A disgruntled airline passenger posts a video rant. A parent inadvertently reveals where a bank CEO’s kids go to school. An employee accuses an oil and gas executive of sexual harassment.
Each of these can be a PR nightmare, but they are also clear security risks. In an era defined by instantaneous social sharing, unprecedented transparency and 24/7 news coverage, Chief Security Officers (CSOs) find themselves with a new job: communications.
Today’s security teams have much less time to control the narrative. CSOs are expected to know key details immediately and prepare responses more rapidly. And responses often include talking points, which means coordinating with corporate communications, PR, marketing and others.
In short, CSOs need to develop a security-focused communications strategy. Here are three goals to consider as you create your own framework.
Frame the Story
When breaking stories have a security angle, it is vital for CSOs to help frame the discussion. The challenge is providing enough context to help external audiences understand what is happening, without offering details that compromise the security response or add complexity.
For example, in the most serious cases – email hack, data center outage, terrorism – messages should alleviate panic that could expose other people or locations, or incite copycat behavior. By the same token, CSOs need to manage expectations among investors and analysts to prevent a security risk from threatening the company’s finances or brand reputation.
The best way to do this is to pre-emptively align with corporate communications and marketing. Establishing a process up front gives you the chance to determine which group will lead the effort, what technology platforms will be used to receive updates and deliver responses, what your goals are for turnaround time, and how various groups will coordinate on deadline.
Keep in mind, there are positive use cases too. When companies help with relief efforts after natural disasters, it is just as important to tell the right story and tell it quickly.
Ultimately, these efforts will help CSOs integrate more closely with communications professionals across the business and avoid sending mixed messages that make a bad situation worse.
Create a Culture of Security
The second goal of your communication strategy is internal. Delivering the right messages to internal stakeholders has a dual benefit. It strengthens enterprise security and raises the profile of your team and the value you provide.
For employees, this may involve communicating more regularly about security responsibilities, such as badging and access control. For leadership, it will likely mean responding to incidents much faster. The C-suite and the board are social media consumers too. If they aren’t already, they will soon be asking more detailed questions earlier in the process.
Start with an assessment of how information flows between your GSOC or security team and other departments. CSOs need to know how details and updates about security risks are sourced and vetted. What is the threshold for involving corporate communications or the marketing team? Is there a process for alerting different parts of the company, and if so, how many steps are involved?
To gain even more efficiency, consider adding a corporate communications liaison. Many security leaders have found it helpful to have someone who “lives in both worlds” and can quickly identify ways to fill information gaps, both in the response to breaking incidents and in internal awareness of security policies and procedures.
Manage Transparency
A third goal is mitigating the transparency of the social media era. When everyone in your company is using social media, security issues are much more widely known – including threats that never materialize. This shortens the time CSOs have to act before rumors create noise and additional workload for already overtaxed security teams.
The good news is, social media can help. CSOs can use real-time social media alerts to learn about incidents sooner and gain extra time to develop a response. Social media can help CSOs understand what stakeholders are saying. It can be used to deliver messages quickly and globally. And it can provide a record of how information travels during incidents, which can inform training and create a productive feedback loop.
A Final Thought
Whether your focus is external, internal, or all of the above, a security-driven communication strategy should ensure process standardization, assist with cross-functional coordination, establish a clear division of labor, and set your internal clock for when to reach out to various audiences.
But hope is not a strategy, and without one, CSOs run the risk of not having a good answer when the CEO asks whether their talking points are ready for the press conference.