Does Your Security Comms Strategy Need an Upgrade?

Shifting from crisis mode to a persistent demonstration of care through routine security communications 

A security team’s first encounter with a security communications professional is often tied to incident response: what, when, and how do we communicate the details of what’s happening to stakeholders? So it’s no surprise that the general understanding of security communications among security executives and their teams is rooted in crisis management. But it’s the decisions companies make before an incident occurs that are usually the most impactful in how an incident is perceived. 

Effective crisis management includes not only a timely demonstration that you care in the wake of an incident, but also a persistent demonstration that you still care for as long as stakeholders expect you to. This brings up a significant shortcoming I see with many corporate communications programs that perceive security only through the lens of crisis: exactly when do our stakeholders not expect us to care about safeguarding their data, securing their online experiences, and communicating transparently? In other words, why are we only talking to them now, in the midst of a crisis, about how much we care? Can our demonstration of caring ever truly stop? No, it must be persistent.

A persistent demonstration is both deliberate and organic. It’s about how you show up as a company and a security organization, ready to discuss the issues that matter to your stakeholders whenever they need it. Organizations unprepared to talk about security and privacy on a regular basis find that everyday blunders routinely escalate into a crisis before they’re remediated. Recent examples include rumors of keylogging by TikTok’s in-app browser and Patreon’s security layoffs. I have discussed own goals in security communications before, and you can read more about that here.

Without a persistent demonstration that organizations give a sh*t about avoiding security crises, not just surviving them, each incident feels more significant than it should, because trust and the benefit of the doubt haven’t been earned. Moreover, when we choose to manage security communications one crisis at a time, stakeholders perceive a pattern of chaos as we’re flung from one crisis to the next.

Routine Communications for Mitigating Risk

In leading the security and privacy communications strategy for both small and global brands, I’ve found that ongoing attention to routine communications helps minimize both the volume and impact of potential crises. As a result, we advise our clients to prioritize routine security and privacy communications as one way to demonstrate persistent care. 

I consider the following routine tasks staples for any security or privacy communications professional to ensure there’s no doubt whether we’ve done all we can for our stakeholders:

  • Product/engineering design reviews: Put yourself in the review loop and read the docs. Does the proposed change demonstrate persistent care? If not, talk to the engineers and product managers behind the effort to understand their goals and help them identify alternatives or improvements. Most of the time, they want to do the right things, and pointing out how their new project will be perceived by stakeholders is a powerful exercise. I previously published a sample list of questions I consider when reviewing a new product or engineering proposal. 

  • Customer/sales communications: How often is your organization communicating to customers and prospects about security and privacy? Do they only hear from you when things go wrong? Do you even know what your organization is telling them?

    When things go wrong, it’s not impossible to maintain customer trust despite negative headlines, but you need to develop and nurture those relationships in advance. I recommend routine communications that help customers understand the risks and proper mitigation techniques for using your product or service securely, as well as establishing dedicated communication channels to provide adequate (and accurate) support when an incident occurs.

  • Technical blog posts: Many organizations are eager to brag about their technical capabilities, but they miss red flags in the content they publish, creating opportunities for critics and even well-intentioned industry peers to point out security issues and vulnerabilities using your own words. Sometimes the fix is as simple as a word choice; sometimes it’s a more difficult conversation about whether a specific project is truly ready for primetime attention. A strong security and privacy communications strategy considers how content from across the organization contributes to, or distracts from, your persistent demonstration of care.

  • Bug bounty communications: Misunderstandings and escalated emotions among external security researchers can cause a lot of noise for your organization and burn out your security team. Take the time to help your team communicate effectively with this important stakeholder group, and avoid (or prepare for) public tantrums that distract from your persistent demonstration of care.

Incidents happen, but if they’re the be-all and end-all of your security communications strategy, you’re missing the opportunity to earn trust and credibility from your most important stakeholders before something goes wrong. The scrutiny and urgency of a crisis make it the worst time to introduce your security or privacy team to the world. Give them the opportunity to demonstrate how much they care before an incident happens.
