CYBER CRISIS MANAGEMENT

SUPPORTING CORPORATE CRISIS COMMUNICATION AND PUBLIC RELATIONS FIRMS WITH GREAT CONTENT, PRICELESS CONTEXT, AND TIME

The best way to manage a crisis is to not let it turn into one in the first place. In support of this mission, we:

  • Measure the brand, reputation, and sentiment of the corporate cybersecurity program, using the tools you already know and trust.
  • Maintain the cybersecurity content calendar, filling it with approved content that will hit the right tone and message with key stakeholders, from the customers to the boardroom.
  • Create long-term value for the business, all thanks to the work that you will be leading with the cybersecurity program.

“I’ve done a huge amount of work with our marketing and comms teams at [2 household name brands]. There’s definitely a need” — Top Silicon Valley CISO

There’s a huge need. But many CISOs don’t have the time or energy to sit down and really keep the conversation going. After all, explaining PCI, HIPAA, GDPR, ISO27001, SOCII, NIST, and countless other standards and frameworks that serve as the GRC backbone for your program is quite difficult.

ZecurityAscent steps in to take that workload off your hands, freeing you up to be a great security practitioner and leader rather than being pulled aside, day and night, to deal with crisis communications. In simple terms, we fill that glaring gap between cybersecurity and marketing.

Ideally, though, this is about avoiding a cyber crisis in the first place. If one should occur, we will deal with it…together. But the real secret sauce is in building up your brand equity to a point where a crisis is outright avoided. And in so doing, building the best cybersecurity team and program possible.

The #1 question we get asked is…

“Don’t most companies already have a PR firm on retainer?”

Why yes, of course they do. But we don’t compete with them. And we certainly don’t compete with the internal marketing teams. Rather, we augment the capabilities of both, specifically where it comes to cybersecurity.

If you are a PR firm and wish to have us on retainer, that’s fine by us. Likewise if a customer says they would rather just pay us through you, then of course we are open to sub-contracting with you as needed.

Together, it’s our job to make the customer shine bright. Whatever that takes. This is exactly why we are not set up to be competitors, only the best possible partner.

Key tips from around the world

How much does a data breach cost? Here's where the money goes.

Much of the conversation has been focused on what vulnerabilities exist and the technology impact…the focus seems to be very narrowly on the breach notification element and the post-breach protection mechanisms that need to be in place, but the board impact seems to be ignored.

Emily Mossburg (principal with Deloitte & Touche) | CSO Online

ZecurityAscent: Correct! The broad impact is being ignored. That’s what we see and hear on a daily basis. And with each new breach, there are few who are really challenging themselves beyond the initial breach notification.

And of course this only adds to the post-breach impact and costs for the organization, as the brand erodes and revenue is impacted. This is exactly what the boardroom cares about, but it is oftentimes simply left unattended.

For Today's Chief Marketers, Cybersecurity is a Key Campaign

When you start losing confidence in an organization, all the parts that rely on data become questioned by the individual. Organizations going through digital transformation lose.

Ponemon Institute | SecurityRoundTable.org

ZecurityAscent: Digital transformation of the business is generally viewed as essential to long-term survivability. After all, all business is digital these days. So no IT executive wants to see those efforts negatively impacted, as that will generally impact his/her very own brand. Confidence is lost at many levels.

For Today's Chief Marketers, Cybersecurity is a Key Campaign

The biggest problem is the destruction of your reputation and your brand. Those are the things that people tend to underestimate, because they’re not tangibly quantifiable in many ways. Make no mistake, though, reputation and brand erosion are what executives regret the most over time.

John Kindervag | SecurityRoundTable.org

ZecurityAscent: Cybersecurity revolves around concepts like the CIA (Confidentiality, Integrity, Availability) Triad. But look in just about any security book, blog, vlog, or podcast, and chances are brand protection is not chief among them.

And that’s okay, as long as the security teams let the natural defense team for the brand (marketing) do all it can, supporting them along the way.

Failing to Practice

Above all, a plan needs to be practiced with the full team. An incident response plan is a living, breathing document that needs to be continually updated and revised. By conducting a tabletop exercise on a regular basis, teams can work out any hiccups before it’s too late.

Michael Bruemmer | 10 mistakes companies make after a security breach | CSO online

ZecurityAscent: Let our Security Breach for Marketing Playbook be your guide. Even though it was built with the marketing team’s needs in mind, information security teams will benefit as well. It’s a jointly-developed and balanced plan to bridge the inherent gap between IT and marketing.

ZecurityAscent doesn’t offer quick fix solutions. There simply aren’t any when it comes to breach response by marketing. It just means we all now have the opportunity to guide this transformation by the security and marketing organizations in each tabletop exercise, further growing their key capabilities.

Lack of Clear Communication

Related to the lack of a single decision maker, a lack of clear communication is also a problem. Miscommunication can be the key driver to mishandling a data breach, Bruemmer says, as it delays process and adds confusion.

Michael Bruemmer | 10 mistakes companies make after a security breach | CSO online

ZecurityAscent: You’ve likely seen the immediate responses that make you cringe just a bit, such as a quote from the CISO that says something along the lines of “well you see what happened was a user, despite our ongoing training efforts, clicked on a link in an email, so we are going to look at enhancing our training in that area”.

We only get one chance to make a great first impression. This type of response would not hit the mark.

No Communication Plan

Companies should have a well-documented and tested communications plan in the event of a breach, which includes draft statements and other materials to activate quickly. Failure to integrate communications into overall planning typically means delayed responses to media and more likely more critical coverage.

Michael Bruemmer | 10 mistakes companies make after a security breach | CSO online

ZecurityAscent: Ah yes, the dreaded words from the media “We tried reaching out to [organization] but did not receive an immediate response”. No one really wants to hear that, least of all the media. And let’s just go ahead and include all the bloggers as well.

If the community doesn’t see or hear some reasonable degree of transparency, empathy, and vision, you can bet they will fill in the blanks to suit their own agenda. They will simply build themselves up by tearing others down.

No Remediation Plans Post Incident

If an organization makes additional investments in processes, people and technology to more effective [sic] secure the data, finding ways to share those efforts can help rebuild reputation and trust. Yet, many fail to take advantage of this longer-term need once the initial shock of the incident is over.

Michael Bruemmer | 10 mistakes companies make after a security breach | CSO online

ZecurityAscent: This is where the real work comes in. Who will collect, create, and convey the narrative you want and need most over the long term? Who, specifically, can help the audience align with your brand?

As you are on the road to recovery, document it. Tell the great story. When someone says something like “they literally wrote the book on how NOT to respond to a breach”, perhaps acknowledge that in the right way and go on to share how that may have indeed been the bottom, but you are now climbing back to the top. And then tell that story. That’s what people are most interested in over time. That’s what brand recovery is all about.

No External Agencies Secured

Sometimes a breach is too big to deal with in-house, and the type of breach may make that an unwise one. So it’s best to have external help available if needed. Incident Response teams…should at least be evaluated and considered when forming a business continuity/incident response plan.

Michael Bruemmer | 10 mistakes companies make after a security breach | CSO online

ZecurityAscent: Large organizations are already likely to have technical response teams on retainer. And that’s good. Because really, who wants to go shopping for such help in the midst of a crisis? Who would even have the time?

But those technical resources are NOT what we are talking about here. Because we primarily work with your marketing teams on long-term plays that have real impact. In short, we are there with you long after the more technical clean up crews.

Beneath the Surface of a Cyberattack: A Deeper Look at the Business Impacts

Beneath the surface

  • Value of lost contract revenue = 49.43% of the total
  • Lost value of customer relationships = 25.61% of the total
  • Devaluation of trade name = 13.7% of the total
  • Insurance premium costs = 2.38% of the total
  • Cybersecurity improvements = 0.83% of the total
  • Technical investigations = 0.06% of the total

Deloitte Advisory | How much does a data breach cost? Here’s where the money goes | CSO online

ZecurityAscent: So there’s the disconnect. IT organizations often feel that the investigations and new technical controls are a large part of the cost of recovery, when in fact they are just a drop in the bucket.

And this is exactly why the Cybersecurity Marketing Academy was started, as well as the Security Breach Playbook for Marketing. As security experts and leaders, we need to be seen leveraging every defensive measure possible, including those that are not necessarily technical in nature.

It’s these soft skills that will ultimately have the greatest impact on the health of the business.

For Today's Chief Marketers, Cybersecurity is a Key Campaign

Marketers need to think about data security in ways we never have before. CMOs definitely have to think of how to protect their brand…

Maria Pousa | SecurityRoundTable.org

ZecurityAscent: Bottom line: The Chief Marketing Officers (CMOs) need all the help they can get from the cybersecurity teams. But they need it far beyond the initial breach notification. And as any CIO or CISO who has suffered through this before knows, that’s a distraction they would rather not have in the heat of battle.

IDC FutureScape: Security Products & Services Solutions Highlights

By 2020, over 80% of enterprises worldwide will invest in incident response retainers.

IDC | IDC Web Conference

ZecurityAscent: Translation: Don’t wait too long to lock up your key outside incident response services. As sure as there are limited cybersecurity professionals in the market, there will be increased challenges in finding and retaining the services needed.

Your Company Needs a Communication Plan for Data Breaches

Be sure that you know who your biggest advocates are when it comes to your customer base, partners, investors, and media pundits, as the tide of public opinion can turn very quickly during a cybersecurity crisis. Make sure you have relationships established with top broadcast, print, social, and security experts, as well as market influencers. Work closely with your external public relations (PR) and media partners and identify specialists in crisis management and communication who can be an extension of your internal team so that when a data breach happens, they will be at the table with you. This may mean investing in relationships that are outside of your primary communications plan, such as security bloggers who regularly comment on prominent breaches or third tier media with a tendency to sensationalize such topics.

Holly Rollo and Peter Tran | Harvard Business Review Crisis Management (hbr.org)

ZecurityAscent: Couldn’t have said it any better ourselves.

Your Company Needs a Communication Plan for Data Breaches

As time passes, communicate what was learned and what was done to improve security as a result. Make sure employees and major stakeholder audiences are provided messaging after the fact repeatedly. History has a way of being written. Remember, you can help control how the final chapter is written — as long as you write one.

Finally, don’t forget to dust off and revisit your plan often. Hackers are constantly trying to stay one step ahead of you. So, keep running simulations. Keep spokespeople fresh. Keep your communications plan up-to-date and at your fingertips. Your brand and your company’s livelihood depend on it.

Holly Rollo and Peter Tran | Harvard Business Review Crisis Management (hbr.org)

ZecurityAscent: Couldn’t have said it any better ourselves.

Cyber Crisis Playbook

Be fully prepared

Learn More at the Cybersecurity Marketing Academy?