Who tells your security breach story?
The obvious answer to who is telling your story is basically anyone and everyone. But the real winning answer is that you do, of course. Because in the realm of crisis management for cybersecurity incidents there are basically only two paths: preparing your marketing for a breach or recovering from a breach. Here, we will focus primarily on the latter of the two and how mastering the objective will set your organization apart.
Each time there’s a large security breach announced, you can bet the commentary against that particular organization will be quite negative. Twitter and LinkedIn will, in particular, spring to life with every short snarky comment imaginable, followed up by more of the same tomorrow. One example comes to mind where, within hours of one of the largest security breaches on record (Equifax), a prominent CISO judgmentally tweeted out that they were literally “writing the book” on how not to respond to a breach. Ummm, okay. It’s only been mere hours and yet your ultimate opinion is that they not only were victims of one of the largest breaches on record but also have one of the worst responses ever? Still, let’s not beat up too much on that one CISO, because in reality there were probably dozens of retweets and hundreds more saying the same thing. You see where all of this is going: judgment is pretty darn cheap these days. But let’s put that on hold for a minute as we look at what they did right.
- Dedicated Web Site: Did they just have one press release or comment to the local press? No, they did not. They had a dedicated web page that could be updated time and time again with whatever info was considered relevant for their audience (customers, partners, media, bloggers, etc.).
- CEO Message: With great empathy, none other than the CEO had a video where a conciliatory and empathetic message was well received. If you are a stakeholder in any way, you surely appreciated this.
- Something to Offer: They gave away something of value — enhanced/premium credit monitoring. This is not to say that every breach requires something of real value to be handed out, but in this case it was a bit better than the more common credit monitoring offer. And it was certainly more valuable than nothing.
So if this is “literally writing the book on how not to respond to a breach”, then someone must be reading the wrong books. Because this is actually a good start to doing the exact opposite, which is setting an example on how to perhaps do it right. But that’s social media for you. You can’t control it. But you can laugh off the silliness and then stay the course that you set, especially when you know it to be right.
Call to Action
The real call to action is surprisingly simple: It’s writing your own story. Starting today, next week, or maybe, at the very latest, next month if need be, that story needs to be written. Even if you haven’t suffered a data breach, there’s only good to come from being fully prepared for one.
- Let them speak: The CIO, CISO, or those they have full faith in to deliver the message need to be seen and heard. This means ensuring they have content (presentations, social media posts…) that is as informative as it is able to restore confidence. It won’t happen all at once, but having them at IT conferences and other venues is an opportunity that must not be ignored. If you or they are feeling really bold, let the title for such content be “How not to respond to a security breach”. You have just started at the very bottom and people will be interested, so things can only go up from there. And go up they will. Fast!
- Be ye social: Social media is your friend. Take that picture of someone in IT security who is putting in a new security control, add some fun commentary to it, then send it out into the wild. Why? Well, because all of those on the ‘outside’ are doing that anyway, but they have ordinary content with little context. But you, oh you lucky one, you have access to rich content with total context. Because as the saying goes, content is king, but context is god. You win. They win. Heck, we all win!
- Focus on building up: Social media thrives on people building themselves up by tearing others down. So don’t fall into that trap. You will need even-keeled content creators who are either not emotionally connected or can truly separate themselves from perceived attacks. Then you need them working day in and day out on your behalf. Some negative comments need to be discovered and addressed. Properly addressed. Skillfully addressed. There’s no doubt about that. But unless your organizational brand was somehow built on such negativity, you’ll want to rise above it. Always.
Do you perhaps need help with your security breach story?