Cyber incident response: crisis communication

The worst time to write a security incident response plan is during an incident itself. Anticipating adverse events and preparing playbooks for likely scenarios and testing them in advance are important facets of a wider cyber resilience strategy.

Incident response, however, is not only about technology, logs and forensic investigation – managing communication is equally important. It is often a compliance requirement to notify the relevant regulator and customers about a data breach or a cyber incident, so having a plan, as well as an internal and external communication strategy, is key.

Security incidents can quickly escalate into a crisis depending on their scale and impact. There are lessons we can learn from other disciplines when it comes to crisis communication.

One of the best example is offered by the Centers for Disease Control and Prevention (CDC). The resources, tools and training materials they have created and made available online for free have been tested in emergency situations around the world, including the latest Covid-19 pandemic.

CDC’s Crisis and Emergency Risk Communication (CERC) manuals and templates emphasise the six core principles of crisis communication:

1. Be first. Quickly sharing information about an incident can help stop the spread, and prevent or reduce impact. Even if the cause is unknown, share facts that are available.

2. Be right. Accuracy establishes credibility. Information should include what is known, what is not known, and what is being done to fill in the information gaps.

3. Be credible. Honesty, timeliness, and scientific evidence encourage the public to trust your information and guidance. Acknowledge when you do not have enough information to answer a question and then work with the appropriate experts to get an answer.

4. Express empathy. Acknowledging what people are feeling and their challenges shows that you are considering their perspectives when you give recommendations.

5. Promote action. Keep action messages simple, short, and easy to remember.

6. Show respect. Respectful communication is particularly important when people feel vulnerable. Respectful communication promotes cooperation and rapport.

Cyber security professionals can adopt the above principles in crisis situations during a cyber incident, demonstrating commitment and competence and communicating with transparency and empathy both inside and outside of the organisation.

Managing Stakeholders and Communication on Security-related Projects

Enterprises across the world are becoming more and more aware of security-related issues and their impact on the business, making them increasingly willing to address them. Although they are open to listening to the security professionals’ advice, the language the business speaks is different.

It is important for security specialists to understand the business requirements and communicate the value of security accordingly. Managing stakeholders and communication is therefore becoming one of the essential skills of the modern security professional.

One should understand that the earlier people are involved in a security project, the easier it is to get their buy-in. It is useful to spend some time on planning the communication prior to a project kick-off.

As a first step to such planning, a stakeholder register could be created capturing the contact information, expectations about the project, level of influence, and other characteristics, as in the table below.

stakeholder

As soon as the stakeholders are identified, a communication management plan should be created. One can engage the stakeholders to identify the best way of communication, its frequency, responsibility and a reason for sending.

communication

While managing a project, a security professional spends almost all his / her time communicating in various ways. Proper stakeholder engagement and communication planning can make the security-related projects run much smoother. At the end of the day, security professionals are there to help people to make the business more secure. This task can be achieved more easily when people are cooperating with the security professionals rather than trying to sabotage the project.