Security incidents happen; that’s just reality. But how a company decides to handle an incident says more about its values and priorities than its product does. The recent Okta compromise, which came to light in March, reminds us of the damage inflicted when there is a lack of transparency between a security vendor and its customers. I won’t rehash what’s already been said about customers not being notified right away; there is little to be gained from yet another article about Okta.
However, it’s disappointing that there are plenty of examples of companies choosing to go down the same path.
As a security industry, I feel that we need to focus more on the concept of “full disclosure”. Transparency and disclosure separate vendors who care about security from those that only care about near-term profits. This topic is so important that a May 2021 White House Executive Order on Improving the Nation’s Cybersecurity called for transparency from software developers and suppliers, including providing purchasers with a software bill of materials (SBOM) and participating in a vulnerability disclosure program that includes a reporting and disclosure process.