InfoSecurity 2019: Communication crucial in cyber-attack crisis management

Organisations should keep communicating with their customers until the threat assessment is done and the remedial measures are put in place

"A wrong decision is much worse than a bad decision". That was something a panel of industry leaders at InfoSecurity Europe and a majority of the 100-plus audience agreed on during a discussion yesterday (6 June) on firefighting in cyber-security.

"During the stage where the alert (of the incident) comes in, the people who verify that need to make the right call. If they go wrong, the media will pretty much inform you that things have gone wrong," said Amar Singh, CEO and founder of the Cyber Management Alliance, who moderated the discussion.

A ‘headless chicken’ approach is never desirable during the time of a crisis, said Becky Pinkard, CISO of Aldermore Bank. "That is not good for anybody. Bad decisions get made, things get suggested, proposed and communicated in a wrong way. You may have to backtrack, appear foolish, or even worse, you may create even bigger problems."

However, that does not mean the firm has to remain quiet until the threat assessment is done and the remedial measures are put in place, said Steph Bailey, managing director and senior partner at FleishmanHillard Fishburn. According to the PR professional, a lack of decision need not result in lack of communication.

Pointing out that the first alert usually comes from a journalist’s call for verification of the incident, Bailey said the best thing to do is to get as much information as possible from that journalist. Find out the details of the issue, their deadline, who they work for, and every other possible piece of information, so that your communications team is armed with the right information.

"From our perspective, as soon as there is a vacuum, it is filled by usually your competitors or the media," she said. "Decision-makers presume that you cannot communicate unless you are 100 percent sure of all the information, but actually there are things that you can say that allow you to take control and ensure that your narrative is there."

Facebook took five days to come up with a response on the Cambridge Analytica fiasco, while Norsk Hydro, during the data breach in March, had a steady stream of messages on Twitter and Facebook right from the beginning of the problem, addressing it and assuring that they were working on it, observed Aldermore Bank’s Pinkard. "I think it made a huge difference on the public’s perception on the ongoing issue."

The real audience in these situations is not the internal stakeholders or the auditors but the customers, said Bailey. They get ignored, and customers often end up using social media to vent their frustration at their concerns being overlooked.

"Social media has absolutely changed the way we respond to a crisis," said Pinkard.

It is better to give people advance notice of a potential problem, even if the company has to say "sorry, false alarm" or "it wasn’t as serious as we thought," said Nigel Spencer, security operations vice president at Vocalink Real Time Payments. "Good communication, working with the regulator, having a practised plan and executing it well is absolutely critical to the ongoing viability of the business."

According to Spencer, being associated with a security incident is harmful for the career of the security professional and a business killer for the company. "Reputation is everything. Therefore, keeping people on your side as long as you can is absolutely critical."
