Helping information security programs shine!

 A clear NEED, indeed…

Much of the conversation has been focused on what vulnerabilities exist and the technology impact…the focus seems to be very narrowly on the breach notification element and the post-breach protection mechanisms that need to be in place, but the broad impact seemed to be ignored.

 

Emily Mossburg (principal with Deloitte & Touche), from How much does a data breach cost? Here’s where the money goes. | CSO Online

Correct! The broad impact is being ignored. That’s what we see and hear on a daily basis. And with each new breach, there are few who are really challenging themselves beyond the initial breach notification.

And of course this only adds to the post-breach impact and costs for the organization, as the brand erodes and revenue is impacted. This is exactly what the boardroom cares about, but it is oftentimes simply left unattended.

When you start losing confidence in an organization, all the parts that rely on data become questioned by the individual. Organizations going through digital transformation lose.

 

Ponemon Institute, from For Today’s Chief Marketers, Cybersecurity Is a Key Campaign | SecurityRoundTable.org 

Digital transformation of the business is generally viewed as essential to long-term survivability. After all, all business is digital these days. So no IT executive wants to see those efforts negatively impacted, as that will generally impact his/her very own brand. Confidence is lost at many levels. 

The biggest problem is the destruction of your reputation and your brand. Those are the things that get destroyed, and those are the things that people tend to underestimate, because they’re not tangibly quantifiable in many ways. Make no mistake, though, reputation and brand erosion are what executives regret the most over time.

 

John Kindervag, from For Today’s Chief Marketers, Cybersecurity Is a Key Campaign | SecurityRoundTable.org 

Cybersecurity revolves around concepts like the CIA (Confidentiality, Integrity, and Availability) Triad. But look in just about any security book, blog, vlog, or podcast, and chances are brand protection is not chief among them.

And that’s okay, as long as the security teams let the natural defense team for the brand (marketing) do all it can and help them along the way.

Above all, a plan needs to be practiced with the full team. An incident response plan is a living, breathing document that needs to be continually updated and revised. By conducting a tabletop exercise on a regular basis, teams can work out any hiccups before it’s too late.

 

Michael Bruemmer, from Failing to Practice | 10 mistakes companies make after a security breach | CSO Online 

Let the Security Breach for Marketing Playbook be your guide. Even though it was written with the marketing team’s needs in mind, information security teams benefit as well. It’s a jointly-developed and balanced plan to bridge the inherent gap between IT and marketing.

ZecurityAscent doesn’t offer quick fix solutions. There simply aren’t any when it comes to breach response by marketing. But that’s all good, as it gives us the opportunity to guide this transformation by the security and marketing organizations in each tabletop exercise, further growing the key capabilities. 

Related to the lack of a single decision maker, a lack of clear communication is also a problem. Miscommunication can be the key driver to mishandling a data breach, Bruemmer said, as it delays process and adds confusion.

 

Michael Bruemmer, from Lack of Clear Communication | 10 mistakes companies make after a security breach | CSO Online 

You’ve likely seen the immediate responses that make you cringe just a bit, such as a quote from the CISO saying something along the lines of “well you see what happened was a user, despite our ongoing training efforts, clicked on a link in an email, so we are going to look at enhancing our training in that area.”

Was it really the user’s fault? Really? We only get one shot to make a great first impression, right?

Companies should have a well-documented and tested communications plan in the event of a breach, which includes draft statements and other materials to activate quickly. Failure to integrate communications into overall planning typically means delayed responses to media and more likely more critical coverage.

 

Michael Bruemmer, from No Communications Plan | 10 mistakes companies make after a security breach | CSO Online 

Ah yes, the dreaded words from the media “we tried to reach out to [organization] but did not receive a response”. No one really wants to hear that, least of all the media. And let’s just go ahead and include all the bloggers and pundits out there. 

If the community doesn’t see or hear some reasonable degree of transparency, empathy, and vision, you can bet they will fill in the blanks to suit their own agenda. They will simply build themselves up by tearing others down. 

If an organization makes additional investments in processes, people and technology to more effective [sic] secure the data, finding ways to share those efforts can help rebuild reputation and trust. Yet, many fail to take advantage of this longer-term need once the initial shock of the incident is over.

 

Michael Bruemmer, from No Remediation Plans Post Incident | 10 mistakes companies make after a security breach | CSO Online 

This is where the real work comes in. Who will collect, create, and convey the narrative you want and need most over the long term? Who, specifically, can help the audience align with your brand?

As you are on the road to recovery, document it. Tell the great story. When someone says something like “they literally wrote the book on how not to respond to a breach”, perhaps acknowledge that in the right way and go on to share how that may have indeed been the bottom, but you are now climbing back to the top. And then tell that story. That’s what people are most interested in over time. That’s what brand recovery is all about.

Sometimes a breach is too big to deal with in-house, and the type of breach may make that an unwise one. So it’s best to have external help available if needed. Incident Response teams…should at least be evaluated and considered when forming a business continuity/incident response plan.

 

Michael Bruemmer, from No External Agencies Secured | 10 mistakes companies make after a security breach | CSO Online 

Large organizations are already likely to have technical response teams on retainer. And that’s good. Because really, who wants to go shopping for such help in the midst of a crisis? Who would even have the time?

But those technical resources are NOT what we are talking about here. Because we primarily work with your marketing teams on long-term plays that have real impact. In short, we are there with you long after the more technical cleanup crews.

Beneath the surface

  • Value of lost contract revenue = 49.43% of the total
  • Lost value of customer relationships = 25.61% of the total
  • Devaluation of trade name = 13.7% of the total
  • Insurance premium costs = 2.38% of the total
  • Cybersecurity improvements = 0.83% of the total
  • Technical investigations = 0.06% of the total

 

Deloitte Advisory, from Beneath the Surface of a Cyberattack: A Deeper Look at the Business Impacts | How much does a data breach cost? Here’s where the money goes | CSO Online

So there’s the disconnect. IT organizations often feel that the investigations and new technical controls are a large part of the cost of recovery, when in fact they are just a drop in the bucket. 

And this is exactly why the Security Breach Academy was started, as well as the Security Breach Playbook for Marketing. As security experts and leaders, we need to be seen leveraging every defensive measure possible, including those that are not necessarily technical in nature.

It’s these soft skills that will ultimately have the greatest impact on the health of the business.

Marketers need to think about data security in ways we never have before. CMOs definitely have to think of how to protect their brand…

 

Maria Pousa, from For Today’s Chief Marketers, Cybersecurity Is a Key Campaign | SecurityRoundTable.org 

Bottom line: The Chief Marketing Officers (CMOs) need all the help they can get from the cybersecurity teams. But they need it far beyond the initial breach notification. And as any CIO or CISO who has suffered through this before knows, that’s a distraction they would rather not have in the heat of battle.

By 2020, over 80% of enterprises worldwide will invest in incident response retainers.

 

IDC, from IDC FutureScape: Security Products & Services Solutions Highlights | IDC Web Conference

Translation: Don’t wait too long to lock up your key outside incident response services. As sure as there are limited cybersecurity professionals in the market, there will be challenges in finding and retaining the services needed. 

Be sure that you know who your biggest advocates are when it comes to your customer base, partners, investors, and media pundits, as the tide of public opinion can turn very quickly during a cybersecurity crisis. Make sure you have relationships established with top broadcast, print, social, and security experts, as well as market influencers. Work closely with your external public relations (PR) and media partners and identify specialists in crisis management and communication who can be an extension of your internal team so that when a data breach happens, they will be at the table with you. This may mean investing in relationships that are outside of your primary communications plan, such as security bloggers who regularly comment on prominent breaches or third tier media with a tendency to sensationalize such topics.

 

As time passes, communicate what was learned and what was done to improve security as a result. Make sure employees and major stakeholder audiences are provided messaging after the fact repeatedly. History has a way of being written. Remember, you can help control how the final chapter is written — as long as you write one.

 

Finally, don’t forget to dust off and revisit your plan often. Hackers are constantly trying to stay one step ahead of you. So, keep running simulations. Keep spokespeople fresh. Keep your communications plan up-to-date and at your fingertips. Your brand and your company’s livelihood depend on it.

 

Holly Rollo and Peter Tran (Harvard Business Review), from Your Company Needs a Communication Plan for Data Breaches | Harvard Business Review Crisis Management (hbr.org)

Couldn’t have said it any better ourselves.

 

YOUR NEXT STEPS?

Simply call or email using the information provided below, letting us know you want to learn more about internal cybersecurity marketing.

LET'S CONNECT

Please reach out to us and let us know how we can help.

You can expect to hear back from us within 1 business day.

Our Commitment

We never enter into any situation thinking that you are broken and we are there to fix you. And if we just happen to come in following a bad situation, such as a major data breach, it’s our empathy that shines through, not any judgement. Because, while we are certainly skillful security practitioners in our own right, playing Monday morning quarterback is not what we are bringing to the table. So please, rest easy.

What you will absolutely get from us is the masterful collection of artifacts and worthwhile tidbits around your security program, capturing your leading efforts down the path to excellence that might otherwise be lost, quickly turning that into content that you will be proud of. As we get to work, our goal is to create something so meaningful to you personally that you will want nothing more than to immediately skip right past your manager in order to go and show your family what it is that you do so well. If that’s our only measure of success, then we completely nailed it!

In other words, the only thing we have to sell you is, well, you. Now that’s cool.

Your Legacy

Everyone on the front lines of security deserves a positive legacy. So as you look at the content produced on your behalf, simply ask yourself: Would I want to leave printed copies of this on my desk when I move on to the next big thing, or simply take them with me? We sure hope and expect it will be the former.

Legacy. What is a legacy? It’s planting seeds in a garden you never get to see.

Alexander Hamilton

Hamilton, The Broadway Musical