I’ve been helping a client understand the risk to their business arising from the unauthorised disclosure of Symantec’s source code. As expected, we covered the loss of integrity of Symantec’s products, the potential impact on the effectiveness of a significant element of the client’s malware management, and the potential for the Symantec product itself to be used to distribute new malware. Would the developers of any resulting exploits do us a favour and let us know we have a problem? Or would they stay quiet, operating in the background gathering sensitive information or using the network to launch attacks against others? We worked through these effectively. Then I introduced a new vulnerability, threat and impact:

• Our reliance on our supplier for timely and accurate data, when the supplier has a vested interest in minimising the risk to itself.
• The possibility that our supplier does not tell us all the facts, because its incident management process includes a PR policy.
• That without information of demonstrable integrity the risk assessment may be unreliable, resulting in greater exposure to risk.

There have been several examples in the media where organisations have stayed quiet and not told customers, or the people who rely on them, that there has been a breach of security. Symantec’s original breach occurred in 2006. Verisign suffered a security breach in 2010, but it has only just become known. And Trendnet’s home CCTV cameras could be accessed by anyone online, but customers were not made aware, meaning that their home lives were broadcast for all to see.

I guess this article was my way of asking the question: should your risk assessment include your supplier? But it also raised a second question: shouldn’t security incidents at suppliers of the products we rely on to manage these threats be brought straight to customers’ attention? Does there need to be greater transparency? Will we get it?

As a risk management specialist advising clients, I need reliable and accurate information. Could suppliers be relied on to provide quick and full disclosure of the facts? Should they? How would I reflect this within the risk assessment, and what controls could be put in place?

Now, in defence of those who take their time to disclose: there is the problem of having nothing or very little to say, which suggests you’re not in control of the situation, or of having to go back on a statement you have made when the investigation finds otherwise. Reporting of incidents like these isn’t uncommon. It’s almost a case of you’re damned if you do and damned if you don’t.

My final thought is this. How important is transparency to trust in your business relationships? And should you be able to rely on a supplier’s transparency when an incident undermines the integrity of the product you have invested in?