Security Watercooler: Communicating your recovery, with Jessica Lennard

Friday, 3 April, 2020

This week we are trialling an idea around a virtual ‘Security Watercooler’. 25~30 min video calls to break up the day and showcase different viewpoints. Check out more about the concept here.

Today Robin Oldham was joined by Jessica Lennard to discuss communicating your recovery. Here are the summary notes from the call:


For lots of security people ‘recovery’ has very technical roots: rebuilding and patching systems, addressing security vulnerabilities, and so on. NIST’s Cybersecurity framework explicitly calls out “Internal and external Communications following the recovery from a cybersecurity incident.” Public perception is an increasingly important part of recovering from a high-profile cyber security incident.

A large-scale data breach or cyber-attack wouldn’t be described by anyone in comms as the ‘softer-side’ though. Comms, IT and Security need good relationships to understand what the tech teams are doing so they can effectively communicate it. It’s best if these relationships exist beforehand - rather than trying to make friends, learn each other’s languages, and so on, during a crisis.

Comms teams are (usually) amongst some of the most loyal employees. They are the believers, the flag wavers. Their job is to be out there promoting the brand every day - so serious events can rock them - but also put them in their element. (If it’s a good comms team; if not, then usually the lawyers take over and ‘no comments’ follow.)

Nothing beats having a crisis communications plan in advance. Include a map of stakeholders - key investors, regulators, consumers, media contacts. Appreciate that during recovery, people end up doing different jobs: regulatory and investor relations working closer together, crisis teams leading customer call centre briefings, etc.

Start collecting data today on your brand and trust: that way you have a benchmark to compare pre/post-incident. Carry on testing this so you can understand how public sentiment is changing as your recovery unfolds. One participant’s company had been testing 1,000s of consumers on a daily basis during and after a large data breach.

Secondary data points you can measure include customer growth and churn, but these programmes may have been impacted by redeployment of resources or changes to programmes resulting from the incident.

If you have lost personal information as part of your cyber security incident then the focal point of recovery will increasingly come from regulators: whether you had done the right things in advance; the actions you took to protect your customers; your policies, processes and systems.

The wake of an incident can present an opportunity (and require a complete overhaul of the brand). In one example, trust in the company increased in the wake of an attack because they communicated clearly and regularly, and put their customers first.

In the comms world there has been a debate over who you put forward to be the face of a crisis. The established norm was to put forward one of your experts, rather than a shell-shocked CEO, though this is changing and the public expect accountability and ownership from business leaders.

Do not forget: ‘losing your own data’ is a really scary thing for people. Be empathetic. And…

Don’t forget your employees! They will likely ‘have been to hell and back’ for the company during a major incident. They may be suffering from ‘PTSD’ or extreme stress, they may have lost confidence in management, their projects or teams may be facing budget cuts, etc.

Make sure you are communicating consistently and clearly internally as well as externally. In both cases look for examples of where there have been heroic acts that can be appropriately celebrated. They can make your story more human.

Lastly, when the dust has settled, often everyone in an organisation is uniquely open to change. It can be massively humbling, but they absolutely know things have to change. Do take the opportunity to do a thorough lessons learned exercise. It’s been tough, but now it is what you choose to make of it.

You can follow Robin on LinkedIn and @RTO and Jessica on LinkedIn and @JessicaLennard.


Use this Google Form to register and receive joining instructions for future Security Watercooler sessions.

It has been a fantastic week with some fantastic insights and amazing experiences being shared. We’re going to take a break next week to reflect on your feedback and how we take Security Watercoolers forward.