Third Party Security Incident Response

Why You Should Communicate with Stakeholders Even If You’re Not Exposed

“The fundamental way of getting public approval is to deserve it.” - Arthur W. Page

Several weeks ago, our team was able to use the security incident at Okta to begin stress testing new IR communications procedures we recently developed for a few clients. What an amazing opportunity to confirm whether we’d hit the right chord for their organization with the protocols, roles and responsibilities, and operating principles designed for each one!  

As a result of their preparedness, these organizations were able to quickly assess their exposure, communicate risk levels to business units, and thoughtfully engage with external stakeholders. Perhaps most importantly, the incident provided a relatively safe way to practice their new procedures with cross-functional colleagues who were primed and ready to engage at the time and depth most appropriate for their responsibilities.

I’ve since heard from a number of my contacts in the broader security community that they unfortunately faced significant resistance from business leaders, PR teams, and legal counsel when they attempted to communicate with employees and customers about their level of exposure, even when it was zero. I find this reaction both antiquated and revealing.  

Antiquated because it signals a lag in competency and revealing because it exposes an organization’s deficient attitude toward transparency and trust. 

Why Some Companies Still Stick Their Head in the Sand

Fear is the #1 cause I’ve observed among companies that decide not to engage in stakeholder communications unless forced into it by regulatory or contractual obligations. They’re nervous about potentially negative attention because they don’t know how to talk about security or privacy as a positive pillar of their brand. If they’re that concerned about people looking under the hood, maybe they’re justified in hoping no one will notice, but that strategy comes with its own risks. Not acknowledging that risk doesn’t make it go away.  

The #2 cause is typically a lack of dedicated resources and ownership for relevant communications, meaning they don’t have anyone with the expertise or bandwidth to craft a cohesive strategy for stakeholders. It’s understandable that even well-intentioned brands don’t want to half-ass communications about security or privacy; but to an external stakeholder, the decision appears identical to that of the fearful organizations. 

Benefits of Communicating When You Don’t Have To

Ultimately, companies that either run away from or seek to avoid engaging in conversations with stakeholders about their exposure to 3rd party incidents are missing important opportunities to build trust and credibility in advance of inevitable 1st party incidents during which all eyes will be on them. In my experience, it’s better to learn how to manage effective security and privacy communications before you become the primary target of public scrutiny.

In fact, establishing a reputation with stakeholders for proactive and helpful incident communications has given our clients tangible value for their business. 

Build Customer Trust

Anticipate customer questions, demonstrate you care about them, and show you’re in touch with the latest developments by reaching out to your customers before they start sending out mass questionnaires. Even when your exposure level to a 3rd party incident is zero, show you’re a valuable resource to your customers by providing a basic overview of known facts, and reassurance that you’re monitoring the situation. At the same time, you can share details about previous engineering or business decisions that helped lower your exposure levels.

Pro tip: you can save your customer support and security assurance teams from having to respond manually to every individual request, while ensuring message consistency, by creating standardized, legally-approved information that can be shared publicly on your website or privately through a customer portal. 

Improve Internal Literacy

If there’s one thing your c-suite, board of directors, and non-security employees have in common, it’s a lack of visibility into the value your security and privacy teams deliver when you’re not in the thick of a breach investigation. If you can’t bring your organization around to the position of communicating proactively with external stakeholders, at least don’t squander the opportunity to educate people inside the company about your organization's relevance as a trusted partner and advisor.

For example, a real-world 3rd party incident is an important moment to remind everyone of the tools, controls, and best practices you’ve set up – as well as their role in actually using them. :)

It should have been an easy decision for organizations to remind their employees about when it’s safe to approve Okta sign-ins. Again, even if your organization doesn’t use Okta, how can you take advantage of the moment to direct employees’ attention to something you need them to do?

Normalize Communications

Finally, one day you’ll need all internal and external stakeholders to trust what you say and your competency in mitigating a 1st party incident. It happens to everyone. Everyone.

You will also need to avoid causing panic because, as we’ve discussed before, panic leads to poor judgment and decision-making. Normalizing stakeholder communications about security and privacy before a major incident reduces the risk of panic by establishing your organization as someone who has your shit together and can safely guide them through uncertainty. 

Moreover, the best antidote against a negative and material news cycle is an informed customer base that trusts you. Consider periodic educational campaigns for customers about potential risks, how you’re addressing them, and any action they need to take. If stakeholders only hear from you about security issues when you’ve caused them or been forced to disclose them, don’t be surprised if you actually end up causing panic every single time. It doesn’t have to be this way – you can make security and privacy safe topics for your company to discuss any day of the week. 
