Being secretive about your organization’s security isn’t smart and can actually set you up for some scary scenarios. A long time ago, in a very different online security universe, with a very different set of criminals and threats, security by obscurity was the norm. The less you said about your security posture the better.
In today’s dystopian security environment, this approach is no longer valid, if it even was 15 years ago. Criminals probably already know more about your environment than you do. They can see employees on LinkedIn, extract data from commercial credit reports on them, and more than likely there is already an intruder in your organization doing reconnaissance. So, obscuring your organization’s posture does not enhance security. A second point is that the invaders aren’t at the gate; they’re in the castle. Now that cyber criminals are winning the war, it’s time to shake up the “don’t say anything about security” mantra.
From a communications and marketing perspective, there seem to be understandable reasons not to talk much about security. There is a fear of “gotcha journalism”: if you talk publicly about an initiative that isn’t perfect and doesn’t stop every attack by every man, woman or child, and something really bad happens, you get hoisted on your own petard.
Another tactic I see in today’s environment is when companies use secrecy or unwillingness to talk about their security measures to cover up the fact that they’re actually not doing much to address the issue and protect their brand, revenue, and, most importantly, their customers. This is not a winning approach. I’ve said it many times and I’m not alone in this, but it’s not a question of “if” you will be breached, it’s only a matter of “when.”
Yet even when a company does publicly telegraph a successful security initiative it has put in place, others come along and say, “why, yes, we’re doing that too, and more.” Then the microphones swing your way and you are asked why you aren’t putting a cherry on top like these other guys. We end up, in this case, with an environment where you are evaluated not on your security contributions but on whether your security measures look exactly like your competitors’.
So, what to do? First, assess your risks from the perspective of a malicious actor. What you may find is that the things you conclude are valuable, at risk, and worth protecting may not at all be what your cybercriminal opponents are thinking. For example, I suspect Sony was more concerned about DRM for their movies and other content than they were about the disruption of their entire business from malicious attack.
Second, with this assessment in hand, it’s imperative to have a business conversation with the C-level executives in your organization and with your customers about the right investments to make in risk management to enhance their security and safety. We all know you can’t protect everything perfectly all the time, but it’s far better to agree on the right investments and risks than to spin around in circles, trying in vain to create perfect protection against every individual attack.
Finally, once these priorities are in place, it is mandatory to drive all of this through the business. It can’t just be the security team that secures the data and email channel, because if the business doesn’t know why the measures put in place are important, it’s going to be twice as difficult. In addition, when you are talking to your customers about your security posture and programs, make sure what you’re telling them is actually true. If you’re a hotel chain and claim that you encrypt your guests’ credit card payment data and then don’t, that’s obviously a problem. The same thing goes for a social media site that charges a premium to delete your data and profile: it should actually do that. Too many companies today underestimate the importance of security to their clients. All of the marketing efforts, customer relationships, fantastic new products, everything can be eroded in a flash with a cyber attack and usually companies don’t know until it is too late.
Given the likelihood that most every company today — regardless of size — will suffer a data breach, being secretive about what organizations do (or don’t) to enhance their digital security measures is simply no longer a tenable option. If it ever was.