
Why transparency is the foundation for trust in cybersecurity

7 minutes read
written by: Andre Bastert

Somebody wise once said, “the more people you invite into your home, the tidier it becomes”. The same principle of openness can be applied as easily to the world of business. The more transparent an organization is, in processes and culture, the more disciplined it is likely to be in its operations. Transparency is the foundation for building trust between vendors, customers and partners, and this is even more the case in relation to cybersecurity. Here we explore the fundamental factors that deliver that transparency and, with it, trust.

The imperative for a transparent approach to cybersecurity

The risks and potential consequences of cyberattacks and data breaches are rightly high on the agenda of every organization. Businesses and public institutions across all sectors are no longer willing to take at face value claims from vendors about the security of their products and solutions. Indeed, in many countries and regions, legislation demands that they must have greater insight into the security of products and services used within their organization.

The idea that concealing the details and workings of a system is the best way to enhance its security, often referred to as “security through obscurity”, has largely been discredited. The US National Institute of Standards and Technology (NIST) itself states that “system security should not depend on the secrecy of the implementation or its components”.

Insights into a technology vendor’s security practices are a central aspect of conducting vendor risk assessments. These examine the potential impact that a vendor’s products can have on the customer’s network and connected systems and determine if the vendor has the appropriate measures in place to mitigate risks. 

Customers are, therefore, demanding full visibility into every aspect of a vendor’s approach to supporting optimal product security and sustaining it throughout the product lifecycle. This demand for transparency should be embraced, as it’s foundational to determining whether a vendor’s products can support a customer’s own security posture, and to building trust between vendors, partners, and customers. 

The multiple benefits of transparency 

When a technology manufacturer is transparent about its security practices, it fundamentally demonstrates a commitment to ensuring product security. This includes providing the security features and settings that enable customers to use products in the most secure manner possible to protect their own systems and data.  

Transparency also allows for more effective collaboration and information sharing with customers and partners, enabling them to quickly address any newly discovered software vulnerabilities. 

Furthermore, transparency helps manufacturers and customers alike to learn from past security incidents and improve their overall security postures. Informed decisions can help prevent future incidents and ensure the continued protection of customer data and information.

Going beyond the requirements of cybersecurity certifications

In this context, industry standards and certifications can provide a useful assurance of a company's commitment to baseline cybersecurity. Clearly where those certifications are required by law, vendors need to show their adherence to them. They are also valuable when establishing a baseline that may be contractually binding when companies engage in business with each other to provide services to their customers. Customers may also use evidence of certifications during the procurement process to ensure manufacturers cover minimum requirements. 

However, using certifications as a ‘silver bullet’ to demonstrate a comprehensive approach to cybersecurity should be avoided. A certification testifies only that a company met a minimum security baseline at a specific point in time, whether it concerns corporate information security (ISO 27001, various cybersecurity export regulations, etc.) or product-focused security certifications (FIPS 140, ETSI EN 303 645, and various other country-specific standards).

In addition, standards and certifications are by nature often written broadly to cover a particular industry and its typical use cases, and are therefore not always relevant to specialist use cases. For example, IEC 62443 focuses specifically on industrial automation and control systems, which is less relevant to physical security.

From a commercial perspective, certifications and adherence to standards can run the risk of being used as a checkbox feature and a strategy to gain competitive advantage during the procurement processes - the intention being to collect as many certifications as possible to strengthen the appearance of having a ‘good’ cybersecurity position. This is particularly the case if the standard and technical requirements are ‘locked’ behind purchase and not publicly available free-of-charge. 

Finally, advancements in technology, processes, and products often move much more quickly than the standardization process, which means that manufacturers that rely only on certification will fall behind innovations in technology. For instance, having IEEE 802.1AE MACsec network encryption in products significantly hardens network communication, but the technology or best practice of using MACsec for securing networks is not specified in current standards.

In short, while certifications and standards have some value, they should be regarded as a baseline and not a target, and as complementary to a vendor’s broader cybersecurity-related activities. 

Looking for evidence of transparency

When considering vendors, there are some clear proof points that demonstrate a commitment to transparency in product and software development and throughout the entire product lifecycle in relation to cybersecurity. These include:

  • Providing customers with insights into the security activities and measures undertaken throughout a product lifecycle, from development, production, and distribution phases, to implementation, in service, and decommissioning. These insights should also include how the vendor’s entire supply chain itself is secured.   
  • Publishing security policies and practices for both product development, and the vendor’s approach to internal company security. Having a clear, publicly available set of policies and procedures for protecting user data and information demonstrates the company's commitment to security and accountability.  
  • Regularly undertaking independent security assessments and audits to help identify and address potential security weaknesses and provide customers with assurance that the company is taking security seriously. These can relate to assessments at an organizational level, such as ISO/IEC 27001 standard assessments, or at a specific product level, such as third-party penetration testing.
  • Delivering products that make it technically straightforward for third-party individuals, organizations, and authorities to evaluate the products’ security posture. This includes not encrypting the device software or engaging in other practices that rely on “security through obscurity”. The provision of a software bill of materials (SBOM), which lists the ‘ingredients’ that make up every piece of software, is also essential. The SBOM details all the open source and third-party components present in a piece of software, the licenses that govern those components, the versions of the components used in the software, and the status of any patches required to maintain security.
  • Transparency in reporting security incidents when these do occur, both in regard to the vendor’s organization, as well as its products. Vendors should have a clear vulnerability management policy in place. This will ensure communications about the nature of the incident, how it was initially discovered, the steps taken to address the vulnerability (including the actions required by customers), and the actions taken to prevent future incidents.
  • Providing customers and partners with regular updates on the company's security posture. Information on any changes to security policies or practices not only helps them stay informed, but more importantly, enables them to quickly take action to secure their own products, services, and processes. In addition, allowing customers and partners to subscribe to a security notification service gives them the opportunity to respond to security issues in a timely manner.
  • Actively encouraging customers and researchers to report potential security vulnerabilities they discover will help the company identify and address potential issues before they can be exploited. Being part of the CVE program to disclose CVE IDs and also establishing a bug bounty program demonstrates the cybersecurity maturity and transparency of the vendor and confidence in its secure development processes. 
  • Supporting customers in a proactive product lifecycle management process, allowing them to plan for product decommissioning and replacement. Central to this is detailing the end-of-support date for device software as early as possible, ideally immediately after product launch.  
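To make the SBOM point concrete, the following added example (not code from the article or from Axis) reads a constructed CycloneDX-style SBOM fragment and reports, per component, its version, declared licenses, and whether a security fix from a constructed advisory table is still outstanding. Component names, versions, and the advisory identifiers are all made up for illustration.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (not a real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "licenses": [{"license": {"id": "Zlib"}}]},
    {"type": "library", "name": "curl", "version": "8.4.0",
     "licenses": [{"license": {"id": "curl"}}]},
    {"type": "library", "name": "busybox", "version": "1.35.0"}
  ]
}
"""

# Constructed advisory table: component -> [(advisory id, first fixed version)].
ADVISORIES = {
    "zlib": [("ADV-0001 (constructed)", "1.2.12")],
    "busybox": [("ADV-0002 (constructed)", "1.36.0")],
}


def parse_version(v):
    """Turn a dotted version into a comparable tuple; non-numeric tails are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def licenses_of(component):
    """Collect declared license ids/names; flag components with no license data."""
    found = [lic["license"].get("id") or lic["license"].get("name", "?")
             for lic in component.get("licenses", [])]
    return found or ["UNDECLARED"]


def patch_status(sbom_text, advisories):
    """Return one row per component with its outstanding (unpatched) advisories."""
    sbom = json.loads(sbom_text)
    rows = []
    for c in sbom.get("components", []):
        name, version = c["name"], c["version"]
        missing = [adv for adv, fixed in advisories.get(name, [])
                   if parse_version(version) < parse_version(fixed)]
        rows.append({"name": name, "version": version,
                     "licenses": licenses_of(c), "missing_fixes": missing})
    return rows


if __name__ == "__main__":
    for r in patch_status(SBOM_JSON, ADVISORIES):
        state = "OK" if not r["missing_fixes"] else "NEEDS PATCH: " + ", ".join(r["missing_fixes"])
        print(f'{r["name"]} {r["version"]} [{"/".join(r["licenses"])}] {state}')
```

The same check can be run against a vendor's published SBOM and a real advisory feed to verify the "patch status" the bullet above describes.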

Every vendor should be committed to doing all it can to deliver products that support a customer’s cybersecurity requirements. Certifications and standards only go so far. Transparency is essential. Published practices and policies, regular independent security assessments and audits, and open disclosures regarding security incidents are more reliable ways to build trust in a vendor’s commitment to protecting data and providing products with strong cybersecurity.

More information about our approach to cybersecurity can be found here.

Andre Bastert

Andre Bastert is a Global Product Manager at Axis Communications. He is responsible for the AXIS OS software platform empowering Axis network devices. Andre focuses on everything about cybersecurity, the IT-infrastructure/security integration and the software lifecycle management aspect of our products. Andre started his career at Axis in 2014 in technical services. Before taking on his current position he worked as a product specialist for PTZ cameras and AXIS OS. When not working, Andre spends time with his family and enjoys renovating the in a true Do-it-yourself-spirit.
