
Trust Issues: Proactive transparency drives good business

Why you should tell your mom when you’ve scratched her car

Robb Reck

In October, I introduced myself as Red Canary’s first Chief Trust Officer and gave you the outline of what being trustworthy means to Red Canary. Throughout this series we’ll explore the key principles in more detail and discuss how concepts of trust intersect with other business realities. I thought it was right to start off this second post focusing on what I consider to be the essence of trust: proactive transparency.

Let’s define it

Proactive captures the concept that this is not a passive thing. When we are proactively transparent, we are not waiting for our customers to reach out and ask how things are going. Instead, we are providing them the information that matters as close to real-time as possible, and we’re making a point to be loud about the especially interesting things.

I find it easiest to see the power of proactive transparency (versus simple transparency) in analogy. Everyone loves a good tortured analogy, right?


Imagine you give your 16-year-old son the keys to the car for the evening. Later, he comes home, goes to bed, and all is well. However, the next morning when you go to get in the car, you notice a scratch you’d never seen before. When you ask your son what happened, he admits he did it, but thought you wouldn’t notice. That behavior may be considered transparent; it’s a heck of a lot better than if he’d lied to you. But it’s not proactive transparency, and it might leave you feeling like you can’t trust him, and like you wouldn’t want him to use your car in the future (though you likely will; you’re such a softie).

Now, imagine that your son came home from the drive and immediately came to you and said, “Mom, I’m sorry, I need to show you a scratch I caused on the car.” When he walked you out there and you saw it was a minor scratch that could likely be buffed out, your reaction would be to feel more trust, and believe that his behavior gives you more confidence that you can trust him in the future.

This is the power of proactive transparency: the willingness to have difficult conversations transforms the nature of the relationship. This is as true in business as it is in families. But it’s not easy.

The willingness to have difficult conversations transforms the nature of a relationship.

An organization-wide undertaking

A commitment to proactive transparency is not an initiative that can sit inside of one department or reside with just one leader. It’s an approach that requires cross-functional commitment to have the hard conversation and trade short-term discomfort for long-term relationships.

While the conversation about intentionally pursuing proactive transparency can come from anyone, the key to success is that it’s embraced as a core value and as a part of the norms of the company. When core decisions are being made, someone(s!) needs to be tasked with asking, “Is this a thing our customers would like to know?” That answer will generally guide you in the right direction.

A commitment to proactive transparency will quickly conflict with other priorities. Lawyers may want to minimize risk, marketing might want to focus only on the good news, sales teams might want to pretend software doesn’t have bugs or downtime. All of these conversations are to be expected and healthy. The key is dragging this tension into the light, and making a deliberate decision, versus pushing the easy button.

It’s an approach that requires cross-functional commitment and alignment on priorities.

What it looks like

Proactive transparency is all around you when you start to look for it. Health warnings on cigarettes would fit the bill, if they hadn’t been forced by the government (due to a decided lack of transparency previously). Restaurants that share not only calorie information, but food source information, are also embracing proactive transparency. Similarly, home improvement contractors who tell you up-front (before you’ve paid!) that they might not be able to get your materials soon are making a conscious effort to put themselves on the line for the betterment of the transaction or customer experience. And yes, kids who come tell you when they’ve messed up are being proactively transparent, too. Even when it’s quite possible you’d never have noticed if they hadn’t.

In the tech industry, proactive transparency shows up in status pages, public root-cause analysis for issues, robust publicly available security and privacy pages that explain in plain language what the company’s practices are, and companies that are willing to notify their customers about bad news, despite it not being required.

At Red Canary we recently experienced a real-world example of this, one that put our commitment to proactive transparency in the spotlight. We identified that—for several hours—the telemetry we’d been receiving for one of our customers was not being analyzed for detections. After recognizing the issue, we were able to quickly fix it and review the data to determine that there had been no missed detections during that time. It would have been the easiest thing in the world to call it “case closed” and simply move on. At that point, the customer had no idea there’d been an issue, and in fact, we’d confirmed that no harm was done.

As we discussed the situation, someone in the room pointed out that the customer thought they were covered for those hours and they weren’t; their expectations were not met. That was the direction we needed to help solidify for us that we would notify the customer of the issue, what we’d found, and what we are doing to ensure it doesn’t happen again.

A customer’s expectations should fuel proactive transparency in a company’s day-to-day.

A journey full of hard choices

Being proactively transparent is a journey we’ve been on for 7+ years. When you’re committed to building trust through proactive transparency, and you build it into your culture so it is part of every team, the number of hard decisions your team will make every day increases exponentially.

Status pages are a great example of this. When I purchase SaaS solutions, I want to know when that software is working and when it is not. That is part of the proactive transparency I expect if I’m going to trust a product.

So at Red Canary, we created a public status page years before most other security vendors had one. If you’re used to SaaS products, you’re used to them having a public status page. That is not true for most security SaaS products. Even in this day and age, many security vendors hide their status communication inside help portals and ticketing systems.

Once we had a status page, we realized that downtimes that affect our customers are often from other cloud services we integrate with. So in line with the great example from Twilio, another SaaS company that depends on many other products and services, we added dependent services to our status page.

Here’s where this gets really tricky: some of the companies we integrate with may not love that we’re telling our customers when their products are experiencing downtime. This transparency also increases the number of times we’re communicating to our customers (and competitors) that we are impacted, even when it isn’t our fault.

Partners and competitors may not appreciate your company’s candor and that’s ok.

This leads to hard conversations with our partners, our customers, and our customer-supporting teams. These are the hard conversations that come from proactive transparency. It would be far easier to not be proactive and to be less transparent; that’s the status quo.

But, the status quo hasn’t been working in security for the last several decades. So, it’s time to embrace a different approach. We’ve chosen one that is guided by core values of candor and honesty. That’s the behavior that is worthy of trust.

 
