Cybersecurity & Data Privacy Communications

Looking in: the importance of internal communications during a cyber incident

During a cybersecurity incident it is easy to lose sight of an organisation’s most valuable asset, its people. One individual consistently at the forward edge of any organisation’s response and responsible for much of its internal reporting is the CISO. Operating at the nexus of the strategic and operational – their words and contributions scrutinised and pored over by executives, colleagues and, of course, clients – it is critical that CISOs are armed and resourced with the tools they need to communicate properly across all tiers of an organisation.  

In November 2023, FTI Consulting conducted a survey of 787 C-suite executives at over 700 organizations with 500+ employees across FTI’s key industries. At senior leadership levels an average of 62% of 787 C-Suite executives told us they felt that their CISOs were not completely prepared to meet many of these communications challenges. 

To address this, and other cybersecurity challenges, FTI identified that organisations expect to increase their cybersecurity budgets by an average of 23% over the next 12-24 months. When asked to break this down, 42% named employee training and security awareness as a priority item for this year. With that in mind, what are some of the key communications challenges faced by CISOs, and how can these be addressed? 

1. Adjust messaging for your (internal) audiences – do not rely on, or anticipate, a single communications channel. 

When discussing cybersecurity issues, whether during an incident or in peacetime, CISOs must communicate across all levels of an organisation, adjusting their language and style to reflect their audience.  

During an incident, the information investors will require may be different from the technical detail needed when speaking with client security teams. Colleagues may want detail around issues such as payroll, while client handlers will want to know whether customers are safe to reconnect.  

No single message will suffice and, as our research demonstrates, CISOs may be asked to deliver multiple messages across several channels just to meet the demands of a senior leadership team (SLT). Extrapolated over the course of an incident, the effort and time demanded is often substantial. Preparing a CISO with key messages, and with an understanding of when and how communications should be adjusted and distributed, ahead of an incident is therefore critical in reducing pressure on them and giving them space to remediate other pressing issues. 

2. Communicate with clarity – exercise and condition internal audiences to the language they will hear. 

Regardless of the audience, complex risk, articulated clearly, benefits all. Our research has revealed that almost one in three executives still do not understand technical concepts used by their CISOs, while a similar proportion have difficulty understanding the tangible return on cybersecurity investment.  

The ability to translate detailed technical risk into a material or business impact is a fundamental requirement when conveying the realities of a cyber incident and avoiding complacency during a response. Taking the time to work through first, second and third order impacts of an incident with a leadership team is a useful way to ask: ‘so what?’ and understand the impact of an event in business terms.  

Best done in a workshop, CISOs should take the time to familiarise executive audiences with likely scenarios before an incident occurs. This will reduce the time spent explaining concepts, and likely costs, in the heat of battle. 

3. Encourage constructive dissent – facts will change, so be prepared to challenge existing plans.

No matter how often attacks occur, each will be distinct, and CISOs should not be afraid to challenge a leadership team’s chosen course of action, and should know how to do so.  

Incidents will impact departments differently, and CISOs should take the time to forge relationships with different teams, understand how their departments work, and use this detailed knowledge to inform decision making. 

Once built, these relationships can be used to establish a planning red team – a role or responsibility that exists to challenge approaches. This will help teams avoid decision-making silos, gain perspective and generate alternative solutions. When, not if, a response changes, CISOs will be able to communicate this with the support of those around them.  

Good internal communications are often an afterthought, and yet they should be considered as important as, if not more important than, those that are external facing. A good technical response can be undone by poor internal communications – how else will those responsible for talking to key external stakeholders gain the knowledge they need to address the incident?  

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2024 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
