Helping information security programs shine!
A clear NEED, indeed…
Much of the conversation has been focused on what vulnerabilities exist and the technology impact…the focus seems to be very narrowly on the breach notification element and the post-breach protection mechanisms that need to be in place, but the broad impact seemed to be ignored.
Emily Mossburg (principal with Deloitte & Touche), from How much does a data breach cost? Here’s where the money goes. | CSO Online
And of course this only adds to the post-breach impact and costs for the organization, as the brand erodes and revenue is impacted. This is exactly what the boardroom cares about, but it is oftentimes simply left unattended.
When you start losing confidence in an organization, all the parts that rely on data become questioned by the individual. Organizations going through digital transformation lose.
Ponemon Institute, from For Today’s Chief Marketers, Cybersecurity Is a Key Campaign | SecurityRoundTable.org
The biggest problem is the destruction of your reputation and your brand. Those are the things that get destroyed, and those are the things that people tend to underestimate, because they’re not tangibly quantifiable in many ways. Make no mistake, though, reputation and brand erosion are what executives regret the most over time.
John Kindervag, from For Today’s Chief Marketers, Cybersecurity Is a Key Campaign | SecurityRoundTable.org
And that’s okay, as long as the security teams let the natural defense team for the brand (marketing) do all it can and help them along the way.
Above all, a plan needs to be practiced with the full team. An incident response plan is a living, breathing document that needs to be continually updated and revised. By conducting a tabletop exercise on a regular basis, teams can work out any hiccups before it’s too late.
Michael Bruemmer, from Failing to Practice | 10 mistakes companies make after a security breach | CSO Online
ZecurityAscent doesn’t offer quick fix solutions. There simply aren’t any when it comes to breach response by marketing. But that’s all good, as it gives us the opportunity to guide this transformation by the security and marketing organizations in each tabletop exercise, further growing the key capabilities.
Related to the lack of a single decision maker, a lack of clear communication is also a problem. Miscommunication can be the key driver to mishandling a data breach, Bruemmer said, as it delays process and adds confusion.
Michael Bruemmer, from Lack of Clear Communication | 10 mistakes companies make after a security breach | CSO Online
Was it really the user’s fault? Really? We only get one shot to make a great first impression, right?
Companies should have a well-documented and tested communications plan in the event of a breach, which includes draft statements and other materials to activate quickly. Failure to integrate communications into overall planning typically means delayed responses to media and more likely more critical coverage.
Michael Bruemmer, from No Communications Plan | 10 mistakes companies make after a security breach | CSO Online
If the community doesn’t see or hear some reasonable degree of transparency, empathy, and vision, you can bet they will fill in the blanks to suit their own agenda. They will simply build themselves up by tearing others down.
If an organization makes additional investments in processes, people and technology to more effective [sic] secure the data, finding ways to share those efforts can help rebuild reputation and trust. Yet, many fail to take advantage of this longer-term need once the initial shock of the incident is over.
Michael Bruemmer, from No Remediation Plans Post Incident | 10 mistakes companies make after a security breach | CSO Online
As you are on the road to recovery, document it. Tell the great story. When someone says something like “they literally wrote the book on how not to respond to a breach”, perhaps acknowledge that in the right way and go on to share how that may have indeed been the bottom, but you are now climbing back to the top. And then tell that story. That’s what people are most interested in over time. That’s what brand recovery is all about.
Sometimes a breach is too big to deal with in-house, and the type of breach may make that an unwise one. So it’s best to have external help available if needed. Incident Response teams…should at least be evaluated and considered when forming a business continuity/incident response plan.
Michael Bruemmer, from No External Agencies Secured | 10 mistakes companies make after a security breach | CSO Online
But those technical resources are NOT what we are talking about here. Because we primarily work with your marketing teams on long-term plays that have real impact. In short, we are there with you long after the more technical clean up crews.
Beneath the surface
- Value of lost contract revenue = 49.43% of the total
- Lost value of customer relationships = 25.61% of the total
- Devaluation of trade name = 13.7% of the total
- Insurance premium costs = 2.38% of the total
- Cybersecurity improvements = 0.83% of the total
- Technical investigations = 0.06% of the total
Deloitte Advisory, from Beneath the Surface of a Cyberattack: A Deeper Look at the Business Impacts | How much does a data breach cost? Here’s where the money goes | CSO Online
And this is exactly why the Security Breach Academy was started, as well as the Security Breach Playbook for Marketing. As security experts and leaders, we need to be seen leveraging every defensive measure possible, including those that are not necessarily technical in nature.
It’s these soft skills that will ultimately have the greatest impact on the health of the business.
Marketers need to think about data security in ways we never have before. CMOs definitely have to think of how to protect their brand…
Maria Pousa, from For Today’s Chief Marketers, Cybersecurity Is a Key Campaign | SecurityRoundTable.org
By 2020, over 80% of enterprises worldwide will invest in incident response retainers.
IDC, from IDC FutureScape: Security Products & Services Solutions Highlights | IDC Web Conference
Be sure that you know who your biggest advocates are when it comes to your customer base, partners, investors, and media pundits, as the tide of public opinion can turn very quickly during a cybersecurity crisis. Make sure you have relationships established with top broadcast, print, social, and security experts, as well as market influencers. Work closely with your external public relations (PR) and media partners and identify specialists in crisis management and communication who can be an extension of your internal team so that when a data breach happens, they will be at the table with you. This may mean investing in relationships that are outside of your primary communications plan, such as security bloggers who regularly comment on prominent breaches or third tier media with a tendency to sensationalize such topics.
As time passes, communicate what was learned and what was done to improve security as a result. Make sure employees and major stakeholder audiences are provided messaging after the fact repeatedly. History has a way of being written. Remember, you can help control how the final chapter is written — as long as you write one.
Finally, don’t forget to dust off and revisit your plan often. Hackers are constantly trying to stay one step ahead of you. So, keep running simulations. Keep spokespeople fresh. Keep your communications plan up-to-date and at your fingertips. Your brand and your company’s livelihood depend on it.
Holly Rollo and Peter Tran (Harvard Business Review), from Your Company Needs a Communication Plan for Data Breaches | Harvard Business Review Crisis Management (hbr.org)
YOUR NEXT STEPS?
Simply call or email using the information provided below, letting us know you want to learn more about internal cybersecurity marketing.
Please reach out to us and let us know how we can help.
You can expect to hear back from us within 1 business day.
We never enter into any situation thinking that you are broken and we are there to fix you. And if we just happen to come in following a bad situation, such as a major data breach, it’s our empathy that shines through, not any judgement. Because, while we are certainly skillful security practitioners in our own right, playing Monday morning quarterback is not what we are bringing to the table. So please, rest easy.
What you will absolutely get from us is the masterful collection of artifacts and worthwhile tidbits around your security program, capturing your leading efforts down the path to excellence that might otherwise be lost, quickly turning that into content that you will be proud of. As we get to work, our goal is to create something so meaningful to you personally that you will want nothing more than to immediately skip right past your manager in order to go and show your family what it is that you do so well. If that’s our only measure of success, then we completely nailed it!
In other words, the only thing we have to sell you is, well, you. Now that’s cool.
Everyone on the front lines of security deserves a positive legacy. So as you look at the content produced on your behalf, simply ask yourself: Would I want to leave printed copies of this on my desk when I move on to the next big thing, or simply take them with me? We sure hope and expect it will be the former.