WHAT DOES TRANSPARENCY IN CYBERSECURITY REALLY MEAN?

This article was originally published on Black Hat’s website; you can read it there via this link.

Last week, Dr. Erdal Ozkaya (Group CISO at MAVeCap) shared his perspective on cybersecurity in education right now – and particularly what’s missing. 

This week, we’re digging deeper into one aspect of Ozkaya’s work right now: striving to create ways for cybersecurity to be more transparent. 

But what does transparency in this sector really mean, and how could increased transparency improve both perceptions of cybersecurity across different industries and the strength of cybersecurity programs?

What is transparency in cybersecurity?

“In a nutshell,” Ozkaya said, “cybersecurity transparency is about being open and honest about cybersecurity risks, incidents, and the measures an organisation takes to protect itself. This includes:

  • Disclosing breaches: Promptly and transparently informing customers, stakeholders, and regulators when a security incident has occurred and the potential impact.
  • Sharing best practices: Proactively sharing information about cybersecurity strategies, tools, and lessons learned with the wider community to raise the collective security bar.
  • Vulnerability disclosure: Collaborating with security researchers and providing processes for responsibly reporting and mitigating software vulnerabilities.
  • Clear communication: Avoiding jargon and explaining cybersecurity concepts in ways that non-technical stakeholders can understand.” 

Crucially, transparency builds trust – even when you’re revealing information about negative events. Because the act of revealing that information “shows a commitment to accountability and builds trust with customers and the public.”

Proactively disclosing incident information also reduces misinformation, helping to minimise the spread of rumours and inaccurate details. And it enables rapid problem-solving and informed decision-making – “stakeholders can make better risk assessments when they have clear information about an organisation’s security posture,” Ozkaya pointed out.

So what stops organisations from being transparent about their security posture? 

There are numerous obstacles to transparency. One is the fear that “disclosing too much information will aid attackers,” putting the company at risk of exploitation. 

Disclosing worrying information about attacks has the potential to cause unnecessary panic among users or customers, too – damaging the organisation’s reputation and sales. And prematurely announcing breaches that haven’t yet been verified, or when full details of the breach haven’t been gathered, can cause more mistrust than not disclosing the breach at all. 

There are also complexities from a legal and regulatory standpoint: “There are evolving regulations around what and when security incidents need to be disclosed,” Ozkaya noted, and companies must do due diligence to ensure they’re complying with current rules before they announce a breach. 

Ultimately, it’s a balancing act. “It’s about finding the right level of transparency – enough to be informative and accountable, but not so much that it creates additional risks.” 

We’re moving in the right direction

More and more organisations are realising that a culture of transparency brings benefits for their work and reputation, and contributes to a more secure digital world. As we move forward, transparency is likely to become a differentiator in itself – with customers seeking businesses that have clear, accessible cybersecurity policies and disclosure protocols. 

“Overall, cybersecurity transparency is moving away from being seen as a weakness and more toward a sign of good security practices,” Ozkaya added. “It’s a complex area, but increasingly important in our digitally connected world.”

Thanks to Dr. Erdal Ozkaya. Do you want to learn more from the world’s leading cybersecurity experts? Join us in Riyadh for Black Hat MEA 2024. 

To see other articles in which I have been featured in the news, click here.

Black Hat MEA

Black Hat Middle East and Africa is a leading cybersecurity conference and exhibition that takes place in Riyadh, KSA, welcoming over 40,000 infosec professionals, 300+ exhibitors and 300+ world-renowned speakers from over 120 countries.

STAY ONE STEP AHEAD

The cybersecurity industry is ever-evolving, and you need to stay ahead. This means learning from global CISOs and infosec execs, exploring open-source hacking tools and taking home niche tactics from leading experts.

HOW BLACK HAT MEA CAN HELP YOU

Three days is all it takes at Black Hat MEA. Take home technical insights from over 300 leading experts, engage in live hacking stations in our activity zone and network with over 40,000 industry pioneers. It’s all there under one roof – what are you waiting for?

https://blackhatmea.com/overview

200+ global infosec influencers, including 50 Black Hat trainers and hundreds of ethical hackers, flew in from across the world to tell their stories and provide tuition on how to stay ahead of the criminal networks seeking to devastate critical infrastructure. You can learn from them next year at one of the world’s biggest cybersecurity conferences, Black Hat MEA.

About Black Hat

Founded in 1997, Black Hat is an internationally recognized cybersecurity event series providing the most technical and relevant information security research. Grown from a single annual conference to the most respected information security event series internationally, these multi-day events provide the security community with the latest cutting-edge research, developments, and trends.