I will start this article with a pop quiz:
Let’s say your organization had a cyber event and the IT response teams did a great technical job. However, the company/agency communications response was poor.
Question: What will be the perception of the public, news media, social media, your stakeholders, and your organization’s employees, among others?
Answer: The entire response operation – including you and your staff – will be draped with failure.
Is this fair? No, but what does fairness have to do with anything? This is the way it is.
What does this tell you? IT must work with the Communications staff for all IT/Cyber events.
“What?” you say. “I’m the hotshot CIO or CISO or IT manager. I don’t need to worry about the news media. That’s Public Relations’ job.” Wrong. My little example – and my many years of experience – show that you need to work with your Communications staff before the next cyber event hits. Yes, it’s PR’s job; but only you can make them successful.
Again, you ask “Still, why should I care? That’s not my job.” And again, I point out, crisis communication is part of your – and your organization’s – overall cyber response and thus your job. Communications staff must be prepared for the challenges to be faced during your cyber crisis. Assuming you have a cyber response plan/team (and if not, you are doomed), does it answer the following questions:
- Is there a Communications position on your IT/Cyber Response Team (IT/CRT)?
- Who in the Communications group is notified when you declare a cyber emergency?
- Is a clear, accurate, and timely information flow established from IT/CRT to Communications?
- Who is the IT/CRT contact for the Communications staff to gather information, translate IT-speak into understandable English, and follow up with information requests?
- Who on the IT/CRT Staff will be the technical spokesperson to explain the event and response (again, in understandable English) to management, employees, the news media, social media, government agencies, customers, and others?
- The above briefings could include addressing the media live and online. Are the IT/CRT spokespersons trained for this?
- Whenever you conduct a cyber drill or exercise, do you invite the Communications staff to participate? If not, why not?
You must also prepare your technical and executive response staff – the ones who supply information to the communications staff – to be ready to receive strange and unusual requests for information. If you’re in the middle of a cyber-attack, your executives may receive questions about Russian collusion, conspiracy theories, damaging tweets, anonymous accusations, executive sleaziness, and topics that have nothing to do with your cyber-attack but somehow make it into the story. It’s also easy for one of your competitors to inject false technical rumors that accuse you and your management of having somehow caused or ignored the cyber-attack. Now you have to deal with fake news, false rumors, shadowy accusations, a Twitter torrent, and Facebook flashes in addition to the cyber-attack.
Again I ask: is this fair? And again I reply: No! Cyber event response clearly needs to focus on the technical aspects of response and recovery. But complete event response and recovery has a very important communications function that can impact the organization for years afterwards. Get the appropriate Communications people on the Cyber Response Team to relieve your technical people of this burden.
There is another major advantage of having the Crisis Communications Team working with you. They will have to deal with Legal, Human Resources, senior executives, employees, customers, and many others. They will have the news and social statements developed, approved, and released. Does anyone in IT really want to do that in the middle of a cyber-attack? I think not. Let the Crisis Communications Team deal with those arduous tasks while you resolve and recover the technical issues.
Can your Cyber Response Team deal with this? It is your job to find out and make it right. How will you know? I alluded to the answer above: Whenever you conduct a cyber drill or exercise, you must invite the Communications staff to participate. Yes, they probably don’t want to be there any more than you want them there. But you both must do the right thing and make it happen. Believe me, you will both learn much from each other and each will be better for the experience. Just do it!
A crisis – and in particular a cyber-attack – is going to be brutal. It’s not a matter of if you have a cyber-attack, it’s a matter of when. So work with your Communications staff now to be ready for the inevitable. This preparation is a win/win situation that you can’t ignore.
Shameless plug: Attend the “Crisis Management & Business Resiliency” Course at MIT next July. Many IT/Cyber managers have attended over the years. For further course information and registration details, go to: http://professional.mit.edu/cm
Dr. Steven B. Goldman is the Director of Crisis Courses at the Massachusetts Institute of Technology. He is an internationally recognized expert and consultant in Business Resiliency, Crisis Management, Risk/Crisis Communications, Pandemic Preparation/Response, and Crisis Leadership. His background is comprehensive yet unique in that he has been a professional engineer, corporate spokesperson, manager of media relations, business continuity planner, crisis responder, consultant, and a Fortune 500 Company’s Global Business Continuity Program Manager. You may reach him at Goldmans@MIT.edu