The Dicey Question Of Transparency After A Cyberattack

Solar Winds is said to have gone public the day after it learned from cybersecurity company FireEye about the spectacular beach it had suffered. “I’ve never had a client,” said one 20-year veteran information security attorney, “in all the investigations I’ve done, either under attorney-client privilege with another law firm or myself as the attorney, say, ‘Let’s go public,’ when they don’t know the results of the investigation yet.” The company was widely praised for the move, but there is disagreement about what constitutes a best practice in this situation.

Earlier this year, a study conducted by the Ponemon Institute queried security officials in organizations worldwide, and found 64 percent of respondents said it was “highly important for their technology provider to be transparent about available security updates and mitigations, and 47% said their technology provider doesn’t provide this transparency,” as reported in an article in TechTarget.

Sharing is not an either-or proposition. A government website and a variety of industry/security company/government partnerships provide a way to share information short of a fully public release.