Keep Calm and Plan On: Expert Advice on Incident Response Communications

Q&A with Brooke Pearson, former head of security awareness at Uber and Discernible advisory board member

Photo courtesy of Brooke Pearson

Q. What’s the difference between security communications and incident response communications? Or is there a difference?

Ideally speaking, security awareness communications and internal incident communications should both be proactive. They need to be in place long before there's an incident, in order to build muscle for employees to be able to respond to an incident and know how to spot security vulnerabilities. So that’s what they have in common.

However, there are some important differences for incident comms: there are more guardrails around what can be said publicly about a security incident. The incident could be related to an insider threat, or there could be legal considerations that restrict how much can be communicated.

Also, incident response communications usually follow a “playbook.” Not every company has one, but it’s a really good idea to put one together. Usually these are targeted, based on the audience, type of incident, etc. That way you have a plan and sustainable system in place for what you need to communicate and to whom - like to execs vs. external partners and so on - and you spell out how often you will be updating them.

On the other hand, internal security comms are often designed to tell employees what they can do, and at a high level, what the company is doing to address risk.

Q. What do companies sometimes overlook when putting together an incident response communications plan?

The best companies involve their information security, IT or tech support teams, and their physical security teams in building playbooks and running drills. Often, IT and physical security teams are overlooked when creating a playbook, even though there are overlapping communications that need to happen during an incident. For instance, I mentioned earlier the example of insider threat - your playbook should include physical and information security guidelines to staff and also users affected during incident triage. While the teams may not use the same playbook per se, their plans should speak to one another and be consistent where possible.

Another mistake I have seen is that playbooks are created, but when an incident happens, no one can find it. This one is tough because (particularly for highly sensitive information) some of the content may be confidential. So you don’t want to put it on a SharePoint or something like that. Ideally, it sits somewhere where anyone who is on-call or anyone who is a cross-functional partner of the security team should be able to access it at any point, usually with a short URL or a shortened link so that they know exactly where to go.

A few other tips: Avoid using jargon and acronyms without defining them, no matter who the audience is, no matter how technical they are. It can cause confusion at a time when you need clarity. And avoid long emails for incident comms. Keep it brief, and include a short executive summary at the top with the most pertinent information, including mitigation status and an expectation of when the next update will be shared.

Q. Beyond the obvious, how do Incident Response Communications plans help security teams within an organization?

When done well, a good incident response communication plan inspires confidence in your leadership team. You need your security leaders to communicate well with each other and key stakeholders during a crisis. It’s also important not to overpromise and under-deliver in your plan. You should set expectations around the cadence of communications - because in the beginning of an incident, there are always a lot of unknowns. Saying “we’re not sure what’s going on but we’ll keep you posted” is not a plan, and it’s not what executives want to hear. Ideally, you are honest and brief, and commit to a timeline for keeping folks up to date.

The best thing that a security team can do to build that credibility is to have a well-baked plan that includes cross-functional partners; for instance, your legal, public policy and external comms teams, etc. Their job is to communicate externally, and the more you’ve developed that relationship and incident response processes, the more they can help you when it matters.

Q. What is something communications teams can do before an incident happens to help things go better when one arises, which it inevitably will?

Be really proactive about getting time with executives and team leaders to educate them about the plan and playbook. These people are busy, but try to add it as an agenda item to an existing executive meeting. You want to build relationships with the people who will be impacted when an incident occurs. Even though incident response as a function or responsibility may report several levels down, they need to know you have a playbook and that it addresses the most significant business risks.

I would also add that teams should invest in getting expert help from a resource like Discernible to build their communications plan process. So many companies - both large and small - do not have the internal resources to think through the various scenarios and put a workable plan in place. The best thing they can do is put in a little proactive effort now, so when that dark security incident day comes (and it will!) they are really, truly ready.
