Yesterday I came across Rafal Los’ very good blog ‘Living in Glass Houses – #InfoSec Industry’s Culture of Shaming’. The blog follows a particular piece of coverage on the Adobe hack that victimised Brad Arkin, CISO of Adobe. I didn’t have a chance to read the piece before it was amended – but from what I understand, and from tweets I have seen in reaction to it, it was pretty aggressive.
As a PR person, it’s an interesting balance – we want our clients to be commenting on every infosec news story around, sharing their knowledge, opinion and advice. But is every hack an opportunity? Hack is a sexy word – but not every hack is newsworthy. It’s also sometimes easy to forget that at the end of it all, people’s jobs depend on the outcome and solution to these hacks, and a media storm is the last thing you need to add to the problem. PR and journalists alike should be able to relate – if we make a mistake that we have put out in the public eye, it can be pretty embarrassing. As long as we’re a part of the infosec community, the idea really is to be a help rather than a hindrance, for both the interested reader and the infosec pros.
Within the community, responsible disclosure is a widely adopted practice. Sure, it has been and continues to be debated, but ultimately it is for the good of the industry and maybe that is something to channel through to the media side of things too. As breaches become more common and more difficult, instead of the tried and tested theory of ‘the more controversial the better’, coupled with the incredibly fast pace of online journalism, maybe it’s time to just take a minute to check that we, too, are sharing useful information rather than just jumping on the bandwagon. If there’s one thing that all these breaches are teaching us, it is this – security is hard to talk about and even harder to implement. Hopefully both sides can work closer together to find the right balance in the media.