Repost - Public Relations and information security
Too much and you can over-extend and it can go "pear shaped". Too little and you can be branded as uncommunicative and unreasonable. For large corporations the linkage of a brand and any security issue can have a negative effect on share price and immediate financial repercussions.
A large vendor with great responsibility providing supporting infrastructure recently addressed a zero day vulnerability with no media release until the security patch was issued. This made security operations personnel and security aware individuals around the globe very nervous.
Here are some guidelines to consider for your organisation:
1. Tell the good stories on a regular basis. Issue a press release when customer visible or customer impacting security features have been implemented. For example if you introduce optional two factor authentication for customers, promote this competitive advantage. For example if you are a social media site a press release announcing successful implementing of password hashing of your database further to recent compromises at competitors would be a good story to tell. You will note some financial institutions even tout their fraud monitoring capabilities with television advertisements which reduce losses for them, and the potential inconvenience for you. The story may be: we're making security easier for you because we're monitoring your transactions for fraud, rather than giving you extra security controls to deal with.
2. Have a social media policy, press relations policy and educate your employees to not speak, and when they speak to "stay on approved message". I've experienced jaw dropping occasions where CIOs of major corporations share "bright ideas" (un-vetted by the corporation) that could be taken right out of context by the media. If you are a senior person in information security, ask to be consulted on any press releases, advertisements or planned presentations involving security, information exchange or third party relationships.
3. If you are communicating bad news, do it in a timely manner. Have a "canned" pre-approved factually correct press release that mentions that the organisation has been made aware of a security incident and is working on responding via prior established security incident management process and procedures, and that updates will be provide to protect affected stakeholders when actionable information is available. When information is available on the extent of a security incident, be as transparent as possible with affected stakeholders without outlining new/existing security controls and control gaps that could negatively impact on your security posture.
4. Think of the implications before you act. If there is a major decision coming up related to security, think about the public relations upside and downside as well as the legal exposure if the decision became publicly known. Before you call the cops on a security researcher or issue a cease and desist letter, think of the available options. When all else fails, quote the Google motto and "don't be evil".