The cybersecurity reputation of an organization is a tricky thing. Why? Well, because it’s actually measurable through various qualitative and quantitative measures, yet scarcely mentioned until something goes wrong. Instead, the headlines read something along the lines of the CISOs’ No. 1 Concern in 2018: The Talent Gap. And all of this is against the backdrop that pretty much every other executive would say that what really keeps them up at night, as it relates to cyber reputation, is the huge cost of the brand itself falling to pieces.
Thankfully, the corporate world is, at least, waking up to the reality that getting far out in front of the cybersecurity reputation is worth exponentially more than the investment. The gap between marketing and security is obvious and is being exposed as a great weakness for those who maintain that particular status quo. As highlighted exceptionally well in CSO Online…
Reputation resilience matters
It’s become cliché to say “it’s not if you get hacked, it’s when,” and yet the shift in mindset from security to resilience still hasn’t fully taken hold beyond the network perimeter. Consider this: you can’t build a resilient company without considering whether or not your reputation can also withstand the fallout from a cyber incident. Will your customers trust you enough to stick with you, or will they start to question your motives and credibility? The way you communicate during a response will drive those answers.
Loren Dealy Mahler | 5 rules for smarter cyber communications | CSO Online
Having this discussion is certainly a great thing for all organizations, and many CISOs and CMOs will surely see some part of their compensation plan being aligned specifically around the cybersecurity reputation. And for the public companies with board members looking to maintain pride in the company they serve, we can expect this topic to come up with greater frequency and impact.
So What Can You Do?
So, building on Loren’s viewpoint, what can you do [to enhance/preserve/defend the cybersecurity reputation]? It’s a great question, isn’t it? It is so relevant now that IT and marketing should expect to hear it time and time again from key business leaders, if not asked explicitly, then at least implied through other lines of questioning.
- BEFORE: Above and beyond a standard/template crisis communication plan or tabletop exercise, invest early and often in the brand/reputation of the cybersecurity program. Key IT [and especially IT security] executives should be seen on social media and even speaking at conferences, or, at the very least, should ensure that others from their organization are. Providing even nuggets of information around your progress toward GDPR, HIPAA, the NIST Cybersecurity Framework, ISO 27001 and other GRC proof points can pay huge dividends later on. Don’t have time to create the content? That’s okay. Just get a company that can do it for you (aka ghost writing everything from social media, to blog posts, to creating and even submitting presentations for speaking engagements).
- DURING: In the midst of a crisis is really not a great time to be learning the ins and outs of social media, influencer marketing, etc. So if you haven’t prepared yourself and the organization, you can expect two likely outcomes. The first is that general counsel will shut down any media presence you might hope to have. That’s unfortunate, but highly likely…for obvious reasons. And the second is that you simply won’t have the time, as other pressures are mounting. But if you do have outside help, preferably on retainer, they should now be creating all your content, per the cyber crisis playbook, and submitting it to you to modify slightly and post as needed. Whatever you are allowed to do, just make sure it’s to the benefit of the cybersecurity brand and reputation.
- AFTER: As Loren points out in the CSO Online article, the path to rebuilding trust is a long one. How long? Well, that depends on how long memories last (and Google has a really long memory). While the security team has maybe received a bit of extra investment and done some great work with it, subtly evangelizing that over and over again is a long game, not a home run. Continue to measure public and stakeholder sentiment as often as you can. Also consider that outside firms tend to be best at this, as they are not as “invested” in things as you might be. If you started out as a virtual unknown or a 2-star organization before a big data breach, it’s going to take longer to get up to 4 or 5 stars. But doing nothing in this regard is really going to drag things out.
Remember, It’s Also Personal
The bottom line is that when people search on your brand (yes, even your very own brand) before, during, or after a cyber incident or all-out cyber crisis, they want to see something other than an overly safeguarded, dry, corporate-speak, jargon-filled, and just plain boring press release or comments from the “company spokesperson”. Anyone invested in any way in your success wants to see something positive that they can empathize with, so that they, too, can move forward and even help you out.