I was listening to podcasts about the Home Depot breach, and something occurred to me.
Home Depot isn’t talking much about the breach. And it’s driving security pros nuts.
But the general public takes silence as a sign that everything’s going great. So their silence is winning the PR battle in the court that matters, which is public opinion at large.
As a security pro, I want my colleagues at Home Depot to share, so we can all learn. We need to know what went wrong so we’re careful not to make the same mistakes. But a security pro has an obligation to protect the business. And not talking to anyone, stonewalling the media and the industry, if you will, seems to be working perfectly well for them.
As a journalist turned security pro, I find it interesting to watch this unfold. Slowly. It turns out I may be learning from the silence after all. That goes against my intuition because, generally speaking, it’s the side that talks to the press most freely that controls the story. So I’m very interested to see if Home Depot doing all the wrong things ends up being right. At this point, it looks that way.
I think the difference here is that Home Depot isn’t denying anything (futile, but it happens). They are just staying out of the spotlight – a completely different plan.
Denying that you were hacked, after the big headlines, would be a losing proposition. Staying quiet, and letting the next big news story take people’s attention, seems wise. You know that there is activity going on inside Home Depot. They are taking a different PR approach. As you say, it’s working so far.
Yes, yes indeed. An outright denial would probably open the door to bigger legal issues, since the lawsuits started right after the rumors. And, as someone told me a very long time ago, telling the truth makes it a lot easier to keep your story straight.