Last week, Dr. Erdal Ozkaya (Group CISO at MAVeCap) shared his perspective on cybersecurity in education right now – and particularly what’s missing.
This week, we’re digging deeper into one aspect of Ozkaya’s work right now: striving to create ways for cybersecurity to be more transparent.
But what does transparency in this sector really mean; and how could increased transparency improve both perceptions of cybersecurity across different industries, and the strength of cybersecurity programs?
What is transparency in cybersecurity?
“In a nutshell,” Ozkaya said, “cybersecurity transparency is about being open and honest about cybersecurity risks, incidents, and the measures an organisation takes to protect itself. This includes:
Disclosing breaches: Promptly and transparently informing customers, stakeholders, and regulators when a security incident has occurred and the potential impact.
Sharing best practices: Proactively sharing information about cybersecurity strategies, tools, and lessons learned with the wider community to raise the collective security bar.
Vulnerability disclosure: Collaborating with security researchers and providing processes for responsibly reporting and mitigating software vulnerabilities.
Clear communication: Avoiding jargon and explaining cybersecurity concepts in ways that non-technical stakeholders can understand.”
Crucially, transparency builds trust – even when you’re revealing information about negative events. Because the act of revealing that information ”shows a commitment to accountability and builds trust with customers and the public.”
Proactively disclosing incident information also reduces misinformation, helping to minimise the spread of rumours and inaccurate details. And it enables rapid problem-solving and informed decision-making – “stakeholders can make better risk assessments when they have clear information about an organisation’s security posture,” Ozkaya pointed out.
So what stops organisations from being transparent about their security posture?
There are numerous obstacles to transparency. One is the fear that “disclosing too much information will aid attackers,” putting the company at risk of exploitation.
Disclosing worrying information about attacks has the potential to cause unnecessary panic among users or customers, too – damaging the organisation’s reputation and sales. And prematurely announcing breaches that haven’t yet been verified, or when full details of the breach haven’t been gathered, can cause more mistrust than not disclosing the breach at all.
There are also complexities from a legal and regulatory standpoint: “There are evolving regulations around what and when security incidents need to be disclosed,” Ozkaya noted, and companies must do due diligence to ensure they’re complying with current rules before they announce a breach.
Ultimately, it’s a balancing act. “It’s about finding the right level of transparency – enough to be informative and accountable, but not so much that it creates additional risks.”
We’re moving in the right direction
More and more organisations are realising that a culture of transparency brings benefits for their work and reputation, and contributes to a more secure digital world. As we move forward, transparency is likely to become a differentiator in itself – with customers seeking businesses that have clear, accessible cybersecurity policies and disclosure protocols.
“Overall, cybersecurity transparency is moving away from being seen as a weakness and more toward a sign of good security practices,” Ozkaya added. “It’s a complex area, but increasingly important in our digitally connected world.”
P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!