Reputational Risk and Crisis Panel: Shared Assessments Summit

Breaches and crises can make or break business value for years to come, knocking billions off company valuation or even revenue. One of my favorite panels at the recent Shared Assessments Summit tackled the topic of post-breach communication.

Dan Chmielewski, Principal at Madison Alexander PR Inc., moderated the panel, which included:

  • Davia Temin, President and CEO, Temin and Company
  • Tom Davis, VP, Susan Davis International
  • Jesse Bryan, CEO and Creative Director, Belief Agency
  • Teri Robinson, Executive Editor, SC Magazine

The following are a few of Chmielewski’s questions:

Do Businesses Have Sufficient Awareness of the Reputational Risk in Crisis Communications?

Panelists were mixed on whether awareness of reputational risk is where it should be. SC Magazine’s Robinson thought it was low. However, Bryan of Belief Agency noted that younger managers at smaller companies understand the news cycle and the need for transparency.

Claroty

What Aare Some Examples of Successful and Unsuccessful Post-Breach Communications?

The panelists cited the Target breach of 2013 as a counter-example. In the figure above, I show the timeline of the company’s crisis communications and how its position deteriorated rapidly in one or two months. (For more detail on this timeline of what not to do, see International Business Week’s article on how cybertheft snowballed for the giant retailer).

Do Companies Need a Crisis Communications Plan and What Should it Look Like?

Panelists disagreed on the need for a Crisis Communications Plan. Temin and Company’s Temin  argued that although planning is OK, a plan is useless because a real crisis is never what you expected. However, Susan Davis International’s Davis felt a plan is an extremely useful exercise that any entity has to go through.

Together, the panelists came up with some great general guidance, amalgamated from my notes. “By the time Teri (Robinson) calls you up … it’s already too late for spin control. You never have the whole story, and you have to assume in today’s porous news environment that the journalist may know as much as you. Whatever you do, don’t lie. It is OK to say: ‘We don’t fully know yet, but I’ll call you back this afternoon.’ Lead with intent. Don’t make excuses. Take responsibility: Here’s what we did wrong, what we’ll do to fix it, and how we’ll continue communicating.”

To this excellent advice, I’ll come down on the side that one should have a crisis communications plan and it should define the thresholds for notifying executives, general policies on how to respond to different types of issues, and basic roles and responsibilities. In addition, any business under high or very high security pressure should have breach response, legal, law enforcement and PR contractual relationships or contracts established or on retainer.

Rocco Grillo, executive managing director at Stros Frieburg (an AON Company), was also at the conference. He pointed me to an article that goes further:

Organizations must have an incident response plan, exercise it against two to three likely attack vectors, and see how well the company reacts. … Be prepared to respond at your very best in a real breach scenario by conducting simulation exercises for different types of breaches that could affect your organization. Extend your plan and simulation exercises beyond the IT staff to … Legal, HR, Executive Management, and PR / Communications. Have a plan that includes your 3rd-party vendors [and SLAs for 3rd parties’ incident response].

Related Reading

Grillo’s recommendation to include third-party risk management in the incident process is worth noting, especially at a Shared Assessment Summit. Many breaches do result from a failure of third-party security, however, the fifth annual “Vendor Risk Management Benchmark Study: Running Hard to Stay In Place” found that fully 40% of companies still don’t have a formal risk management program in place.

My other Shared Assessments Summits recap, “Helping CISOs and Board Members Communicate on Risk,” discusses the need for resilience in managing disruptive risks, such as cyber risks. The preparation and execution of crisis communications are where the rubber meets the road.

Dan Blum

Avatar photo

Dan Blum

Dan Blum is Managing Partner and Principal Consultant at Security Architects. An internationally-recognized expert in security, privacy, cloud computing and identity management Dan Blum develops Security Architects Partners’ business partnerships, creates content and leads consulting engagements. Formerly, he was a Golden Quill award-winning VP and Distinguished Analyst at Gartner and one of the founding partners of Burton Group. As a Principal Consultant at Security Architects Partners and formerly at Gartner, he has led or contributed to projects such as: Cloud security and privacy assessment for a pharmaceutical company with a global customer base Full security assessment for a large U.S. health care network following negative audit results Security organization review for a major university Full security architecture for a large U.S. power company Independent evaluation of the U.S. government’s E-Authentication Program Directory services architecture for a Swiss bank Full security assessment for a Fortune 100 technology company Identity management and PKI architectures for a large pharmaceutical Recently honored as a Privacy by Design Ambassador, Dan has authored 2 books, written for numerous publications and participated in standards groups such as CSA, ISACA, OASIS and others.

dan-blum has 3 posts and counting.See all posts by dan-blum

Application Security Check Up