Trustworthy Response to Product Vulnerabilities Demonstrates Leadership
I applaud Google for taking extraordinary steps to protect and service their customers by offering free replacements for the Titan Bluetooth Security Keys. Such product recalls can be expensive, time consuming, and prolong negative stories in the news cycles, yet it is the right thing to do.
Many companies would choose instead to downplay such vulnerabilities, deploy patches that are ineffective or severely impact usability, invest in counter-marketing stories to distract audiences, threaten legal action against researchers to suppress public visibility, or simply spin the news stories to minimize the brand impact. Actually managing the risks for the benefit of the customer can become a forgotten objective.
The rapid innovation and go-to-market pace of modern electronics increases the risk of vulnerabilities. There are practical tradeoffs between security validation and market competitiveness that drive industry best practices. No matter how diligent the work to harden products, it is likely that some unknown weaknesses exist or will be discovered.
The moment of truth is when vulnerabilities are discovered. Most big suppliers have product security response or assurance teams. Their policies, decisions, and actions speak volumes about the ethos and responsibility of the organization. Crisis events are the true measure of a company's commitments, and its response exposes the nature of its security organization.
Doing the right thing is tough, but it has its rewards when customer security and experience are prioritized first. Such ethical responses and transparency build trust and customer/shareholder loyalty.
I think many companies, especially those whose product security assurance/response teams are dominated by lawyers and marketing folks, should take note. (Hint: lawyers, finance, and marketing people should not lead security.) Google is showing what real security leadership looks like: risk professionals working with security engineers and industry experts, making tough decisions in a timely manner, being open and transparent, and doing what is best for the customers regardless of the short-term costs or reputational impact. These are the hallmarks of a good risk mitigation team that is led by security professionals and supported by executive management.
Google responded to the recent Bluetooth vulnerability efficiently and chose to replace the affected products. Such a bold move speaks volumes about how serious, organized, and focused the company is on protecting its customers. Well done.
Google, you have set a high bar. Keep raising the standard, and it will become evident which other companies take a marketing approach to security, allowing consumers to decide appropriately which businesses to trust.