Should IT and Security Teams Play a Role in Crisis Communications? – Source: www.techrepublic.com

Outages and cyber incidents can have a direct impact on a company’s brand, share price and jobs, according to Louise Roberts, managing director at Sphere Public Relations in Australia. She also noted they can cost an “extraordinary” amount of money in lost revenue and fines.

For this reason, IT leaders, including CIOs and CISOs, should be heavily involved in crisis communications planning and incident response. Roberts said the involvement of these leaders, in collaboration with other stakeholders, can lead to more effective handling of a crisis.

“They obviously need to build robust and resilient infrastructure and have all the cybersecurity protections in place,” Roberts explained. “But the whole company needs to be involved (in communications), including IT, because it really affects the company into the future.”

SEE: What Australian IT leaders can do right now about rising data breach costs

IT leaders are expected to be involved in crisis communications

Australia has witnessed crisis communication failures in recent times. These include the Optus national network outage of 2023, which resulted in the telco being criticised for not communicating well with the public, as well as the eventual resignation of its CEO.

Roberts said the fundamentals of crisis communications are to “tell it all, tell the truth and tell it now.” However, she added this is rarely what happens, which can end up backfiring in the form of significant brand damage for an organisation, in addition to other impacts like lost revenue.

IT and security leaders have a critical role in helping the CEO and organisation both identify and rectify the problem; they also need to support clear, accurate and fast communication with key affected stakeholders, including customers and third parties.

CISOs have clear communications role during cyber security incidents

The Australian Signals Directorate’s Information Security Manual gives clear responsibility to CISOs to support and manage communications during incidents. It states that a CISO’s role during a cyber security incident includes managing how internal teams respond and communicate with each other.

“In the event of a major cyber security incident, the CISO should be prepared to step into a crisis management role. They should understand how to bring clarity to the situation and communicate effectively with internal and external stakeholders,” according to the ASD.

How IT and security leaders should prepare to manage crisis communications

IT and security leaders need to have an updated cyber or technology crisis communications plan in place. Roberts said this should be separate from a regular crisis plan, and should include dedicated input from IT and cyber specialists.

PREMIUM: Managed scheduled outages with our planned outage checklist.

“I think some businesses might be inclined to roll incidents like cyberattacks into their general crisis communication strategy, but that’s actually not a good idea. They are very different from a normal crisis because it can impact almost every area and can often go on for a very long time,” Roberts explained.

Planning should involve the whole business and be led from the top

Best practice sees CIOs and CISOs working closely together with senior stakeholders from across the business, including CEOs and boards, to bring together a cohesive, leadership-led crisis communications plan that will be able to function in the event of a stressful incident.

There is currently “a bit of a disconnect” between IT and security leaders and boards, Roberts argues, with CISOs rarely included in board meetings. Roberts said that in cyber security, it was best if CEOs and boards were involved in implementing crisis communications plans from the top.

Organisations should define and document crisis roles and responsibilities

Organisations should form a crisis committee and document roles and responsibilities, including the communications responsibilities of IT and security leaders. The documentation should include the names and contact details of business representatives and any external advisers.

“For an e-commerce business time is money and they can be losing revenue by the second. They need to make sure that the plan involves everyone’s contact details, and they’ve defined roles so that they know exactly what to do when an attack is discovered,” Roberts said.

Scenario exercises and prepared statements can help in real-time

One of the best ways to ensure IT and security teams are prepared for managing the communications aspects of a crisis is to run crisis scenario exercises. These exercises stress test the business’ ability to deal with a crisis while undertaking necessary communications.

Roberts suggests that creating pre-prepared statements is advisable. “These are templates that are ready to go, you just need to insert some information. Pre-prepared statements allow you to be on the front foot and be available with information as quickly as possible,” she said.

IT and security leaders can improve crisis communications messaging

Strong IT and security input can support stronger and clearer communications during an incident. In a cyber incident, for example, Roberts explained that, while a CEO rather than a CISO would most likely be the spokesperson, CISOs can be highly involved in advising them on what to say has happened and how the company will be moving forward.

“Often a CEO will come out and make a statement about an outage or a cyber attack, and they’ve got no idea what they’re talking about,” Roberts said. “Their lack of language in describing what’s happening is then very much criticised by people in the industry, because they’re not making any sense and they don’t actually reveal very much,” she said.

Being prepared will make communications much easier

A tech-related crisis like an outage or a cyber attack is “not a matter of if, but when” for organisations, Roberts said. The best way for IT and security teams to handle communications during these events is to take a leadership role and be prepared ahead of time, she said.

“I think it’s being prepared, it’s being involved, it’s leading it from the top,” Roberts said. “They need to make sure they practise scenarios and everyone knows their responsibility when an attack or an outage does occur; being honest and open and talking to customers is critical.”