
During a crisis, many CISOs try to communicate in definitive terms. However, overconfidence can backfire, especially if the situation shifts unexpectedly. Mark Bowling at ExtraHop argues that the key is to strike a balance: being confident while remaining flexible and clear.
Cyber-threats are escalating in frequency and complexity every day, and the role of Chief Information Security Officers (CISOs) has had to evolve to keep up. No longer confined to purely technical concerns, CISOs find themselves at the forefront of crisis management, especially during a cyber-attack. The ability to communicate effectively in these high-pressure situations has become a crucial competency, vital for maintaining organisational stability and preserving stakeholder confidence.
The cornerstone of effective communication during a crisis is for organisations to establish a formal, well-documented Crisis Communications Plan (CCP). This plan is essential for handling communications in challenging situations. Depending on the gravity of the situation, the plan should address both internal and external communication needs, potentially involving internal stakeholders, external customers, regulators, and even law enforcement in some cases. By skillfully navigating this complex communication process with a structured CCP, CISOs can guide their organisations through a challenging cyber-crisis and support response efforts with clear and effective stakeholder management.
When a cyber-incident occurs, executives inevitably want to know the extent of the damage. However, in the critical early stages, the full impact often remains elusive: CISOs face the challenging task of working with their team to stop the incident from spreading further, while also conveying that the full impact is still uncertain.
Industry experts emphasise the importance of striking a delicate balance in crisis communication. To set realistic expectations, CISOs should provide a range of potential impacts while emphasising current best estimates. It is also beneficial to have previously informed executive management and other internal stakeholders about the potential levels of concern to minimise how much education is required in the midst of handling an incident. This approach allows for transparency without undermining confidence in the security team’s ability to manage an often fluid situation.
When a cyber-incident occurs, executives and board members tend to concentrate on the broader business consequences rather than delving into the technical details. Their attention is typically directed toward sustaining operations and evaluating financial risks. CISOs must translate complex technical information, like the specifics of the exploit being used, into straightforward, business-relevant information that addresses these concerns. This approach equips leaders to make informed decisions and effectively manage the organisation’s response and recovery efforts.
When briefing senior leadership, CISOs should provide concise, actionable information centred on recovery and business continuity. An effective update should clearly outline the status of critical services, the progress in containing and eliminating any hostile presence within corporate systems, the specific measures being implemented to address vulnerabilities after the incident is resolved, and an anticipated timeline for restoring systems. This demonstrates that the security team is actively managing the situation, aligns its efforts with business priorities and instils confidence that the situation is being resolved.
During a cyber-crisis, effective communication hinges on precision, transparency and a steady demeanour. By concentrating on how operations are affected and employing advanced visibility tools, CISOs can deliver updates that are both relevant and actionable. A well-prepared response strategy, coupled with a thorough understanding of compliance standards and attack diagnostics, equips CISOs to steer through disruptions while mitigating broader risks.
Regular communication is indispensable when managing a crisis. Early on, updates multiple times an hour can help maintain focus and provide reassurance. These updates should avoid speculative or incomplete conclusions; instead, they should share verified progress and address known impacts. This will help limit speculation and ensure clear messaging for all audiences.
In the UK, cyber-incident reporting is governed by stringent regulations. The Network and Information Systems (NIS) regulations require prompt reporting of incidents affecting essential services. Similarly, the UK Data Protection Act mandates notification to the Information Commissioner’s Office within 72 hours for breaches that pose a risk to individuals’ rights and freedoms. CISOs must rapidly assess whether a breach meets regulatory reporting thresholds to avoid any additional costs that may come with a cyber-incident.
Leveraging advanced network telemetry and full packet capture technologies can provide the detailed information needed to evaluate the breach’s materiality, ensuring compliance while effectively managing the incident. Thorough forensic analysis is crucial not only for operational decision-making, but also for mitigating legal and regulatory risks. Understanding the full scope of the breach enables CISOs to respond appropriately, safeguarding organisational interests and maintaining stakeholder trust.
In this era of increasing cyber-threats, the ability of CISOs to communicate effectively during crises is not just a valuable skill, it’s a necessity for organisational resilience and stakeholder confidence.
Mark Bowling is Chief Risk, Security, and Information Security Officer at ExtraHop
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543