Let’s Get Real: Transparency in the Cybersecurity Community
Over the past couple of years I have spoken with a lot of MSPs at various industry events about trust and transparency—or, frankly, the lack of it—within the cybersecurity community.
Lately I’ve been talking about transparency even more, especially surrounding the recent website launch of a cause that I’m super excited about: the Truth In Cyber movement.
Those who know me are well aware of my sense of urgency around this topic, as well as my frustration with some of the cybersecurity culprits that continue to rely on mystery and smokescreens as a means to sell more solutions.
So, based on the positive feedback I have received from colleagues who don’t mind getting real in order to solve problems, I’d like to unpack how “transparency” and cybersecurity can work better together in the future.
THE FEAR OF TRANSPARENCY
Unfortunately, transparency is much harder to find than it should be in the cybersecurity industry. In my opinion, fear is at the root of that problem.
There are a few reasons that it may be tempting for organizations to hide their cybersecurity incidents, whether internally or externally. For example, this article on Forbes.com explores why cyber incidents often go unreported, as well as some tips on what to do about it.
If we want transparency to flourish within the cybersecurity community, fear-based beliefs need to be replaced with solution-oriented thinking. Below are 3 examples:
With over 20 years of leadership in network infrastructure, security, program management, and M&A integration, I have come face-to-face with the lack of transparency in the cybersecurity industry.
Most of my career was spent helping Fortune 500 and large enterprises navigate various cybersecurity challenges and building effective policies and frameworks to solve them.
Then in 2018, after a friend’s experience with ransomware revealed how much I identify as a “corporate misfit on a mission,” I founded Ostra to make cybersecurity simple, effective, and accessible for businesses of all sizes. At the same time, Ostra strives to lead by example in promoting more transparency in the industry at large.
WHY TRANSPARENCY MATTERS
Trust is eroded when organizations try to hide things. This is especially true when it comes to cybersecurity capabilities, prevention efforts, or incident reporting. Saying everything is fine (when it’s not) will only delay the inevitable.
If an organization (or team member) is trying to cover up or minimize a data breach, for example, why should anyone believe what they say about other matters that impact their reputation—such as product quality, workplace culture, financial health, or delivery timelines?
Admittedly, folks in cybersecurity are notorious for making things sound more mysterious and complicated than they need to be.
Demanding that clients decipher our cyber jargon to understand where the gaps are in their systems and how their tools interact is not okay. It can be intimidating to ask questions in the presence of other tech egos—as I have personally experienced!
RECIPE FOR TRANSPARENCY IN CYBERSECURITY
A transparency revolution would benefit MSPs as well as end-user clients and the cybersecurity community at large. So, how can we ALL step up, keep learning, and do better?
Here are 4 key ingredients that result in the kind of transparency we need in this industry:
Honesty
- Avoid hiding behind jargon. Use plain, everyday language that all user levels can understand.
- Be transparent in sales and marketing practices. It’s not okay to sell cybersecurity solutions that promise the moon but don’t deliver. Clients shouldn’t have to find out the hard way that their newly deployed solution doesn’t work—or that it just creates more to-do lists for them.
- Stop chasing contracts and money. Instead, focus on solutions. What are clients already doing right, and how can you support them if they have cybersecurity gaps?
- Use non-predatory practices. Instead of using fear tactics, build trust.
- Create a safe space to report incidents. Implement reward-based (vs. shame-based) security awareness training and promote a growth mindset (vs. perfection).
- When we really care about our clients, we will prioritize building long-term relationships and earning their trust through problem-solving.
Self-Awareness
- Openly recognize that no organization or solution is perfect or ideal for everyone. Cybersecurity gaps leave clients compromised, and a single provider may not be able to do everything you need done.
- Stay committed to constantly growing, learning, and improving. It’s essential for security professionals and it’s good for our clients.
- Embrace your role as an advocate for your clients. Educate them on cybersecurity tools, resources, and execution best practices that can keep their data safe.
Accountability
- Take ownership and solve the problem. No more finger-pointing at other providers (or clients) when things go wrong.
- Culture matters. Curate a talented, dialed-in team that cares about clients.
- Collaborate with industry partners and peers. Consider donating your time, talents, and other resources to bettering the industry as you prioritize service vs. sales quotas.
Transparency
- Give and receive constructive feedback. None of us should be too strong (or fragile) to admit when a new approach might be in order.
- Build trust with outside vendors and even “competitors.” Hoarding information does not help us serve and protect our clients—work with multiple partners and use referrals as needed to find the best solution.
- Be clear about your solution’s strengths as well as its limitations. Since there is no “catch-all” solution for cybersecurity, be sure your clients know who is responsible for solving and remediating any cybersecurity issues that come up.
TAKE THE TRUTH IN CYBER PLEDGE
As I mentioned at the start of this article, my colleagues and I recently launched an independent movement called the “Truth In Cyber” Initiative. This movement is designed for IT leaders and vendors who are tired of the status quo and want to join us to help change the industry. Please consider visiting TruthInCyber.org to learn more, take action by signing the Pledge, and spread the word.
Bottom line? As a cybersecurity community, let’s work on becoming more transparent with each other and our clients. It won’t happen overnight; changing habits and building trust takes time. But in the interest of fighting cybercrime more effectively on every front, I hope you’ll join the Truth In Cyber movement.
Michael Kennedy is the founder of Ostra Cybersecurity, a multi-layered and fully managed Security-as-a-Service provider. Recognized as a cybersecurity industry trailblazer, he is a dynamic leader, speaker, and fierce advocate for data privacy.