5 rules for smarter cyber communications

With the Equifax data breach continuing to make headlines, we’re seeing yet further proof that the way you communicate in the aftermath of an incident plays a significant role in determining its ultimate impact. Executives responsible for cybersecurity need to understand how a good cyber communications function works, and they need to make it a regular part of any conversation related to information security or risk management.

While it may seem like this is the last thing a CSO should be thinking about, recent incidents prove that the stakes are way too high for communications planning and response to be delegated entirely to someone outside the security team. To put it another way—when things really go wrong, whose job is on the line, and who gets the bonus trip to DC? Hint: There aren’t many CMOs taking early retirement or being called to testify before Congress.

To save you the trouble of updating your resume and booking a flight to DC, here is a quick primer on what security professionals should know about cyber communications, and why it’s important.

1. Reputation resilience matters

It’s become cliché to say “it’s not if you get hacked, it’s when,” and yet the shift in mindset from security to resilience still hasn’t fully taken hold beyond the network perimeter. Consider this, you can’t build a resilient company without considering whether or not your reputation can also withstand the fallout from a cyber incident. Will your customers trust you enough to stick with you, or will they start to question your motives and credibility? The way you communicate during a response will drive those answers.

2. A new breed of crisis

A cyber crisis is not the same as a traditional PR crisis. You can’t follow the same rulebook that you do with a product malfunction or a CEO scandal. The anatomy of the event does not lend itself to dumping all the bad news and then cleaning it up as quickly as possible. The very nature of a data breach typically requires a lengthier process where information surfaces in stages. If the goal of a traditional crisis response is to avoid the slow drip of information, a cyber crisis response embraces it. This is one of those times where understanding that difference matters.

3. The best response is a good plan

There are basic communications functions that must be performed in the aftermath of a data breach, and at least 75% of them can be done beforehand. In the chaos of a breach, it’s important to minimize your team’s to-do list, and while key decisions still have to be made, the majority of the work that goes into informing them can be done ahead of time. Things like conducting a reputation vulnerability assessment, mapping scenarios by degree of impact, analyzing stakeholder groups, delineating roles and responsibilities, and drafting holding statements are all worth the investment of time and resources before something goes wrong.

4. Actually, the best response is to just respond well

Having a good plan doesn’t guarantee you’ll ace the response, because you still have to execute it well. In a cyber crisis response, any actions you take have to stick to the basic rules. You have to say something, it has to be accurate and consistent, there can’t be guessing and no half-truths. Anyone tasked with customer interaction needs to have an updated, standardized set of facts that actually tell people what’s going on, and, most importantly, the people affected have to believe that you actually care. At the end of the day, maintaining customer trust is paramount. Anything working against that trust is going to cost you in the long run.

5. Rebuild trust

When the most intense period of the crisis is over, and everyone is finally in clean-up mode, you may be ready to get back to business as usual, but its important to remember that people have pretty good memories. Your customers and/or clients may not have left you, but you still have to restore their trust. Think of this as a cooling off period where you have to work a little harder to earn their business, and anything that rebuilds trust and earns loyalty should be priority one.

We haven’t heard the end of the Equifax saga, but we’re already learning important lessons that will shift the dynamic of future response efforts. One of the biggest is that good cyber communications is the responsibility of the whole team. If you’ve never paid attention to that side of the house, then it’s time to start. Build a basic understanding of the rules of the road, and you’ll be prepared to ask the right questions when the time comes. Who knows, the job you save may be your own.