CUSTOMER CASE STUDY

Collaborating to Design a Holistic Incident Response Communications Plan

Like the instantly recognizable hammerhead, Discernible’s incident planning and response services are distinct and optimized for the environment.

Background

The overall number of data compromises in 2021 jumped more than 68% compared to 2020, according to the Identity Theft Resource Center, continuing the upward trend of cyber threats against organizations. Yet only 26% of organizations have a cybersecurity incident response plan applied consistently across the entire enterprise, a figure that has remained low over the years, according to the Cyber Resilient Organization Study from IBM. And, amongst the small number that do have a plan, 74% of those organizations reported inconsistently applying it.

Situation

A leading collaborative design platform proactively decided they wanted to be in the category of companies that were fully prepared to communicate effectively for a range of situations, with an end to end incident and response communications plan. Here’s how they did it.

The company has a robust and responsive cybersecurity program with an established response plan for its technical teams. They wanted to improve how they would communicate with internal and external stakeholders if an incident occurred – whether it was a breach, a vulnerability or other situation that required a quick, accurate and public response. 

In nearly every organization, communications professionals are on the front lines of managing the external response to a security incident. Security teams are in the trenches working hard to make sure they prevent an incident before it happens or reduce the potential damage if it does. Yet often, these two groups are siloed and only come together after a crisis has happened – and by then it’s usually too late.

To avoid that all too common (and costly) scenario, the corporate communications team wanted to create a framework that empowered them to respond publicly to an incident in an informed and holistic way. “Knowing that security incidents can be relatively high profile and high stakes, we wanted to have a process and a framework in place that was inclusive and orderly, knowing that in those moments it can be chaotic. And we wanted it to not be chaotic,” said their Director of Communications. And given that collaboration is baked into their DNA – after all, their entire business is based on connecting everyone in the design process – they knew they couldn’t do it alone.

Solution

To build their security incident communications framework, the company started with two basic principles: 1) it needed to be a collaborative effort and include stakeholders from across company disciplines, and 2) engaging an expert with experience in both security and communications was a must to help them get this right, the first time.

Discernible was brought in to guide the team from start to finish on how to build a foundation for incident response that is both flexible and comprehensive. This required, in part:

  • Identifying stakeholders that go beyond just comms, legal, and security. “A good response process is inclusive,” notes Discernible CEO Melanie Ensign. Everyone from HR to customer support and even members of the Board of Directors and leadership team have a role to play because they all engage in critical stakeholder relationships.

  • Getting clear on exactly what they were trying to achieve for all their stakeholders, including customers, employees, investors, and the security community. Even without knowing what the specific details of an incident might entail, Discernible worked with the team to identify individual principles they wanted reflected in security-related communication decisions and content. Because this was tackled early, critical communication decisions could later be made with cooler heads and long-term judgment.

  • Making sure every stakeholder knew and agreed to what their specific role was if an incident occurred. This involved detailing exactly who was accountable for which communication tasks during an incident, from communications between security teams at peer companies and suppliers, to customer support and social media engagement.

  • Creating and pressure-testing a process and plan through table-top exercises and multiple rounds of review, input and revision. The hallmark of Discernible’s approach is that incident response plans are designed to address a variety of security-related incidents regardless of severity or impact. This allows security teams to align incident response communications with their day-to-day workflows, so even small, low-risk events become an opportunity to strengthen their response to major escalations.

43% of plans do not fully designate internal incident response stakeholders
— 2019 Verizon Incident Preparedness Response Report

Through a series of working sessions and plan drafting facilitated by Discernible, a foundational plan and process was created, including:

  • A communications RACI that was “optimized for speed,” which documents each stakeholder’s role and responsibility in specific communication decisions and outputs.

  • A communications response plan and process that works with the company’s existing tools (software, communication platforms, etc.) and technical response plans, and is customized to the way the business works.

  • A process for changing the plan as the business’s needs change.

I always admired Melanie’s ability to see through the clutter and diagnose the problem in a way that is very clear-eyed. When we needed to create something as no-nonsense as a process for how to respond to potential security incidents, we wanted to work with someone who was going to focus on the right path and give it to us straight – and that was Melanie.
— Director of Corporate Communications

Results

Today, the company has a documented communications response plan and process that represents every stakeholder who would ultimately be involved should an incident happen. “We have been able to pressure test it with third party incidents and it has worked very well. It is a living document, and it includes a plan for what to do and how to do it if our needs change,” said the Director of Corporate Communications.

After this experience, the company’s head of security said that “having a flexible, yet reliable communications framework that supports our technical response plan means our cross functional partners know in advance what to expect from our security team during an incident, how to best support our investigations, and how to quickly respond to external stakeholder needs. This significantly increases our efficiency in engaging with our partners to ensure they have the information they need as quickly as possible.”

Key Takeaways

If your organization is considering creating a security communications response plan or updating an existing one, here are some points to keep in mind:

  • A plan that only addresses security breaches is limiting. You need to prepare for a range of potential situations that will require coordination with other teams or third parties, not to mention an external response or a customer-facing communication.

  • There is no “one size fits all” plan – so avoid the temptation to use one. Every company is unique, and your plan should fit the business needs today and be flexible enough to adapt as the company changes.

  • Look at the plan holistically – it should include stakeholders from every part of the organization, not just security, legal, or communications.


If you would like to learn more about Discernible’s incident communications preparedness and response services, please contact us here.
