Has your organization ever found out about a technology vendor’s security incident from news reports rather than a transparent disclosure to customers from the vendor itself? If so, and that vendor has not profusely apologized for not disclosing that incident, then it may be time to cut bait with that particular provider.
That is especially true if that provider is part of an unstoppable trend of cloud, software-as-a-service or cybersecurity providers taking on the responsibility of handling and safeguarding its customer’s data. Without those internal controls over a cloud-based technology that is being handled in a vendor’s environment, trust is now more important than ever.
Offloading that responsibility to a technology and putting them in the position to make critical business decisions for your organization should require a high level of trust. IT buyers should ensure that not only are the right security practices in place at the prospective vendor, but that they also have the resources and the right philosophy when it comes to customer data, says Robb Reck, a security professional currently working to uphold standards of trust and transparency as the chief trust officer at managed detection and response provider Red Canary.
“All of those questions should work to determine if the technology vendor is a trustworthy partner or not,” Reck says.
Positions such as Reck’s are typically security or risk management initiatives from leadership that go beyond the scope of a typical security program and look critically at the company’s transparency with customers.
A chief trust officer defines how the software vendor talks to customers about security issues, including proactively bringing issues to customers, oftentimes before they even know about it.
Can you trust your technology vendor?
According to Reck, technology providers are trustworthy when they follow two simple rules: fulfilling their promises and being proactively transparent.
“You probably learn this at age 2—the idea of doing what you said you were going to do and saying what you’re going to do. Telling a customer what is coming and delivering that thing over and over again is a way to earn an awful lot of trust,” Reck says. “When you become predictable, you become trustworthy.”
Equally as important when selecting a technology vendor is their track record when it comes to transparency, and not just being honest when asked about security incidents. For example, a vendor should tell its customers about a security incident that went unnoticed, even if it could have gotten away without any negative press.
Reck used the analogy of borrowing a friend’s car, getting in a minor fender-bender, and not telling the owner.
“Am I willing to be the person who proactively tells the truth and apologizes and explains how they’re going to make it better? In the future, you know I’m not going to lie to you.”
Another key pillar of trust is around aligned incentives of the software vendor and customer that prioritize positive outcomes rather than just business transactions.
“If they’re making money on me all the way until I go bankrupt, I don’t feel like that’s a very good partnership,” Reck says. “Finding ways that you can align incentives between the provider and customer is a big part of it.”
Cloud, SaaS providers and trust
While cybersecurity providers may top the list of tech companies that should be trustworthy, organizations consuming any software-as-a-service (SaaS) and other cloud-based deployments of their enterprise technologies should demand a higher level of transparency and trust.
With data storage and management shifting from on-premises and an organization’s own data center to the cloud, organizations are essentially trusting the control of their data, infrastructure and services to an outsider. Before, the enterprises themselves were their own backstop and were able to make changes, and evaluate how the software was running.
Customers of security providers like Red Canary—that monitor telemetry and essentially decide what behavior to ignore and what behavior warrants an alert and investigation—have to trust that the software is both made well by the vendor and that is running well, and that any human interaction is not costing them downtime.
With that in mind, a wide range of cloud-based technologies should be looked at from this angle, including customer relationship management tools and enterprise resource planning (ERP) software.
According to Reck, these are several warning signs that indicate a software vendor is not transparent or trustworthy.
Downplaying the incident in first communications about an incident
Those first few messages about a security incident need to clearly outline what is known and what is not known. Too often software vendors will say only a certain portion of customers are affected, only to later revise that to a larger number and undermine the trust their customers place in them.
No transparency about any security incidents
Every company has security incidents, so a lack of disclosures should be alarming—regardless of how insignificant the incident is. Reck provided one example from his experience at Red Canary in which a customer stopped sending the firm its telemetry to be monitored for threats for about 12 hours. Once the company noticed the issue and fixed it, it combed through the data to make sure nothing malicious was missed. After that, the company had a brief internal conversation about informing the customer, and it quickly decided that the customer should know, even though nothing bad happened during those 12 hours.
“I see each of those opportunities as a way to not only build trust with our customers … but also to build that internal understanding of what it means to be a trustworthy company,” Reck says.
No status page
Public-facing resources or information detailing the status of services are the low-hanging fruit of any technology vendor’s transparency.
This level of transparency is now being required by certain agencies in the U.S. government, including the SEC, which has proposed new rules that would require publicly traded organizations—which include many leading software providers—to report about material cybersecurity incidents and provide updates about previously reported incidents.
In addition, organizations would be required to detail their security policies and procedures to identify and manage cybersecurity risks, per the proposals.
As a result of President Joe Biden’s Executive Order on cybersecurity, software providers will be required to be more proactively transparent about the security of their products and their own environment, including a software bill of materials that details the different components in a piece of software.
In a recent blog, Brookings Institution notes that the recent RSA Conference highlighted offerings to secure the supply chain and increase vendor transparency, with many referencing the Executive Order. The Institute calls Biden’s decree a “set of goals” designed to create a transparent marketplace for technology and security tools.
“The creation of a transparent market for software and provision of information for operators and purchasers leverages the greatest competitive advantage of the United States: the rule of law required to support a trustworthy marketplace,” the research group wrote.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!