Your logo and branded vulnerability aren't helping: How to disclose better
In 2000, I leapt out of journalism and into security communications. I was relocating to the San Francisco Bay Area and, despite the downturn, tech was king. I also wanted to lend my unique albeit non-technical skill set to a technology that protected people or, at the very least, attempted to reduce harm caused by malicious behavior.
Instead, in the close to 20 years since, I've seen marketers fail on many high-profile occasions to properly extol the merits of a capable research team, and choose to sensationalize risk and, as a result, fail to reduce harm. Too many compromises have been made in disclosing bugs with grandiose antics that show how smart a research team may be, but also diminish an organization's credibility and leave users and systems more susceptible to attack.
During a keynote last month at Hack in the Box (HITB) Amsterdam, I dug into the role of the marketer, or non-technical business leader, in reducing harm. It's a topic I've long been passionate about, and have discussed at length in blogs, rants, and talks, but this time was different -- I had a chance to deliver this talk to a technical and research audience.