This story appeared on Network World at
http://www.networkworld.com/columnists/2011/053111-bradner.html

RSA: Maximizing customer harm

'Net Insider By Scott Bradner, Network World
May 31, 2011 01:24 PM ET

When news of the major RSA breach broke about two months ago I complained that the company was not being all that upfront in telling customers what the breach might mean to them (also see: "Ensuring mistrust"). Now we hear that the break-in at giant defense contractor Lockheed Martin may be an example of the fallout of the RSA breach (also see: "RSA tokens may be behind major network security problems at Lockheed Martin").

You would still be hard-pressed to find any useful information on the RSA website about the original breach. The only thing on the front page that seems to be related is a "new security brief" on "Mobilizing Intelligent Security Operations for Advanced Persistent Threats," which seems to be a bit of a "try to make money from what we did wrong" document.

Something real did happen at RSA, judging from a report in The Wall Street Journal that RSA is providing tens of thousands of free replacement SecurID tokens to Lockheed.

If you look hard enough on the RSA website you can find the April Fools' Day blog posting on the attack ("Anatomy of an Attack"). But RSA does not make it easy to find anything else relevant.

This is hardly the way I would want a major security vendor to act. As I write this, the Bloomberg cable TV channel is speculating on the likelihood that the Lockheed breach was, indeed, a result of the RSA breach. Not good press for RSA, made far worse, in my opinion, by RSA's refusal to come clean.

From press reports, RSA seems to be justifying its refusal to provide key information -- like what was actually stolen -- on the assumption that it would make things worse for their customers. That seems like a totally bogus rationale -- hey RSA, it looks like the bad guys who took the info know what they got. The main people in the dark are those who spent big bucks on your products. You are not telling them how deep the doo-doo is. You are also not saying that you will change the design of your products to make this type of breach unimportant in the future.

What should you do if your company gets hacked in a way that will impact your customers? A lot of companies just want the problem to go away and do not want to shine any light on the situation because it could show that the company does not know what it is doing in the area of security.

The "nothing to see here, move along" approach is harder now that most states require customer notification in the case of breaches that involve specific types of information, but some companies still try to follow that path.

A far better path to ensure long-term customer trust is to provide all the information you can that will not actually harm the customers.

Put an obvious link on your home page that customers can use to find out your side of the story and leave the link there until the threat is gone -- i.e., do not follow RSA's lead.

Disclaimer: Harvard is more of a leader than a follower but has not expressed any opinion on the RSA path. So the above advice is my own.