A company’s Chief Information Security Officer (CISO) is primarily tasked with protecting against and responding to cybersecurity risks, which continue unabated with ever more frequency and ferocity.
But as US Securities and Exchange Commission (SEC) regulations demand increased transparency, cyber incidents become more persistent, and media scrutiny continues to increase, communications and stakeholder management are quickly becoming necessary core competencies for CISOs.
Given their role in managing some of the biggest cyber incidents of all time, CISOs are also moving beyond device-packed backrooms to more prominent positions informing business strategy, which similarly requires deft communication skills.
Taken together, these pressures mean CISOs must treat communications as a critical element of effective cyber incident response. They must be prepared to deliver confident, strategic communications that bolster stakeholder trust and protect the company’s reputation.

CISO Communication Challenges
In addition to forensics and technical teams, CISOs faced with a cybersecurity incident today are tasked with addressing a long list of audiences. Employees expect to be filled in on the details of the incident and may even turn to the CISO for talking points they can use with customers.
Customers themselves, investors, vendors and the media may similarly expect direct engagement from CISOs. And regulators, executive leadership and the company’s board will often put CISOs on the spot to answer tough questions as they prepare for, respond to and recover from an incident.
Companies are often judged less on the scope and impact of the incident and more on how they handle it. From this perspective, a CISO’s ability to meet the nuanced needs of various stakeholder groups, while also delivering consistent, confident messages, can make or break how the company’s response is perceived.
Conversely, inadequate, inaccurate or inconsistent communications can invite significant consequences beyond reputational damage, including lost customer loyalty, weaker market performance, diminished confidence in executive leadership and even the loss of individual jobs. For example, Uber suffered a major data breach in 2016 that was not disclosed until the following year. Joe Sullivan, Uber’s CISO at the time, was later convicted of obstructing a Federal Trade Commission investigation and of misprision of a felony for his role in concealing the breach from regulators. Much of the negative coverage and the regulatory and legal fallout stemmed from how the incident was handled and communicated, not from the intrusion alone.
On the other hand, and not only in the context of an incident, CISOs who engage thoughtfully in public-facing communications can produce positive reputational outcomes for their organizations.
For example, Pat Opet, CISO at JPMorgan, has been an active thought leader in traditional and social media, where he has driven industry conversations and even sparked debate around cybersecurity risk, accountability and resilience.
How to Become an Effective Communicator
As internal and external communications before, during and after an incident become table stakes, CISOs across industries should proactively work to become better communicators. Based on my experience helping CISOs from a range of industries manage their communications response to cyber incidents, four key considerations can help ensure a better outcome:
Ensure your company has a cybersecurity communications plan that is tightly integrated with your incident response plan
This helps CISOs and the entire incident response team operate in a more integrated and efficient manner, particularly by codifying:
- Key roles and responsibilities, including who is authorized to approve communications
- How to communicate if internal systems are down, as well as who will step in for key leadership if they are traveling or unavailable
- A relationship tracker that designates spokespeople and the audiences each is responsible for communicating with
- Which platform/channel to use to speak to various internal and external audiences, along with draft communications templates that can be quickly tailored with real-life details and shared during a live incident
Test communications plans with a cybersecurity simulation exercise
Running simulated scenarios with leadership, including the CEO, legal teams, IT and HR, will help to identify gaps and ensure that the plan is fit to support CISOs through the ever-evolving range of incidents they may face. Weaving communications into other regular tabletops, such as those focused on traditional IT concerns, will also help integrate communications more tightly with other response protocols.
Participate in communications, media or presentation training
Communications is a learned skill, and even the most basic training can go a long way in ensuring your message is heard. Understanding how to manage challenging questions from the board, customers, investors, the media or other stakeholders; to articulate complex topics in clear language; and to balance transparency with confidentiality are essential skills for CISOs.
Training can not only support these needs, but also help CISOs in mapping stakeholders, understanding their priorities, and speaking to them in a way that resonates, all of which will prove critical during a crisis.
Training also helps protect stakeholder trust and mitigate potential risks, such as providing too much detail to customers or giving conflicting messages to the media. But a one-and-done approach is not enough. CISOs should seek regular refreshers as new threats, channels and expectations arise.
Build a strong partnership with your communications counterparts
Whether it’s an in-house chief communications officer (CCO) or an outside communications firm, a solid working relationship with communications leadership and advisors will set CISOs up for success.
A trusted communications partner is often instrumental in ensuring the technical and communications responses are seamlessly integrated, that they align with the larger strategic needs of the organization, and that the entire organization is working in lockstep to deliver a consistent response. Additionally, frank conversations that consider multiple perspectives help foster more well-rounded responses and mitigate risk.
Communications have become an essential part of a CISO’s role and can be the deciding factor in whether a cybersecurity attack harms or helps an organization’s reputation – in some cases, even more than the incident itself.
Building communications skills, staying prepared, and collaborating with communications experts can help protect both the CISO and the organization. The imperative is clear: organizations and CISOs cannot afford to wait – strengthening communications capabilities must begin today to ensure resilience during tomorrow’s crisis.
