
Transparent breach reporting can accelerate collective defense and reduce repeat incidents, shaping a safer digital ecosystem.
At this year’s RSA Conference, security veterans Adam Shostack and Adrian Sanabria will make the case for systematic breach transparency. Their premise is simple: when aviation, medicine or public-health agencies investigate failures openly, they produce actionable findings that prevent recurrence. Cybersecurity, by contrast, usually treats a breach as a confidential legal matter, so the wider community never sees the chain of small missteps (unpatched software, misconfigurations, weak monitoring) that let the attack succeed. Publishing detailed post-mortems would let the sector build the same safety feedback loops that have worked elsewhere.
The reluctance to share has two intertwined causes. First, U.S. breach-notification laws vary widely from state to state, and publicly traded firms must disclose an incident only once it is judged material, which leaves room for selective reporting. Second, corporate counsel routinely advise executives to say as little as possible to limit liability, while engineers instinctively want to understand the failure so they can fix it. This clash of incentives stalls the creation of a shared feedback mechanism, and the short life of the Cyber Safety Review Board shows how fragile a top-down regulatory push can be without bipartisan support.
Despite these obstacles, a great deal of breach documentation is already public (court filings, regulator complaints, after-action reports) and remains underexploited. Sanabria’s research shows that mining this “pile of gold” reveals patterns that headline summaries miss. The next step is to institutionalize anonymized, delayed disclosures and offer safe-harbor protections to organizations that report in good faith. Such a framework would balance privacy, legal risk and collective learning, turning isolated failures into a shared knowledge base that drives better controls and lowers overall cyber risk.