Extreme Transparency or Corporate Security Responsibility?

With the risks, costs, and consequences of cyberattacks spiralling, security now ranks as a top concern beyond the office of the CISO.

Across legal, comms, sales, and finance leaders there is a clear conclusion: security through obscurity is no longer working. Organisations wanting to adopt a new culture of openness and collaboration have pledged to Corporate Security Responsibility (CSecR) to create a safer digital world for everyone. A key tenet of CSecR is Transparency. More transparency into security practices not only makes organisations more secure but can help accelerate innovation and business growth.

Security through obscurity reigns supreme

For many, the instinctive reaction to a cyberattack is to hide as many facts as possible about the event, to avoid appearing insecure. In fact, a survey of 800 security professionals revealed that well over half (64%) of organisations admit to maintaining a culture of security through obscurity, and 38% are closed off about their cybersecurity practices. This lack of openness may be influenced by the lack of enforceable regulations: in 2021, nine cyberattacks affecting the British transport sector would have fallen outside the UK’s mandatory reporting laws had they not been proactively disclosed to the government.

Without the push to disclose, it’s easy to stick to old habits and remain silent as a strategy for reputational survival. However, as businesses scale and gain greater resources, they will continue to attract cybersecurity issues. With breaches being more a matter of ‘when’ than ‘if’, and bad news having a habit of travelling fast, handling a breach publicly is inevitable for many organisations.

Building trust with transparency

In the last few years, progressive organisations have viewed cybersecurity disclosure differently. The reality of threats that can take down mission-critical services, such as healthcare establishments, has called for a new kind of openness among peers. In 2019, Norsk Hydro, a renewable energy and aluminium manufacturer, suffered an extensive ransomware attack that affected its operations worldwide. In response, the company distributed frequent and candid communications to inform its customers and shareholders about the unfolding events, specifically to help other organisations defend themselves against similar attacks.

Norsk Hydro took a risk and did not pay the ransom demand, but through sharing the experience openly, it built trust with its customers, suppliers, and shareholders. As a result, its reputation and share price remained intact during the breach.

Addressing challenges with transparency best practice

By sharing knowledge and experiences, disclosing vulnerabilities and leveraging ethical hacking, organisations can ensure they remain secure and demonstrate security best practices. Some key considerations for taking this approach include:

Involving developers in the security process

Developer-first security makes developers the customers of the security team. Developers are responsible for writing secure code, and security teams are responsible for providing developers with the tools and resources they need to do their jobs securely. This means tools, training and a security culture that has the developer at the heart of everything. Developers cannot do this if security is a black box.

Selecting the right security technologies

Innovation requires the fast development of apps and services. Fast means that not all code can be security audited by overstretched internal teams, so the risk of a vulnerability being pushed to production must be accepted. Consider mitigating this risk by launching a public bug bounty programme and using innovative crowdsourcing models for code review to give developers feedback directly, at their own pace, enabling continuous security testing.

Embracing ethical hacking

Tools are an important part of any security practice, but automation cannot discover all vulnerabilities: tools are limited in their scope and technology support. Ethical hackers are limited only by their imagination and are able to detect vulnerabilities using critical thinking and creativity.

Avoiding blame culture

When a vulnerability is discovered it should be celebrated. When a security incident happens, it’s important not to assign blame but to remain focused on building a culture of openness. This will inspire development and operations teams to innovate with security built into processes, which will provide on-the-job developer training, and bring safer products to market faster.

Meeting expectations of the security-conscious buyer

A trust-driven cybersecurity strategy can enable an organisation’s brand to stand out to the increasingly security-conscious buyer. In addition, being transparent in security processes and practices can bring enterprises closer to their customers.

Taking The Corporate Security Responsibility Pledge

For the ultimate commitment in cybersecurity best practices, enterprises can sign up to The Corporate Security Responsibility Pledge, which is based on four core principles: transparency, collaboration, innovation, and differentiation. This helps identify their organisation as actively committed to transparency.

Transparency is a business game changer

It may seem counterintuitive for leaders to overtly discuss failing processes. Yet, since all organisations face similar cybersecurity challenges, sharing new approaches can help detect issues earlier and make the internet a safer place.

Building a security culture that promotes trust and transparency can pave the way for other changes in mindset. In return, this will increase trust, differentiate the brand and create a robust security posture that is essential to keep pace with evolving hostile cyber activity.

These are the principles that lie at the foundation of the Corporate Security Responsibility Pledge. Enterprises that have signed up to this pledge demonstrate their organisation’s commitment to creating a safer digital world for everyone. By sharing our experiences and knowledge, we can build a safer and more secure world. This is not something that we can do in isolation. Every organisation, no matter how large or small, should take this step and commit to these four simple guiding principles.

About the Author

Laurie Mercer is Director of Security Engineering at HackerOne. HackerOne empowers the world to build a safer internet. As the world’s trusted hacker-powered security platform, HackerOne gives organizations access to the largest community of hackers on the planet. Armed with the most robust database of vulnerability trends and industry benchmarks, the hacker community mitigates cyber risk by searching, finding, and safely reporting real-world security weaknesses for organizations across all industries and attack surfaces.

Featured image: VTT Studio