In the event of a security incident, it's critical that your response is both fast and accurate. Unfortunately, many organizations make the mistake of including one or more of the following three elements in their public statements, which impairs the credibility and trustworthiness of their response. By avoiding them, you can help ensure that your organization's response is taken seriously.

One of the most important aspects of my work is helping CISOs with what I like to call “the invisibility problem.” Many talented, hardworking CISOs try to do the right things to be seen: they present at quarterly board meetings and send their executive team regular updates about the security program. While these actions may check the boxes with their management and the Board, I don’t believe they are enough to build the credibility and visibility CISOs need to succeed - and obtain the resources required to protect an organization in a world of ever-expanding risk.

A reader asks, “How should brands talk about security threats from abroad without sounding xenophobic?”

Do you know which words are most effective for the context and audiences of your security and privacy communications? If you’re not sure, now is a good time to start measuring the impact of the language you use. Counting the number of times you distribute content or engage with stakeholders is a good measurement of why you’re so busy, but are your communications as effective as they could be? Want to find out? Let us know!

In leading the security and privacy communications strategy for both small and global brands, I’ve found that ongoing attention to routine communications helps minimize both the volume and impact of potential crises. As a result, we advise our clients to prioritize routine security and privacy communications as one way to demonstrate persistent care.

Discussions about emotions come up a lot in our incident preparedness and response work with clients because we’re always thinking about how different stimuli impact people’s expectations and ability to communicate effectively.

The popular saying “what doesn’t kill you makes you stronger” isn’t a guarantee. Traumatic or stressful situations can still destroy trust and motivation, cause irreparable damage to our health, and push people out of the profession.

Not communicating about security until it escalates into a crisis is a self-fulfilling prophecy. Instead, security communicators should constantly be on the lookout for critical turning points that can determine the direction of the organization’s future or cost them their reputation.

Why you should communicate with stakeholders about 3rd party security incidents even if you’re not exposed

Risk makes individuals, groups, and markets behave in certain ways. Our success as security and privacy professionals depends on our ability to help non-experts make risk-related choices. The study of risk communications examines the processes that determine how our communication with these stakeholders enhances or degrades their decision-making ability.

Today, I’m sharing a sample of questions I ask when reviewing a product or feature proposal.

Many of us have spent the past few months planning for the coming year and documenting the objectives and outcomes we want to achieve this year. I bet fewer folks spent time considering the specific people whose support, approval, or adoption we need to meet those goals.