I have seen this story play out time and time again. A company doesn’t have a good crisis communication plan or incident management process, and then a breach occurs or an incident happens, and everyone is running for cover. Senior management wants to know what happened, how it happened, and who is to blame. Unfortunately, for many incidents it takes hours or days to determine the cause, and unless there is a solid crisis communication plan, everyone is trying to cover for their own areas, and chaos follows. Meanwhile, the media is calling, trying to find someone in the affected company to get a statement. Legal and PR Communications folks within the company are trying to contain the exposure to the press, and the internal cybersecurity team is running around trying to find the root cause and working with the IT group to mitigate the incident.
Oh, what a crisis manager would give to have had a bulletproof incident communication strategy in place in times like this – a strategy that covers compliance related issues, media communications and internal communications – to ensure timely delivery of appropriate information to both internal and external stakeholders. When is it time to speak? Check the incident communication plan and strategy! Who should be talking to whom? Check the plan!
- A well-prepared and well-executed communications plan can make the difference between accolades from the public, the press, and colleagues, or seeing your organization’s name in negative headlines, along with brand tarnishment.
- Keeping appropriate people informed and reminding them of their responsibility to maintain the confidentiality of any related information can defuse rumors or speculation. But not everyone should be included in a crisis management or cybersecurity incident process.
- Beyond the chief security officer and the chief information officer, organizations should include the legal department or counsel on the incident response team to help with complex legal and regulatory issues resulting from the crisis.
- Internally, a company should assign a SWAT team from key departments to assess and respond to incidents, and escalate to the crisis management team at a pre-defined point where it is determined to be an “incident” or “crisis”. This should be defined in the plan.
- Roles and responsibilities should be defined in the plan.
- Everyone who has relevant information should be encouraged to provide what they know about the incident to the designated incident manager, as defined in the plan. If you see something, say something, as the saying goes.
- The crisis manager should promote an atmosphere of constructive conversation to obtain the most accurate and up-to-date information about the incident. But everyone should be cautioned to keep the incident details confidential and not disclose them to persons who have no need to know.
John Kronick, Director of Security Services at PCM, Inc. Mr. Kronick has over 25 years of professional experience in providing strategic and tactical privacy, security, risk management, transformation and forensics assurance services to healthcare, governmental and commercial entities; including CISO roles at Gartner, CitiBank, Purdue Pharma and Estee Lauder, 3 years of significant expertise in public / private law enforcement liaison activities, 4 years in a “Big 4” public auditing firm (Deloitte), 8 years SOX, PCI and security compliance management, as well as 15 years of global security operations.