
Trust issues: The two sides of Say:Do

Why maintaining a 1:1 Say:Do ratio is key to building and maintaining trust with customers

Robb Reck

This is part three of our introduction to Red Canary’s Trust program. In part one we introduced the idea of Trust, why Red Canary takes it so seriously, and the concepts of Proactive Transparency and Say:Do. We followed that up by diving into Proactive Transparency in detail. Now we get to follow up by talking about Say:Do and why maintaining a 1:1 ratio is essential to building and maintaining trust.

The Say:Do ratio

The first side of Say:Do is incredibly simple, and maybe obvious: Do what you said you were going to do. This is something you probably learned as a small child. When you say you’re going to do something, you do it. Living up to the expectations we set with our stakeholders is essential to deserving their trust.

That said, we are imperfect people, living in an imperfect world. Of course there will be times when we can’t complete what we committed to. In those cases, it’s essential that we reach out to our stakeholders and let them know that we are going to miss a commitment, why we’re missing it, and what we’re going to do to keep things on track.

In this way we’re building the trust that when we say we will do something we either get it done, or there’s a darn good reason, and we’ll let you know why, well in advance of missing our commitments. This is how you avoid breaking trust.

The second side of Say:Do is less obvious, but it is just as important. In order to keep that ratio at 1:1 we need to ensure that for everything we do, we let our stakeholders know what’s coming. We avoid surprises, even happy ones. Happy surprises are great for birthday parties, Hail Mary touchdown passes, and lottery tickets, but they surely do not build trust. Communicating what is coming gives us more opportunities to build that association. The bigger the sample size, the stronger the impact of a 1:1 Say:Do.

Additionally, happy surprises do not give our stakeholders the opportunity to build their own plans around what we are going to do. It might be lovely to have your SaaS vendor come out with a new feature that you’ve wanted for years, but if it takes a quarter for you to change your internal processes to take advantage of it, it would have been a whole lot more useful to know it was coming months in advance.

Putting it all together

A well executed implementation of Say:Do makes a relationship forecastable, and consistent. When you add that to a proactively transparent approach to communication you’ve got a relationship that gives you:

  • a well understood description of what to expect today
  • confidence that if something breaks, or stops working the way you expect, your partner will proactively reach out and let you know
  • a clear roadmap showing what’s going to change in the near future
  • a track record that shows that the partner will deliver on that roadmap
  • enough notice to take advantage of changes as they come
  • the relationship capital to deal with bumps in the road as you find them

What this looks like in a growing company

There are plenty of opportunities for companies to embrace and exhibit a 1:1 Say:Do ratio. A few examples of areas where we can see companies succeed or fail include:

Maintenance windows

This is a simple and powerful way for a company to set an expectation and achieve it. Maintenance windows are a commitment that the provider will do their best to make all disruptive changes in a particular time frame, so that customers can plan around it. On the one hand, companies can fail here by continually needing to do “emergency” fixes outside the maintenance window. This reveals to their customers that they either don’t take their commitment around the window seriously, or that they have quality issues causing a constant stream of out-of-process changes.

The other end of the spectrum is companies who have a large maintenance window that they don’t use. This inconveniences customers by setting aside time when they plan to be disrupted, but end up unaffected. While it sounds good initially, it reveals that the provider doesn’t understand their own needs and should re-evaluate what a healthy maintenance window looks like, so their Say:Do is aligned.

Hiding the details

Some leaders obscure the details of what their teams do, for a number of reasons. Sometimes it’s to allow flexibility (if I don’t commit to specific things, I can pivot as I deem appropriate), due to lack of planning, or to avoid accountability. But in the end, it means that stakeholders don’t know what to expect from that leader.

Security teams are often guilty of this, as we have so many moving parts, and we’re always evolving. Who knows what attack is going to hit us next week? It requires additional work up front, and sometimes will result in difficult prioritization conversations, but starting those prioritization conversations is how business leaders lead. A theme I’ve heard throughout hundreds of conversations over the years is that CISOs want to have a seat at the table with other business leaders. That’s part of what this means: opening up our security program for their inspection.

Product roadmaps

One of the key ways vendors can build trust with their customers is by presenting a 1:1 Say:Do on their product roadmaps. A healthy discipline includes showing the major milestones over the next ~12 months, so customers can start to prepare for those new capabilities. Companies can fail here in two ways:

  • Overcommitting: Including too much detail on the roadmap means that any disruption or re-prioritization to product delivery causes the roadmap to fail. This type of failure causes customers to doubt your word in the future, and consider your company to be unreliable. This reality leads many companies to err toward…
  • Undercommitting: Your company can do tons of great work on new capabilities and announce those new capabilities into the market when they are released. The problem here is that for the months/quarters/years before it’s released, customers cannot build their own plan to leverage those new capabilities. It delays when customers realize that value, and the company misses the chance to build trust.

How Red Canary embraces the Say:Do ratio

Achieving a 1:1 Say:Do ratio takes more than integrity and transparency; it also takes process maturity that allows us to know what’s coming in the next few quarters, so we can communicate about it now. At Red Canary we are on our own maturity trajectory, and we’re incorporating Say:Do as a part of it. Several examples:

Organizational objectives

We identify and commit to organization-wide objectives and key results (OKR) that drive behavior throughout our company. These are created jointly by the executive team members and filtered down into each department to ensure everyone is pushing in the same direction. We have weekly executive team meetings to review how we’re doing at achieving these, and monthly we present those to the entire company.

Our roadmap

As a company full of security people, we have run into too many vendors who make promises they don’t keep and sell “vaporware.” In response, we have generally shied away from detailed roadmaps. As our company and product have grown though, we’ve recognized the need to provide our customers with more notice about what’s coming and when. We are now forecasting the major enhancements that will be coming to the Red Canary product over the next year, and creating opportunities for us to share this with customers.

Initiative tracking

The teams that report to me use a commitment and tracking system that allows us to go back at the end of the quarter and measure our Say:Do ratio. It gives us a simple number that reflects how we’re doing at doing what we said, and saying what we do.

This type of system comes with its challenges. It requires flexibility on the part of the leaders to realize that priorities will change, and commitments need to be flexible as a result, as long as issues are flagged early. It can also be gamed by those who would sandbag by committing to the smallest number of things possible. As a result, the objective setting process needs to be collaborative, and the check-ins along the way need to be transparent and regular.

In closing

Trust is a big, amorphous thing. We create various axes upon which we trust a person or entity. It’s almost impossible to answer a simple question like, “Do you trust Steve?” Well, I trust that Steve will not steal my money, but I don’t trust him to be on time for dinner. The combination of Proactive Transparency and Say:Do gives us a framework to say what it means to trust. We will be clear about what we do for you today, and what we will do for you in the future. We will let you know as soon as something goes off the rails.

Look for more trust blogs coming in the future, as we dive more into aligning incentives and how trust can align or conflict with other functions across the company, like legal and marketing.

