Why Improved Breach Transparency is Crucial

Cybersecurity experts are urging a fundamental change in how organizations manage data breaches and security incidents. They believe that enhanced transparency and specific disclosures regarding the causes and nature of these events are essential for effectively reducing cyber risks.

During the upcoming RSAC Conference, threat research specialists Adam Shostack and Adrian Sanabria will advocate for increased incident transparency and the establishment of structured feedback mechanisms in cybersecurity. Their session, titled "A Failure Is a Terrible Thing to Waste: The Case for Breach Transparency," is scheduled for Monday, March 23.

Shostack, the founder of Shostack and Associates, and Sanabria, the principal researcher at The Defender's Initiative, argue that the cybersecurity sector lacks formal processes for providing constructive feedback following significant data breaches or security incidents. They point out that such feedback is crucial for industries focused on safety, like aviation and healthcare.

In an interview, the researchers highlighted how incidents like plane crashes or medical errors receive intense scrutiny, which typically leads to new measures aimed at preventing similar occurrences. However, they note that the cybersecurity industry frequently views breach investigations as legal liabilities, rather than opportunities to learn and share valuable lessons.

Security Culture Change Needed

This prevailing culture inhibits organizations and professionals from extracting critical insights from security breaches that could help prevent future incidents, Shostack asserts. He emphasizes that the guiding principle should be, "If you've made a mistake, admit it and explain what happened."

Despite this, organizations often face accusations of negligence after a security incident. Sanabria explains that many successful attacks result from a series of small failures, such as unpatched software, misconfigured tools, and inadequate monitoring, rather than outright incompetence. "It's rarely one thing," he notes. "There are dozens of controls that should have stopped the attacker and didn't."

If organizations were to share the minor details of incidents instead of concealing them out of fear of shame, it could benefit the entire industry and help prevent future breaches, Sanabria argues.

Leading with Legal Liabilities

In the United States, laws and policies governing data breaches vary significantly among states and organizations. For instance, publicly traded companies must disclose major security incidents in SEC filings, but only if these incidents materially impact the company.

Shostack identifies two main reasons why the cybersecurity industry often fails to conduct thorough post-incident reviews. First, there are potential legal consequences for organizations that might be deemed at fault for the incidents. Second, there exists a cultural divide between engineers and lawyers within organizations. Lawyers are ethically bound to protect their clients' interests, while engineers must prioritize public safety.

When a cybersecurity incident occurs, legal counsel often advises CEOs against discussing it, fearing potential lawsuits. This approach contrasts starkly with how engineers typically operate. Shostack compares this to the response to traditional engineering failures, like bridge collapses or airplane accidents, where transparency and learning from mistakes are standard practices.

Without formal governance regarding the handling of security incidents, this cultural disparity continues to obscure many details surrounding breaches. Additionally, the absence of federal regulatory support for breach transparency exacerbates the issue. A previous initiative, the Cyber Safety Review Board, aimed to investigate major cyber incidents and provide real-time feedback, but it has not been functional since its members were dismissed shortly after the current administration took office.

The Data Is Out There

Despite the lack of formal oversight, there is an abundance of publicly available data on major security breaches for those willing to look. Sanabria has been reviewing public breach documents, such as congressional reports and regulatory filings, and asserts that there is a wealth of valuable information waiting to be discovered.

However, analyzing this data can be challenging, as breach narratives are often oversimplified or overlooked. For example, while the 2017 Equifax breach was initially attributed to an unpatched vulnerability, later investigations revealed deeper systemic failures, including communication breakdowns and inadequate testing.

Sanabria points out that while the initial headlines capture attention, the more profound lessons often emerge later, when the incident is no longer in the public eye. He emphasizes that comprehensive analysis of breaches is rarely conducted, and many lessons remain unlearned.

Some organizations have taken it upon themselves to publish detailed accounts of breaches to benefit the public. For instance, after a ransomware attack in 2023, The British Library released a comprehensive after-action report acknowledging mistakes and outlining lessons learned. In Canada, privacy commissioners published findings on a breach affecting educational institutions, highlighting systemic failures.

In the U.S., the Federal Trade Commission has also published detailed complaints related to breaches. However, these resources often lack the depth needed to provide actionable insights for cybersecurity professionals.

The Way Forward

To improve breach prevention, the cybersecurity industry needs better data and evidence. Without this, organizations risk investing in what Sanabria refers to as "busywork generators," which may not significantly mitigate real-world risks.

"Every other industry that cares about safety builds feedback loops to improve," he asserts. "Reducing risk is more of a gamble without data." The researchers caution that without formalized transparency and governance, the industry will struggle to assess whether organizations are genuinely improving their responses to security incidents.

To foster breach transparency and encourage improvements in cybersecurity, Shostack and Sanabria propose creating structured mechanisms for reporting breaches, including anonymized reporting and regulatory safe harbors for honest disclosures. Their aim is not to shame organizations, but to promote collective learning.

"Modern engineering is built on studying failure," Shostack concludes. "We don’t have enough of that in cybersecurity."
