Cybersecurity & Data Privacy Communications

An Interview with Sara Sendek, Former CISA Director of Public Affairs

1. You have the prestigious honor of serving as the first Director of Public Affairs for the Cybersecurity and Infrastructure Security Agency (CISA). As a new senior leader on FTI’s Cybersecurity & Data Privacy team, what learnings do you hope to pass on to the team?

When it comes to cybersecurity incidents and preparedness initiatives, communication is key. Cybersecurity is complicated and being able to articulate cyber issues in plain language isn’t an easy thing to do, but it’s critically important. Also, everyone has a role to play in cybersecurity, both in preparedness and incident response. A CISO alone can’t defend their organization’s network – it takes a comprehensive culture of cybersecurity to better protect an organization. From executives choosing to invest in cybersecurity to employees choosing to practice good cyber hygiene, decisions at all levels of the company are equally important. But first, everyone needs to understand the threats they face, why they matter, and what they, individually, can do to be a part of the solution. Adopting the mindset that cybersecurity affects all of us is key to creating a more secure future for individuals and organizations alike.

2. During your time with CISA, you helped lead the government’s communications response to major cybersecurity incidents, including the SolarWinds cyber attack. Any crisis communications lessons learned or key takeaways from these types of large-scale incidents that you’ll be bringing to FTI’s Cybersecurity & Data Privacy Communications team?

SolarWinds was unlike anything we had seen before. At the onset of the incident, there were still several unknowns, including how widespread this attack was and how long it would take for various entities to recover. At CISA, we prioritized transparency and information sharing to help our partners across both government and industry understand the threat and how they could protect themselves. But the challenge was sharing the information we had, while acknowledging and underscoring the unknowns. That meant not getting ahead of ourselves or putting CISA in a position where we would need to walk back details, but instead, consistently updating our materials. As our knowledge of the attack evolved, so did our communications. At FTI Consulting, we advise our clients to adopt a similar philosophy – engage with your stakeholders in a transparent manner, commit to providing updates as they become available and avoid saying things that may ultimately be inaccurate. Forensic investigations take time and the details of an attack, such as the root cause, the data exfiltrated, and the scope of the incident will likely be unclear from the onset.

The response to the SolarWinds compromise also relied on an unprecedented level of coordination between government and industry. Without the transparency of private sector partners, the impact to the US government may not have been discovered as quickly. The incident really reinforced the importance of government and private sector working together towards a collective defense. I hope to impart some of this experience at FTI Consulting, as we often work with entities in the private sector suffering cyber attacks that necessitate close collaboration with government agencies and regulators.

3. Now part of the private sector, how have you leveraged your government crisis communications experience to help clients?

As I said earlier, cybersecurity relies on a collective defense. No one entity can do it alone and it requires trusted relationships between the government and the private sector. These relationships are something that haven’t always been as strong in the past. Private sector partnerships lacked a certain level of trust with the government for many years, and the government did not previously hold the best track record for sharing information back to the private sector either. But working at CISA, I have seen firsthand the hard work being done to build these trusted partnerships across every sector. I’m really excited about CISA Director Jen Easterly’s new Joint Cyber Defense Collaborative (JCDC), which aims to be the front door for private sector collaboration. As a somewhat new member to the private sector and recovering government employee, I hope to act as a bridge and encourage these partnerships to continue.

4. Certain ransomware actors are contacting stakeholders or media as a way to apply pressure and increase the chances that the victim organization pays the ransom. Has this changed your tactics or mindset when advising clients?

This is a very fascinating and alarming trend that we have seen on an increasing basis lately. Ransomware actors will often contact employees or customers of an organization via phone, text message, or email in hopes of applying pressure on the victim. For customers or employees who don’t know what is going on, this creates a sense of panic, and ultimately puts more pressure on the victim organizations to pay a ransom. While it’s difficult to prepare anyone to be on the receiving end of a phone call from a criminal ransomware actor threatening to sell their information on the dark web, the best defense is to make sure your client is prepared for the possibility and armed with the necessary tools to respond.

A preparation tool we implement is alerting clients to these tactics and preparing responses to a wide range of potential scenarios. Whether it’s phone calls, contacting reporters, phishing attacks or DDoS attacks, we want to make sure these victim organizations are ready for anything that can come their way. Different ransomware actors are known for utilizing certain intimidation tactics. So, we take what we know from previous matters and apply that to the current situation. What sort of methods do we know these threat actors use or might use, and how do we make sure our client is prepared to respond accordingly? These are key resilience measures, and if the worst-case scenario does happen, the victim organization is in a stronger position to respond and recover, mostly due to our experience having seen this play out many times.

5. As we kick off 2022 and organizations reflect on the past year, what is your advice on how they can be better prepared when considering their crisis communications response?

Have a plan. I know this isn’t anything revolutionary, but resilience is key. There is no such thing as being 100% secure, so have a plan for what a bad day could look like and who on your team needs to be equipped to respond. Designate those roles and responsibilities ahead of time. And remember that the communications workstream is paramount. These situations evolve quickly and how you are communicating both internally and externally is incredibly important to preserving trust and reputation. Organizations are best served when they can get out ahead of a crisis and communicate clearly and often. However, there is a delicate balance, because while these situations tend to rapidly evolve, you do not want to find yourself in a position where you need to walk back statements. It can create unneeded confusion or more problems down the line – including the potential for litigation should certain problematic statements be indefensible.

Additionally, keep your communications team in the loop. Involving them in all high-level meetings helps them better understand and strategize where the messaging needs to be. I’m a huge advocate for always bringing your communications team into the conversation. These are the people on the front lines, talking to your customers, your stakeholders, and the media. One of the biggest unforced errors I see time and time again is that a communications team isn’t brought into a conversation and is left defenseless when a reporter asks them questions and knows more about the situation than they do. A communicator’s job is to know what to say and when, but they need to have all the facts to do that job well.


The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2022 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
