The Security Breach: Will you fight, freeze, or flee?
A cybersecurity breach for your organization is certainly a traumatic experience. And because of this the same options that hold true for any high-stress situation are now laid bare. We can choose to fight, freeze, or flee. But which option is the best? To answer that, consider how each of these scenarios might play out for your business.
First of all, as you are reading this, you are most likely in the fight category. You know that the top business leaders, certainly including the board and the CEO, are looking for the brand to be vigorously defended. Take for example, the former Equifax CEO’s response to their security breach, where he noted they:
“…will not be defined by this incident, but rather, by how we respond”
Richard Smith, Equifax CEO (former)
Organizations who understand this are well on their way to putting out fires and ensuring that things don’t flare up again. It’s more than the belief that action is better than reaction. It’s knowing that doing anything other than this is less than is expected. This is exemplified through real empathy for those who are impacted, especially the customers and business partners. Because without their belief that things are being corrected, they will simply move on. So these organizations will find a way to get the right message out, then keep generating the content and message that matters for as long as it takes, which is generally measured in years.
We have all heard the saying “deer in the headlights”, right? To be clear, this is NOT what inspires confidence — at any level. What this is basically saying, albeit quite subtly, is that someone has been caught flat-footed or otherwise unprepared to deal with this crisis. As marketing executives and leaders, you can’t afford to let this happen. So if the standard answer during a tabletop exercise is along the lines of “we will do a press release with all the standard details” and that’s pretty much it, then it’s time to admit that you are not prepared for the fight. Not even close. And if the term [tabletop exercise] is completely foreign, then there can be no doubt that an incident will not have the required marketing response.
In many cases, the legal team takes over any and all of the outbound messaging, especially with the largest organizations and/or security breaches. So this is where one of the first fights comes in. You want to fight the brand marketing fire for all it’s worth, but the legal department wants a freeze, electing to keep the fully qualified response team in the proverbial fire house. But with breach notification laws at the state, federal, and even international level (e.g. GDPR), the clock is already running. Oh did we say clock? Sorry. It’s a ticking time bomb. Yes, lawyers are inherently risk-averse and that’s what generally makes them great at what they do. But businesses take risks all the time and a proper response is absolutely worth that risk.
“Now where did I file that contact information for that recruiter?”
Oh sure, you can run. But seriously, is that what you want to see on your LinkedIn profile? Oh look, when the going got tough…
Sadly, this happens all-too-often. A security breach occurs and all of the sudden people are running for the doors. And in many cases it’s no wonder. After all, if you are in marketing and your hands are completely tied so that you can’t join the fight and really help protect the brand, then maybe it is time to flee. Because those who freeze are most likely going flee or get burned. It’s really not that complicated, although it kind of is. Could we all elaborate more on the characteristics of those who would either strategically or tactically flee? Of course we could. We all could. But why would we?
But which will you choose?
For the sake of humanity and the brand that took so long to build, both the business as well as your very own, we all hope that you choose to fight.
But as simple as it sounds, it’s actually more complex. It’s complex because when it comes to real action there’s an undeniable human element at play. People instinctively go toward the path of least resistance. In fact, it can be said that the majority gravitate toward the middle on most things. And if the middle of the spectrum here is freezing, then fleeing is most likely the very next step. A quick freeze, followed by an all-out run, is really no different than that poor deer in the headlights. This is exactly why it is essential to have the entire response plan documented, agreed up at the highest levels, then continually refined. Practice, after all, makes perfect. And such mastery is the hallmark achievement of the true professionals who will help save the day.
Will there be negative voices? Oh yes, on that you can be sure. They will be no matter what you say or do, especially in the cybersecurity realm where there are a great deal who don’t mind watching the world burn. And with social media, they will all have a voice, from the small to the mighty. And that’s okay, as long as your voice can come through as more empathetic, positive, factful, transparent, and sustained than theirs ever will be.
- Ensure that the plan is fully documented (here’s a great starting point) and owned by Marketing. This will include addressing any potential conflict with General Counsel (or perhaps IT leadership) head-on, preferably long before a security breach occurs. You’ve got this!
- Master your cybersecurity breach tabletop exercises, fully demonstrating that Marketing is now the top layer of organizational defense. Your playbook has everyone on the same page.
- Execute – Execute – Execute! Day in — day out. It’s work, but it’s great work in that it has impact and will pay off. You don’t get strong by going to the gym every once in a while, right? It’s time to fight. This doesn’t all have to be done in house, either. You can get the right talent to assist al-a-carte, on retainer, or both.