I applaud Google for taking extraordinary steps to protect and service their customers by offering free replacements for the Titan Bluetooth Security Keys. Such product recalls can be expensive, time consuming, and prolong negative stories in the news cycles, yet it is the right thing to do.
Many companies would choose instead to downplay such vulnerabilities, deploy patches which are ineffective or severely impact usability, invest in counter-marketing stories to distract audiences, threaten legal action against researchers to suppress public visibility, or perhaps simply spin the news stories to minimize the brand impact. Actually managing the risks for the benefit of the customer can become a forgotten objective.
The rapid innovation and go-to-market pace of modern electronics increases the risk of vulnerabilities. There are practical tradeoffs between security validation and market competitiveness that drive industry best practices. No matter how diligent the work to harden products, it is likely that some unknown weaknesses exist or will be discovered.
The moment of truth is when vulnerabilities are discovered. Most big suppliers have product security response or assurance teams. Their policies, decisions, and actions speak volumes about the ethos and responsibility of the organization. Crisis events test the true measure of companies’ commitments and their response exposes the nature of their security organization.
Doing the right thing is tough, but it has its rewards when customer security and experience are prioritized first. Such ethical responses and transparency build trust and customer/shareholder loyalty.
I think many companies, especially those with product security assurance/response teams dominated with lawyers and marketing folks, should take note. (hint: lawyers, finance, and marketing people should not lead security). Google is showing what real security leadership looks like: risk professionals working with security engineers and industry experts, making tough decisions in a timely manner, being open and transparent, and doing what is best for the customers regardless of the short-term costs or reputational impact. These are the hallmarks of a good risk mitigation team that is led by security professionals and supported by executive management.
Google responded to the recent Bluetooth vulnerability efficiently and chose to replace the affected products. Such a bold move speaks volumes about how serious, organized, and focused the company is on protecting its customers. Well done.
Google, you have set a high bar. Keep raising the standard and it will become evident which other companies take a marketing approach to security, allowing consumers to decide appropriately which businesses to trust.
Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 28 years of experience. He thrives in challenging cybersecurity environments and in the face of ever-shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies. Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world. He is a public advocate for best practices, communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member on advisory boards, and is quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of optimal cybersecurity. Matthew Rosenquist is experienced in building world-class teams and capabilities, managing security operations, evangelizing best practices to the market, developing security products, and improving corporate security services.