Communication Gaps in Security and Privacy
Communication strategies work a lot like compound interest — the longer you wait to invest, the less value you accumulate over time. For a security and privacy communications professional, the more time you can spend getting to know a team and their environment, the more insights you can provide them about potential risks and opportunities. You become attuned to their culture and sensitive to signals for concern.
This is one of the reasons I advise security and privacy communications professionals to stay active in the technical community even if no one else in their communications organization engages with relevant communities. It’s also why I advise against communication strategies that only consider security or privacy once there’s a fire. The best incident preparedness efforts I’ve been part of helped avoid crises because we anticipated how something might play out long before it became an issue.
Communication Ecosystem
If you consider the most public aspect of most communications, media relations, as the spark for public dialogue (whether positive or negative), then the question is whether there is sufficient fuel and oxygen to actually ignite and sustain a fire (for better or worse). How you communicate, inside and outside your organization, on a daily basis determines how much fuel exists to ignite either a positive or negative spark. Your relationship with the broader community controls the supply of oxygen.
In my experience, one of the most common causes of completely avoidable security and privacy crises is the lack of understanding this relationship between media, internal communications, and community engagement. You cannot effectively build, repair, or sustain influence over business strategy or your reputation in an industry without a deep understanding of these overlapping priorities. In fact, I’ve found no other factor as important to determining the full impact of an incident or opportunity, than an organization’s dexterity in navigating this chemical reaction.
No communication effort happens in a vacuum. You are always compared to someone else in terms to technical capabilities, business readiness, ethics, and transparency. If you are not yet the industry standard by which others are measured, you better be prepared to outshine that benchmark in as many areas as you can before the spotlight shifts to you — — and as I mentioned previously, this approach requires communications professionals to dig deep with technical organizations and provide proactive counsel on an ongoing basis.
Self-Inflicted Crisis
Products you build specifically for security or privacy purposes are only half the battle. Your reputation and subsequent influence are also determined by data practices present across all products and services. Nowhere is this more visible perhaps than at companies boasting a lengthy list of “privacy settings” while enabling their business to exploit, manipulate, and obfuscate data practices from public view. More often, however, security and privacy teams simply lack the oversight and mechanisms to shape business outcomes outside their immediate purview.
This is how even well-intentioned companies let things slip through the cracks — — products that mistakenly over collect user data, service integrations with inadequate or unchecked security configurations, over-permissioned mobile apps — — all common symptoms for organizations where security and privacy are a priority for some teams, but not all teams. Companies (and government agencies) that claim these as priorities, must be able to demonstrate the authority of these functions to impact the business.
Too often, this authority comes only in the aftermath of a damaging or embarrassing incident unless security and privacy teams proactively establish their influence in advance. Below are a few moments where proactively putting someone inside your process to exercise internal and external influence makes all the difference to avoid or minimize the impact of an incident.
Product and Engineering Reviews
Product managers and engineering leads are committed to their projects like Frankenstein to his monster, often with similar results. Simple tweaks can often make a big difference and save projects from becoming skeletons hidden in a closet or unnecessary risks for an organization, but only if someone is there to ask the right questions early and often. Don’t hold your breath for lawyers or compliance teams to do this, you need to think beyond legal requirements and consider the perception of your choices because once you launch, perception is all that matters.
When I worked in-house, I insisted on sitting with the engineering teams rather than the communications organization because I knew where I needed credibility to be effective. When potentially controversial ideas arose, I asked the appropriate project lead to write a blog post about what they were considering and why. I provided them with a list of anticipated stakeholder questions that the blog post needed to address with complete honesty and technical evidence. I set the expectation that if the project advanced, the blog post would be published publicly under their name to ensure full transparency about any policy or design decisions. Even I was surprised by how effectively this technique put problematic projects to rest or led to a more thoughtful approach. Holding people accountable by name matters, but it only works if you’re inside the process.
Incident Preparedness
Don’t limit your focus to crisis response. Think about how you teach and support strong communication habits among your teams and cross-functional partners all the time. Do you consider relationship management as an ongoing action item after every tabletop exercise to ensure decisions can be made well and quickly by the right people informed with the necessary information? A simple way to build this capability is to follow the same communications response procedure for all security incidents whether it’s a bug bounty report, insider threat, or intrusion investigation.
Identify which organizational relationships facilitate the outcomes you need and which ones put a wrinkle in the process. Then iron them out NOW. You may even discover that no one has the necessary authority or ownership of a critical function to get things done. If your security team can’t get simple bug bounty tickets closed by certain engineering teams or are unable to effectively enforce service-to-service authorization requirements on an ongoing basis, guess which teams will drag their feet during a serious incident? If your privacy team’s first attempt at relationship management with technical teams is the lead-up to a regulatory deadline, you will struggle to build momentum in time. Make friends before you need them.
Organizational Resilience
One of the most frequently overlooked aspects of security and privacy is the impact of intense uncertainty and high-stakes for the teams that respond, clean up, and rebuild in an industry of constant change. Whether it’s a security incident or a seemingly routine re-organization, the emotional labor required of security and privacy professionals is rarely considered by business leaders, corporate communications, or legal teams in their various “strategic” planning. Getting the facts straight, sharing lessons with the community, and acknowledging actions that help prevent further escalation matters a hell of a lot to the people who show up everyday to protect your assets and your customers. They are invested in your success and stick around to help knowing you’ll likely scapegoat them anyway.
If you’re not already talking about mental health with your security and privacy teams, start now. Ideally, you’re also tackling incident preparedness with cross-functional teams so these individuals aren’t constantly tasked with swimming upstream against business inertia but in the absence of influence, at least give them adequate support and communications training so they can find fulfillment and emotional safety amidst the challenges.
There are still too many security and privacy organizations, including in-house and vendors, who view communications as an eleventh hour mouthpiece to broadcast decisions after the fact. What a waste!
Communications professionals have unique insights and expertise that can help you make better decisions to build influence and productive reputations for your team. Don’t wait until you think you need communications help — ask about the value they can contribute now and earn interest on your interest.