📬 Mailbag: We know people don't believe us when we say security is our top priority. How can we be more authentic in our communications?
Authenticity in security comms isn't about perfect words, but consistent patterns over time. Only communicating when legally required gives stakeholders no baseline for trust. Credibility during incidents is earned through regular communication during normal operations.
Mailbag questions are submitted anonymously by our readers. Submit your own question for our team at discernibleinc.com/blog.
The real answer to this question is that if you're asking how to be more authentic during a high-stakes event, you're already too late. Authenticity is the cumulative result of consistent communication patterns your customers have observed over time.
I hear this question a lot when working with clients on product vulnerabilities, privacy policy changes, and incident disclosures. I’ve seen organizations actually telling the truth about their security commitments, but customers interpret their communications as damage control or corporate spin. It’s typical for companies in this situation to obsess over specific word choices as if the right combination of language will suddenly make customers trust them.
The problem is that many organizations only talk to customers about security when they have to. This means customers have no baseline for evaluating whether your communication is genuine. They have nothing to measure against, no established pattern to reference, no track record to inform their judgment. You've asked them to assume you’re being authentic despite providing no prior evidence to support it.
This is the same infrastructure problem I've written about before: effective security communication requires building relationships and credibility before you need them.
The Problem
Is your organization silent about security during normal operations, then suddenly asks customers to trust it during the worst possible moment? This approach fundamentally ignores how authenticity works.
Recent research on corporate social advocacy provides a framework that explains why this strategy fails. Specifically, Dr. Ejae Lee's study on perceived authenticity identifies four distinct dimensions that shape audiences' perceptions of organizational communication as genuine or performative: truthfulness, persistence, commitment, and congruence.
I’ll go into the details of each one in a bit, but before I do, I need to tell you that every single dimension requires a communication track record. Lee's research explains that perceived authenticity operates as a trust heuristic, meaning it’s a mental shortcut audiences use to evaluate the credibility of a communication quickly. But heuristics require historical data, and when customers lack that data, they default to skepticism. The same is true for your organization’s other publics, including employees, regulators, and partners.
The organizations that are seen as authentic during security incidents are those that have been communicating regularly about security all along, treating security communication as ongoing stakeholder engagement.
Now, let’s walk through each dimension and why it requires proactive communication.
1. Truthfulness: You Can't Be Consistent Without a Pattern
Truthfulness is about whether your current message aligns with your established identity (not the identity your brand team carefully curated, but the one referenced behind your back). Customers evaluate this by asking: "Is this consistent with how this company normally talks to us about security?" If you've never talked to customers about security before, they have no reference point. Whatever you’re trying to communicate now exists in a vacuum. Customers read it and think, “Do they really care about security and transparency, or are they only saying this because they got caught?” Without prior communication to reference, customers assume the latter.
When you announce mandatory MFA for customer accounts but have never previously explained your security philosophy, customers interpret it as reactive compliance rather than proactive protection. They lack the context to understand whether this reflects your values, so they’re skeptical of your motivations. Even though you’re now making a meaningful improvement to security, it points out what you could have been doing all along, but didn’t. (Remember the 2010s when every tech company thought announcing MFA within a breach notification would help them appear proactive? lol. Just do it now.)
As I've written about framing security decisions strategically, the goal is to implement good security and to communicate those choices in ways that demonstrate your values before incidents force the conversation. Organizations that score high on truthfulness have established these communication patterns with things like:
- Regular security updates to customers about improvements, architecture changes, and threat landscape responses – not because anything went wrong, but because you're proactively building transparency and because if you were a customer, you’d want to know too.
- Consistent communication voice across normal operations and incidents, because you've practiced that voice in low-stakes contexts and it’s now familiar to your stakeholders.
- Documented security values that customers have seen demonstrated repeatedly through your ongoing communication.
When these organizations experience incidents, customers can compare these notifications to the company’s typical security updates. Yep – same level of technical detail, same direct language, and same protective focus. The consistency builds credibility.
Without a proactive, voluntary pattern, you're asking customers to trust that your crisis communication reflects your "real" values, even though you’ve given them no evidence of what those values look like in normal operations. It comes across as performative and inauthentic.
2. Persistence: One Statement Doesn't Demonstrate Commitment
Persistence reflects whether you maintain your position in the face of pushback, criticism, or consequences. This dimension evaluates whether you care enough to keep stakeholders updated throughout an incident, or whether you disappear after the initial disclosure. No single communication can demonstrate persistence; it is shown over time through repeated follow-through. And since, for most organizations, the goal is not to make incidents a common occurrence, you need to create touchpoints outside of them.
When you say, “your security is important to us,” customers immediately question whether you’ve ever demonstrated that before. Without a track record of prioritizing security, your promise lacks credibility. Customers assume you'll fold once the news cycle moves on.
Organizations that score high on persistence have demonstrated consistent follow-through long before any incident. In my experience, this means:
- Established update cadences for security communications that customers can rely on, e.g., monthly security newsletters, quarterly transparency reports, and regular product security updates. Patch Tuesday is a long-standing example.
- Evidence of following through, even when inconvenient, such as publishing vulnerability disclosures on schedule, acknowledging security improvements that may not be externally visible, and updating customers about how you protect them even when they’re not thinking about it.
- A track record of transparency during uncomfortable moments: explaining service disruptions, acknowledging when you got something wrong, and explaining the fix.
When you've consistently demonstrated persistence during normal operations, customers are more likely to believe in the commitments you make in response to an incident. They've watched you maintain communication and transparency when it wasn't legally required.
This is why our consulting work starts with preparation and a foundation of proactive communication rather than crisis response statements. We’re intentionally not smoke-jumpers. We help clients establish incident communication protocols before they're needed, including pre-negotiating with legal what constitutes acceptable ongoing disclosure, identifying who owns strategic decisions and execution, and creating communication principles that maintain consistency even when the team is overwhelmed. We all know that trust isn’t built through mandatory notices.
3. Commitment: Protective Intent Requires Demonstrated Priorities
Commitment captures whether customers believe you're motivated by genuine concern for them rather than legal liability. This dimension specifically evaluates, "Are they doing this to protect us, or to protect themselves?"
Customers judge your commitment by observing your priorities over time (is anyone in your company tracking that?). What do you invest in when not legally required? What do you communicate about when nobody's forcing you?
For example:
- Organization A has never communicated with customers about security investments, threat response, or protective measures. They issue a breach notification that claims: "The security of customer data is our highest priority."
- Organization B regularly communicates about security architecture improvements, vulnerability reports from external researchers, and proactive threat defense – all without an incident.
When both organizations face incidents, Organization B's claim that security is a priority gains credibility because customers have observed them investing in and communicating about security, even when there was no crisis forcing them to do so. Organization A's identical claim reads as defensive positioning.
Organizations that score high on commitment make their protective intent visible long before any incident. Without this, any claim about caring for customer security sounds like crisis CYA, and customers will assume you're motivated exclusively by liability, since they've never seen you prioritize their protection when you weren't legally required to.
4. Congruence: Your Actions Must Visibly Match Your Words Over Time
Congruence is the alignment between what you tell people and what they can observe you actually doing. This dimension evaluates whether your security investments and behaviors align with what you claim to prioritize, and whether you communicate about security work during normal operations. If you don't, customers have no visibility into whether your actions match your stated values.
Let’s say you mention in a breach notification that you’re “making significant security investments to prevent this from happening again" (oof!). Obviously, customers will be asking, "Like what? And how will we know you actually did it?"
Six months later, customers see... nothing. No post-mortem report, no technical engineering discussions, and no visible security improvements in the product. Not even any updates on what changed.
From the customer's perspective, you made a promise and disappeared. They have no way to evaluate whether you followed through. Even if you made substantial security investments, the lack of communication means customers can't observe the congruence between your promise and your actions. Turning points that determine your organization's reputation go beyond public incidents and include all of the decisions about whether to communicate about the work you're doing to prevent them.
Building a reputation for congruence means making your security work visible to customers on an ongoing basis, such as:
- Sharing what you're actually doing on security. This doesn’t have to be a formal report; just regular updates on security improvements you've shipped, how you handled incidents (even minor ones), and what you're investing in and why.
- Visible follow-through on commitments, and don’t make commitments if you’re not able/willing to monitor and report on your progress.
- Public documentation of security improvements that customers can reference, including updated security pages, architecture blog posts, and changelog entries for security patches.
We regularly work with clients preparing post-incident reports, and there’s often a familiar tension between legal wanting minimal detail and customers wanting meaningful transparency. The organizations that maintain congruence are those that have established those boundaries in advance, often through ongoing communication that builds norms about what level of technical detail is considered both safe and credible. But even more fundamentally, these organizations have established the habit of communicating about security work during normal operations. When incident response requires visible follow-through, they already have the communication channels, approval processes, and stakeholder relationships in place to demonstrate congruence.
What This Means for Your Organization
The next breach notification, privacy policy change, or vulnerability disclosure you face will be evaluated against the communication pattern you've established with customers. If that pattern is silence punctuated by legal requirements, customers will read your crisis communication through that trust-eroding lens.
If you want customers to perceive your security communications as authentic, you need to build the infrastructure that makes authenticity possible:
- Establish regular security communication cadence with customers before incidents require it.
- Demonstrate persistence by following through on commitments during normal operations.
- Make protective intent visible by voluntarily communicating about security investments and decisions.
- Let customers observe congruence between your words and actions.
Communication patterns established during normal operations set your authenticity baseline, so when serious incidents do occur, customers have already seen your proven track record. This mirrors the same principle behind positive incident framing, building strategic communication capabilities before you need them, so you have options when the stakes are highest.