expand on the act of disclosing breaches or security incidents to the public or a related subset of stakeholders:
- Your customers or stakeholders will receive the news better when they hear it from you rather than from an unofficial and unaffiliated third party.
- In this messaging you also have the opportunity to provide guidance to those who were affected. This might focus on what they should do to protect themselves and manage their own risk, such as rotating credentials or reviewing logs for specific activity.
- You build trust when you commit to your remediation activities and then follow up on them. Nobody likes to be told something is going to happen (or to assume it will) and then have their expectations totally let down when nothing happens.
Information Flow and Alignment Between Teams
Transparency can also help with overall cybersecurity by allowing your team to have a 360-degree view of what's happening. This is vital in a security operations setting. There is an information loop from the IR team, to SOC analysts, to the firewall team that is an unbelievable force multiplier. I have been involved with security teams that weren't great at this and I have also been involved with teams that had awesome communications and transparency. The increased level of trust that can be fostered through full transparency across the team will not just improve morale, it will make your systems more secure.
Transparency in this particular setting can manifest in a couple of specific ways. Which of these you adopt depends on your team culture or the working environment. The point is to be more open across teams internally.
- Communication channels (Slack or Teams channels)
- Calendars and corresponding meeting notes
- Plans, goals and intentions
- Challenges and setbacks
- Decision making processes as well as past decisions made (an architecture decision record process is a fantastic example of this).
- Conflict resolution and performance focused on the team environment
I believe that this particular practice can benefit trust building across any teams and any level of an organization.
Supporting Compliance and Operations
Another internal line of communication where you'll want to ensure transparency is between operations and compliance. Think about the effect on overall security this could have if compliance folks were fully read in on all the latest vulnerabilities, incidents, and pentest findings, and if, instead of blindly conforming to a standard, the compliance team gave advice based on their knowledge of the enterprise and the recent risks that have been identified.
We would be remiss if we didn't talk about the importance of transparency in the disclosure of security breaches. When a company experiences a data breach, it is important for them to be transparent about what happened, how it happened, and what is being done to prevent it from happening again. This helps to restore trust with customers and other stakeholders, as well as demonstrate a commitment to security.
However, there are often tensions between the need for transparency and the need for confidentiality. For example, a company may not want to disclose details about a security breach for fear of damaging its reputation or attracting legal action. Additionally, there may be concerns about revealing trade secrets or intellectual property if details about the breach are made public.
There are also concerns about the potential for malicious actors to use information about vulnerabilities or breaches for their own gain. For example, if a company publicly discloses a security vulnerability, a hacker may use this information to exploit the vulnerability before it can be patched.
Despite these challenges, there are several reasons why I think that post-breach transparency is important, for both practical and compliance reasons. One key reason is that it helps to build trust and credibility with stakeholders. When an organization is open and honest about its security practices, it demonstrates a commitment to protecting customer and employee data. This can help to build trust and confidence in the organization, which is especially important in industries where security is a top concern, such as financial services or healthcare.
There are also legal and regulatory incentives for transparency in cybersecurity. For example, many countries have laws that require companies to disclose data breaches to regulators and/or affected individuals. In the United States, for example, the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to report data breaches that affect the personal health information of more than 500 individuals.
In conclusion, transparency in cybersecurity is an important practice that helps to build trust and credibility, improve security practices, and meet legal and regulatory requirements. In this article we covered three key areas where transparency can help and where to put it into practice. While there are certainly challenges to achieving transparency, such as the potential for malicious actors to exploit information and the need to balance transparency with confidentiality, the benefits of openly and honestly communicating about security practices outweigh the risks.