Outages and cyber incidents can have a direct impact on a company's brand, share price and jobs, according to Louise Roberts, managing director of Sphere Public Relations in Australia. She also noted that they can cost an “extraordinary” amount of money in lost income and fines.
For this reason, IT leaders, including CIOs and CISOs, should be actively involved in crisis communications planning and incident response. Roberts said the involvement of these leaders, in collaboration with other stakeholders, can lead to more effective management of a crisis.
“They obviously need to build a strong, resilient infrastructure and have all the cybersecurity protections in place,” Roberts explained. “But the entire company needs to be involved (in communications), including IT, because this really affects the company in the future.”
IT leaders are expected to participate in crisis communications.
Australia has seen crisis communication failures in recent times. These include the disruption of the national Optus network in 2023, which saw the telecommunications company criticized for communicating poorly with the public and led to the eventual resignation of its chief executive.
Roberts said the fundamentals of crisis communications are “tell everything, tell the truth and tell it now.” However, she added that this rarely happens, which can end up backfiring in the form of significant damage to an organization's brand, in addition to other impacts such as lost revenue.
IT and security leaders play a critical role in helping the CEO and the organization identify and rectify the problem; they must also support clear, accurate and prompt communication with key affected stakeholders, including customers and third parties.
CISOs have a clear communication role during cybersecurity incidents
The Australian Signals Directorate Information Security Manual places clear responsibility on CISOs to support and manage communications during incidents. It states that a CISO's role during a cybersecurity incident includes managing how internal teams respond and communicate with each other.
“In the event of a major cybersecurity incident, the CISO must be prepared to take on a crisis management role. They must understand how to bring clarity to the situation and communicate effectively with internal and external stakeholders,” according to the ASD.
How IT and security leaders should prepare to manage crisis communications
IT and security leaders should have an updated cyber or technology crisis communication plan. Roberts said this should be separate from a regular crisis plan and should include dedicated input from IT and cyber specialists.
“I think some companies might be inclined to include incidents like cyberattacks in their overall crisis communications strategy, but that's actually not a good idea. They are very different from a normal crisis because it can affect almost all areas and can often last a long time,” Roberts explained.
Planning must involve the entire business and be directed from the top.
Best practices have CIOs and CISOs work closely with senior stakeholders across the enterprise, including CEOs and boards of directors, to craft a cohesive, leadership-led crisis communications plan that can function in the event of a stressful incident.
There is currently “a bit of a disconnect” between IT and security leaders and boards, Roberts maintains, and CISOs are rarely included in board meetings. Roberts said that on cybersecurity, it would be best if CEOs and boards of directors were involved in implementing crisis communications plans from the top.
Organizations must define and document roles and responsibilities in the event of a crisis.
Organizations should form a crisis committee and document the roles and responsibilities, including the communication responsibilities of IT and security leaders. The documentation must include the names and contact information of business representatives and external advisors.
“For an e-commerce company, time is money and they may be losing revenue every second. They need to make sure the plan includes everyone's contact details and have defined roles so they know exactly what to do when an attack is discovered,” Roberts said.
Scenario exercises and prepared statements can help in real time
One of the best ways to ensure that security and IT teams are prepared to manage the communication aspects of a crisis is to conduct crisis scenario exercises. These exercises test the company's ability to deal with a crisis while making necessary communications.
Roberts suggests that it is advisable to create pre-prepared statements. “These are templates that are ready to go; you just need to insert some information. Pre-prepared statements allow you to stay ahead and be available with information as quickly as possible,” she said.
IT and security leaders can improve crisis communication messages
Strong IT and security input can support stronger, clearer communications during an incident. In a cyber incident, for example, Roberts explained that while the spokesperson will most likely be a CEO rather than a CISO, CISOs can be heavily involved in advising them on what has happened and how the company will move forward.
“Often a CEO will come out and make a statement about a disruption or a cyberattack, and they have no idea what they're talking about,” Roberts said. “Their lack of language to describe what's happening is highly criticized by people in the industry, because they don't make any sense and don't really reveal much,” she said.
Being prepared will make communications much easier.
A technology-related crisis, such as an outage or cyberattack, “is not a question of if, but when” for organizations, Roberts said. The best way for security and IT teams to handle communications during these events is to take a leadership role and be prepared in advance, she said.
“I think it's preparing, it's engaging, it's leading from the top,” Roberts said. “They should make sure they practice scenarios and that everyone knows their responsibility when an attack or outage occurs; being honest and open and talking to customers is essential.”