By: Loren Dealy Mahler
President, Dealy Mahler Strategies, LLC
The last two years have given us a plethora of news headlines taking companies to task for incidents that exposed or directly compromised customer data. From very large events involving millions of financial records, to smaller events involving personal health information, the hits just keep coming.
As companies work to more effectively defend themselves (and avoid being the next ugly headline), the common refrain of “it’s not if, but when” is shifting the cybersecurity conversation from traditional defense to organizational resilience. This trend is leading companies away from an IT-centric approach by placing a greater emphasis on the overall ability of the organization to continue operating across functions, both during and after a crisis.
Asking questions about whether your business could continue to function, or whether a single event could derail the entire operation leads directly to whether or not you have a good incident response plan in place. Have you addressed the depth and breadth of your company’s functional capabilities, or have you limited your plan to systems recovery? Are you looking at resilience from a business perspective, or from an IT desk?
In oversimplified terms, most IR plans focus on finding, stopping and cleaning up threats to their network. They go heads-down on securing data, minimizing damage, and getting things back up and running. What is most often overlooked in this carefully choreographed plan for resilience, however, is protecting and restoring the one thing that can exponentially magnify the business impact of an event and drive costs through the roof – your reputation. How resilient is your reputation? If customers stop trusting you and take their business elsewhere, does it really matter that your network is clean?
This is also the one thing your security team has the least control over. Odds are someone else in your organization manages communications, which is why it’s imperative for your CISO – and other owners of your incident response plan – to understand how effective incident response communications should work. You have to be able to ask the right questions and incorporate the right elements into your plan, so you can confidently say that you’re prepared to protect the entire organization.
Getting this part wrong can weaken trust in your organization, test customer loyalty, and potentially change the entire event narrative, driving weeks of negative headlines – and higher long-term costs.
So what can you do to make sure you get it right? The answer depends on the structure and function of your organization. Every plan will be different, but there are a few good rules you can follow to make sure yours is on the right track.
- 1) Do Your Homework
In the immediate aftermath of an event, time is of the essence. How quickly you respond is just as important as how clearly and accurately you respond. Much of the information you need to make the right decisions about whom to notify, when, and how can be researched and gathered ahead of time. This includes a comprehensive stakeholder analysis, a reputational risk assessment, and a matrix of current communications channels. In the midst of an actual crisis, you won’t have time to gather information about how different types of data impact the company, find out who owns the Twitter feed, or dig up the name of the new guy running the sales team.
- 2) Build the Right Tools
Once you’ve done the research and gathered the information, use it to build a better toolbox, one that will help you make better decisions under pressure. Create a scale to measure the real and potential impact of any event, and use it to determine the appropriate response. Build optional communications channels in advance, so when you need to communicate something significant, you aren’t wasting a day setting up a landing page. Build a team that represents all priorities from across your organization, and make sure everyone knows each other and has their say in the process. Finally, draft statement templates, so you don’t waste valuable time arguing over basic vocabulary.
- 3) Learn to Trust the Plan
The best plans are useless if no one follows them. Regardless of your planning process, you will still have to make decisions and execute orders that are appropriate to the specifics of the situation you face. Don’t let panic drive you to make bad decisions – or communicate the wrong messages. The easiest way to overcome panic is to trust in a reliable plan. Build this trust through regular, comprehensive training exercises. Make the effort to build scenarios that are realistic and genuinely test both the plan and your team. Communications-related injects are a great way to increase engagement and maximize learning outcomes – not to mention there’s an element of fun in planning them.
Overall, as cybersecurity becomes even more of a household name, increased public attention is turning up the heat on incident response management. The good news is that if you’re concerned your current plans don’t effectively account for this reality, it’s easy to assess what you’ve got and bridge the gap to a more effective plan.
When communication is done right, you can increase organizational resilience, lower the cost of an event, and protect your reputation long after the dust settles.
Loren Dealy Mahler is the President of Dealy Mahler Strategies, LLC, a strategic communications firm that advises clients on cybersecurity and defense-related issues, with a focus on increasing organizational impact and effectively managing risk.