Risk Communications: Recognizing Turning Points and Managing Decisions

I’ve written previously about how poorly the traditional crisis communications approach works for security communications. Today, I’m going to do it again. :)

Crisis Communications implies that what you’re communicating about is out of the ordinary or outside your standard operating procedures. In reality, security communications is a daily engagement, and not only because of the frequency of potential security incidents. From vulnerability disclosures and user account takeovers (ATOs) to legally defined data breaches, security is a topic of daily interest to our most important stakeholders.

Not communicating about security until it escalates into a crisis is a self-fulfilling prophecy. Instead, security communicators should constantly be on the lookout for critical turning points that can determine the direction of the organization’s future or cost it its reputation. These turning points are almost always punctuated by decisions; thus an effective security communication strategy isn’t merely about what to say in high-pressure situations, but about how to manage the decisions that lead us into them.

In fact, as I noted in a recent post about avoiding security and privacy outrage, it really all boils down to the individual decisions organizations make and whether our stakeholders – the people whose opinions and behaviors have the ability to impact our success – understand our decisions and support how we made them, even if they disagree with our specific conclusions. This is where a lot of organizations get tripped up, because they’ve fallen for the misconception that transparency about the decision itself is equivalent to transparency about the decision-making process.

Especially when it comes to decisions that function as turning points, transparency about how decisions get made is paramount, because the determining factor in nearly every case I’ve seen is whether or not the process (not the conclusion) meets the expectations of our stakeholders. And when your decision-making process is perceived as opaque or unfair, either because you failed to adequately explain it or because it truly is flawed, individual decisions become vulnerable to attack and are discredited.

Over the past two years, Discernible has been engaged by dozens of security and privacy organizations to diagnose security communication issues, architect tailored solutions, and lead the execution for these customized programs with both internal and external stakeholders. 

  • Align with organizational values and communicate which ones have the most weight when making decisions; if you can’t prioritize your values, you don’t truly have any.

  • Set standard criteria for who is involved, why, and their role. Consider adopting a decision-making framework like Marcy Swenson’s The Matrix.

  • Document the process, including who is responsible for the final decision, whether it be determined by consensus, executive power, or majority rule.

  • Be consistent in how decisions are made (unless your process sucks, then fix it and communicate the changes ASAP). Nobody likes surprise decisions. 

Below are a few additional tips for communicating your decision-making process to avoid creating an incident.

Tips for Communicating Your Decision-Making Process 

  • Don’t get defensive – Throwing shade on someone for not understanding, or for daring to question your decisions and peek behind the curtain, is so Facebook and Wizard of Oz. If you’re confident you made the right call based on the situation, be mature enough to explain it plainly, even to folks who disagree with you. Finding common ground is critical to negotiating productive relationships.

  • Be helpful – Don’t try to gaslight people with so much unnecessary information that they give up before an effective engagement can happen. Not everyone is going to agree with every decision you make, but it’s important for long-term relationships and your reputation that even those who dislike you do so based on facts, rather than poorly managed communications.

  • Find humility – No one feels bad for companies facing hard choices. Recognize your privilege and don’t try to downplay the influence your decisions have on others. Ignoring this fact is an easy way to miss turning points that can escalate into an incident.

  • Seek more perspectives – The most frequently cited cause of frustration with decision-making among internal stakeholders is the feeling that decisions are made behind your back even when they impact you. Here are a few questions we address with our clients when deciding who needs to be involved in the process:

    • Who has to carry out the course of action decided?

    • Who will it affect if something goes wrong?

    • Are you willing to take responsibility for a mistake?

    • How much time is available to spend on this decision?

    • Is there a deadline for making a decision and what are the consequences of missing this deadline?

    • Is there an advantage in making a quick decision?

    • Will spending more time improve the quality of the decision?

  • Assign ownership – Assign an owner for the decision-making process. They are responsible for ensuring the process is followed, documented, and completed, but not for making the decision themselves. Stuff without owners doesn’t get documented.

  • Document & share – Make it easy to find your process documents and specific decision-making procedures and considerations. Current and future employees will significantly benefit from the ability to review and learn from your choices, instead of having to repeat the same mistakes in order to learn the same lessons.
