The Business of Keeping Promises

Announcing Wickr's Security Promises Program

Chris Howell, Wickr CTO

With so much happening in the news, it is increasingly harder for consumer – whether businesses or end users – to trust technologies we all rely on. With eroding confidence that our information will be kept safe and private, how do the security teams earn and build trust and transparency into their platforms? What is it that establishes trust?

We tend to generally calculate trust in terms of positives and negatives: there are reasons to trust and reasons not to trust, and we just do the math. All of our reasons, be they positive or negative, stem from an assessment of performance against two key standards: keeping promises and being honest (including fixing things when promises are not kept).

So what about software industry and our trust in technology we use? If you think about it, the entire industry was originally built on a model that promises nothing. Take a look at any software license agreement written since 1990s. They’re all the same: no promises to protect your data and no way for users to assess the software’s performance against any trusted standards. Understandably, for a while, the industry prioritized growth and velocity over security.

However, it has produced an accountability vacuum where in the case of a breach, all responsibility (and often the presumptive blame) falls on the customer. The largest breaches of just the past year – from Equifax to Yahoo to Target – offered no real remedy or much transparency to those affected. We almost never know what applications or technical components the hacker exploited to get in. That’s rarely in the headline. And, of course, sometimes the shame sticker is applied unfairly.

We are at a point where the existing security and architectural decisions that the industry makes in building products have started to erode the trust that consumers have in the technology industry as a whole. It is time to start the change. It is time that software companies start making promises and standing behind them openly and honestly.

Today, Wickr announces our Customer Security Promises program designed to offer extreme transparency about how we build and test the platform against key security promises we make to our users. With that, we aim to provide customers with the ability to assess our performance towards the security and privacy standards that form the foundations of trust.

Purposefully, we put ourselves out in the public by setting a clear bar to which we hold ourselves accountable: both internally – with our engineering and product teams, and externally – with the public and our users. We also see this program as an open invitation to our customers that they too should hold us responsible and expect transparency about how we improve on our promises.

Rather than relying upon point-in-time security assessment, Wickr and NCC Group developed an iterative and transparent process that attests to Wickr’s commitment to protecting critical data and communications. This level of assurance is what organizations sharing sensitive information, including NCC Group, want to see from providers to facilitate assurance of their supply chains and that secure by default practices are being followed.
— Ollie Whitehouse, Global Chief Technology Officer at NCC Group

Our customers want us in the trust business. They want us in the business of keeping promises. Perhaps, if we all start by being clear about what we can promise and honest about what we can deliver, maybe then software companies can change the model and start earning back the trust among their users.  

R Z