The threat landscape is constantly evolving, and organizations of all sizes are essentially under siege. Effective cybersecurity is essential but evaluating and selecting cybersecurity solutions is challenging for companies—especially when it comes to trying to understand claims made by vendors and ensure that different products are being measured or compared on an even playing field. That is why transparency is crucial.
Value of Transparency
A company cannot effectively compare products without being able to qualify or quantify the claims that are made by the vendor. One vendor may claim to stop 99 percent of all malware, and another may claim to block all malicious threats, but without revealing how those claims have been validated, or in what context they may be true, they are essentially meaningless.
Vendors generally conduct tests and evaluate products for performance—either standalone or as compared against similar computing products. Whether intentional or not, however, those tests and evaluations tend to be biased in favor of the vendor. The vendor thinks in terms of how their own product works and will design tests accordingly, and they have a vested interest in ensuring their product beats the competition in the tests it designs.
This bias is understandable—and to some extent possibly even unavoidable. The problem is not the tests or evaluations themselves, but the lack of transparency. In order for companies to accept the claims or be able to use the information to compare the vendor’s product against other similar products, they have to know the details behind how the tests are conducted. A product may perform exceptionally under certain conditions, and poorly under other conditions.
Transparency Behind Closed Doors
Complete transparency and openness have benefits but can also have negative consequences for some industries or in some situations. Many organizations are reluctant to share information about their cybersecurity posture or the threats they encounter because they fear that revealing any details of their security infrastructure opens them up to greater risk—and that may, in fact, be true. They can still be transparent with one another, though.
One example of this is the medical industry. It’s an unfortunate reality that people die in hospitals—and a somewhat disturbing fact that some of those deaths are avoidable or may be the direct result of human error by the medical staff. Revealing this information publicly would both undermine confidence in the healthcare system and expose the hospital to lawsuits that could cripple or shut down the hospital entirely. Medical professionals need to be able to share information and learn from one another’s mistakes, though, so they conduct internal mortality boards or mortality reviews to transparently and openly share critical details.
A similar situation exists when it comes to cybersecurity. Some industries—specifically the banking and finance sector—are prime targets for malware and cyber attacks. They don’t want to share details of their cybersecurity infrastructure or reveal what they know about ongoing attacks publicly, but by working together they can defend against them more effectively. For example, the Financial Services Information Sharing and Analysis Center (FS-ISAC) shares notification and authoritative security information specifically across its member communities to help protect critical systems and assets from cyber threats.
The cyber attack is like a jigsaw puzzle, and the intelligence gathered, and indicators of compromise identified are like individual pieces of the puzzle. The problem is that none of the companies being targeted know what the whole picture is supposed to look like, and the pieces of the puzzle they’ve collected don’t make sense on their own. By being transparent with one another and sharing information, though, the industry as a whole can cooperate to determine crucial details of the cyber attack and prepare to defend against it more effectively.
Better Cybersecurity with Transparency
Whether it’s transparency related to how products are tested or measured to enable customers to accurately compare and evaluate products against one another, or transparency between companies to share threat intelligence about emerging threats, transparency is good for cybersecurity.
As more companies embrace the value of transparency, it will help make cybersecurity technologies more accessible and reliable. Transparency enables organizations to implement and maintain complex security solutions with confidence, and results in more effective cybersecurity for everyone.