This article is the ninth in a series of articles by NAV CANADA vice-president and chief information officer Claudio Silvestri about talking to your board about cybersecurity.
Describe how, what, and who will communicate internally and externally when you have an event
Here is where you leave the safety and comfort of your IT world and enter the world of public and stakeholder relations and communications. If you thought doing IT was hard, well, strap yourself in — you’re not in Kansas anymore.
When communicating difficult, sensitive, and potentially damaging information internally or externally, you must rely on people in your organization who have the experience, skill, and authority to do so. Your job is to work with them by providing facts about the cyber event, updates as they are available, and impacts to the organization and all stakeholders.
The job of your communications team is to guide the organization along a line of messaging while balancing the negative side of your cyber event with the positives about how the organization is responding to the crisis: containing it, protecting stakeholders, and addressing any harm.
They must do that while also ensuring the company is protected from long-term reputational harm and that any potential legal impacts are not made worse by the company's actions, inaction, or the words used in its communications.
In today’s world of social media, the line between the negative and the positive can be instantly blurred and take the reality of your cyber event from fact to fiction at the click of a mouse.
There are many advantages of social media for crisis communications, including speed and reach. But there are just as many disadvantages, including the inability to tell the full story or having to oversimplify messaging. The words of the organization’s representatives will instantly be communicated to a large audience and be interpreted in as many ways as you have Twitter followers.
I am not an expert in this area by any means, and you may not be either, but your public relations and communications teams are. They will have a protocol in place that should describe where and how communications are to unfold, who is responsible for issuing communiques, and who will be the face or voice of the company. The protocol will focus on how the company will manage and cope with the crisis and have a very clear communication flow through the appropriate channel to the intended audience.
Part of your cyber incident response plan will be focused on communications as described above. Depending on the impact assessment of the event, and how it triggers certain obligations your company may have, communications may need to begin right away or within a defined period of time.
As governments and regulators get more involved and continue to develop laws and policies related to cybersecurity, you should expect that a requirement to disclose events will become more probable, and likely not on your terms.
Therefore, having things planned out and synchronized with your public relations protocol is essential in terms of being able to ensure communications begin to flow in a timely fashion, with as much accuracy and completeness as possible.
Work with your public relations team to understand what they need in terms of information in order to craft the communications. For example, they might have predefined and approved scripts that will be used by your spokesperson in the event of common cyber events such as a denial of service or the loss of sensitive or private company information. In this way, all that would be required is to fill in blanks in the script.
You should fully expect that beyond the initial communications you will be required to remain engaged to provide updates at whatever frequency is required or driven by the situation as it unfolds.
Crisis communication is a tricky business and requires a delicate approach. Your role is to provide facts about the cyber event and updates in terms of progress on dealing with it, while following the lead of your public relations and communications team.
However, there is one important aspect of your role here. Just as IT professionals are not communications experts, your communications team are not IT experts.
Just as when you are communicating to your Board, you must not use “IT speak” to describe the situation. Doing so will make it difficult for them to appreciate and understand what the company is facing from a business and stakeholder perspective.
When communicating facts about the cyber event, you must ensure they fully understand the reality and impacts so that they don’t misinterpret what you are telling them.
During a crisis, clear communication is often an early casualty. You must be clear with as much relevant factual information as you can provide, and you must test your communications team to ensure they have clearly understood the situation and real impacts, so they can accurately craft the words used to communicate the situation.
Next article in the series: “Cybersecurity essentials – Awareness and training”