Planning and managing a security program in today’s breach-a-day world is a monumental task. Though cybersecurity practitioners are more than familiar with incident response planning[i], the focus is often on identification and containment of an incident, who is involved (and who’s not), who to call when, and decision or authority trees. The topic of how to address communication—both internal and external—is typically an element of the incident response (IR) plan, but getting that communication right is frequently left up to circumstance, meaning that organizations know someone must do the communicating, but what and how it’s said depends on the crisis in question.
Executives at large companies may have taken media training to prepare them for such circumstances, yet the regularity with which we hear executives misspeaking when it comes to cybersecurity incidents is confounding. There is no one right answer as it relates to communication during a cybersecurity crisis, but again and again we hear companies saying categorically the wrong things—e.g., lying about the number of customers/victims affected, blaming one person at the organization for the breach)— thus worsening the situation. Organizations could significantly improve the experience of an incident for their companies, themselves, and customers by keeping a few common-sense rules in minds.
Knowing when to say “when”
In fairness to anyone speaking to the media, be it about a security incident or a new product line, media are trained to uncover the juiciest story and turn it into something that will garner the most attention in the shortest amount of time. Thus, even media-savvy individuals must choose their words carefully when discussing sensitive subjects—like a data breach. On top of that, it’s easy to get spun up about a subject when those around you are overreacting (e.g., asking leading questions) or pressing for answers that are not yet available.
However, it’s important for anyone speaking to the media about a security incident to remain cool, calm, collected…and on script. Doing so requires advanced planning. It might seem ultra-important to address public concern quickly, especially when a breach has impacted large numbers of customers, but delivering the right message at the right time will ultimately serve the organization (and possibly even the individual delivering the message) better in the long run. Though customers and media may push for “all the information immediately,” anyone who has ever worked a security incident knows that learning exactly what happened isn’t something that happens overnight. Therefore, whoever is communicating about the incident must be very careful not to overstate or understate the scope and severity of the incident.
It’s a Goldilocks and the Three Bears conundrum—communication must be “just right.” This means being disciplined with the information offered to the press. While sounding too vague and offering platitudes like “We take customers’ security seriously” doesn’t do anything to sooth stakeholders’ fears (or imaginations), having to backtrack against statements like, “This breach impacted 7 million customers” when it really affected 37 million makes the organization look incompetent. It’s definitively better to admit that the number of affected customers is TBD than to hedge your bets and hope that stakeholders are forgiving (Pro tip: they’re not very).
Similarly, the tone of a message, especially the first message delivered, will be used to define how an organization is portrayed (regardless of how things evolve over time. It can be very hard to shake first impressions). Security practitioners are so used to playing defense—literally and figuratively—that it’s easy to fall into a defensive mode when asked about what went wrong. Whether it’s the instinct to blame one errant person in the organization for not installing one patch or to point out how much easier it is for cyber attackers to find one vulnerability than it is to defend an entire ecosystem, sounding defensive is never a good media strategy; it generally backfires and only serves to fuel the media fire.
Controlling your own chaos
Most importantly, organizations that have experienced a cyber incident should avoid—at all costs—letting that incident play out in the press. Perception becomes reality, and what’s written on the internet stays on the internet. It’s worth the effort, regardless of how difficult and/or time-consuming it is, to focus on crisis communication before, during, and after an incident.
As with IR planning (i.e., “IR preparation”), an organization’s best bet is to not only identify who is authorized to speak to the media before an incident hits but to delineate what that person is authorized to talk about. Is it OK to hold a press conference and talk about how many people were affected in a breach? Is that true for all press conferences, or should that type of statement be avoided until sufficient information is gathered? Is a press conference or media interview held within 72 hours of the declared/discovered incident an appropriate place to say what systems and data were affected, and how they were accessed? When does it become OK? How much detail is appropriate in a public forum? Will certain statements ignite or assuage people’s fears? How a message is delivered—i.e., what words and with what tone—really does matter in the court of public opinion (and perhaps with your regulators and lawyers).
Drafting mock scenarios that spokespeople can practice before communicating publicly can prove extremely useful. Highlight the types of talking points that can and should be covered in any given media instance, knowing that as a forensic investigation uncovers more facts, more information may be able to be shared. Think of incident communication as an additive exercise rather than an opportunity to say everything you know all at once. Security incidents are pressure-filled enough without offering up misinformation that can turn a bad situation into a nightmare.
[i] which should really be considered “incident preparation,” given that a large part of incident response (IR) planning is putting pre-incident actions/strategies/capabilities in place
If you're looking to enhance your leadership skills and learn to align security with business priorities, attend MISTI's Security Leadership Exchange, May 20-22, 2018 in Ponte Vedra Beach, FL.