How CISOs Can Master Cyber Attack Communications

Uploaded on 2024-12-30 in TECHNOLOGY--Resilience, FREE TO VIEW

The modern CISO's responsibility now extends far beyond technical leadership, particularly during cyber incidents, which includes investigations of anomalies prior to declaration of an incident. Effective crisis communication has long been a cornerstone of the role, crucial for maintaining organisational cohesion and stakeholder confidence.

In the wake of any incident, CISOs must balance transparency with strategic messaging, providing clear and timely updates that reassure, without overpromising.

The most important element of this communication is for organisations to have a formal and documented Crisis Communications Plan (CCP) which is critical to manage communications in all negative circumstances. In the situation of any cyber security incident or breach, that would necessitate both internal and external communications, potentially to internal stakeholders, and possibly to external customers, regulators, and even law enforcement depending on the severity.

By mastering this delicate communication balance through the use of a formal CCP, CISOs can steer their organisations through the turbulent waters of a cyber crisis, ensuring that response efforts are complemented by effective stakeholder communication and management.

Managing Uncertainty With Confidence

When a cyber incident takes place, the first question from executives is usually: “How bad is it?”– The reality is that the full scope of the attack may not be clear immediately, and the answer to this question can evolve over time. Early on during an incident, CISOs must communicate the uncertainty of the situation while also maintaining confidence towards rectifying the situation.

It’s important not to overstate what is known, but also avoid conveying indecision or panic. Explaining that the investigation is ongoing, and that initial findings may change as more data becomes available, helps manage expectations.

It is also useful to have previously communicated to executive management and other internal stakeholders what the levels of concern may be. This should involve prior training where key terms such as ‘Event’, ‘Anomaly’, ‘Incident’, ‘Compromise’, and ‘Breach’ are already understood. Understanding the scope of any cyber event goes a long way towards understanding what needs to be communicated, and to whom.

Focusing On Operational Impact

In the aftermath of a cyber incident, C-suite executives and board members typically prioritise understanding the business implications in lieu of the technical details. Their primary concerns often revolve around regulatory compliance, operational continuity, financial impact and the integrity of mission-critical systems. Rather than focusing on the intricacies of the exploit or malware variant used, senior leadership seeks clarity on operational and financial impact, recovery timelines, and the extent of disruption to core business functions.

As such, CISOs must be adept at swiftly translating complex technical information into clear, business-centric insights that address these key stakeholder concerns.

Whereas the CCP manages communications to regulators, employees, and customers, this level of communications is solely to drive business decisions by executive management. This approach ensures that decision-makers have the relevant information needed to guide the organisation's response and recovery efforts effectively.

When communicating with senior leadership during a cyber incident, CISOs should prioritise delivering concise, actionable information focused on impact to technical systems affected by the cyber event, and the consequential impact on business operations and customers. A well-structured update must include the status of critical services, containment and eradication of any hostile presence inside corporate systems, specific actions being taken to
address vulnerabilities once the situation is resolved, and a planned timeline for system restoration. Taking this approach demonstrates how the corporate security department is actively managing the situation, making tangible progress, and aligning its efforts with business priorities.

By providing such targeted updates, CISOs can effectively reassure executive stakeholders and facilitate informed decision-making during both the organisational crisis response and communications.

Keeping Stakeholders Frequently Updated

A crucial component of clear communication by CISOs is the frequency of updates. Regular communication in all situations, perhaps every 30 minutes in the early stages, provides reassurance and keeps everyone aligned. These updates don’t need to contain definitive findings but should focus on progress, such as recovery efforts or confirmed impacts. This will help prevent internal or external speculation and keep the situation under control.

Regulatory Compliance & Reporting

In the UK, cyber incident reporting is governed by key regulations that mandate timely disclosure of significant breaches. The Network and Information Systems (NIS) Regulations require operators of essential services to report incidents that substantially impact service continuity. These reports must be submitted to the relevant competent authority without undue delay, and no later than 72 hours after becoming aware of the incident. In addition, the UK Data Protection Act imposes strict reporting obligations for personal data breaches. Organisations must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach that risks individuals' rights and freedoms. If the breach poses a high risk to affected individuals, they must similarly be informed without undue delay.

During a cyberattack, CISOs must quickly evaluate whether an incident necessitates regulatory reporting and work closely with general counsel, the Chief Compliance Officer, and if necessary, outside counsel. By leveraging advanced network telemetry and full packet capture, they can gather the detailed information needed to assess the incident's materiality, so that legal, security, and compliance can collaborate to meet reporting requirements while
effectively managing the incident.

Building Trust Through Effective Crisis Communication

Crisis communication during a cyberattack requires transparency and sureness. By focusing on operational impacts and leveraging network visibility tools, CISOs can ensure that they provide accurate and meaningful updates to stakeholders.

With the right preparation, understanding of regulatory requirements and tools to assess the attack’s scope, CISOs are better positioned to manage the crisis and mitigate long-term risks.

Mark Bowling is Chief Risk, Security & Information Security Officer at ExtraHop

Image: Inside Creative House

You Might Also Read: 

The Corporate CISO Role Is Evolving:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Using AI To Its Full Cybersecurity Potential
What Are The Key Trends That Will Shape Tech In 2025? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Micron Technology

Micron Technology

Micron is a global leader in the semiconductor industry providing memory and secure storage devices for Networks, Mobile devices and IoT applications.

Atlantic Council

Atlantic Council

The Atlantic Council's Cyber Statecraft Initiative focuses on international cooperation, competition, and conflict in cyberspace.

SureCloud

SureCloud

SureCloud is a Governance, Risk and Compliance (GRC) and Cybersecurity Solutions provider.

Nexcom International

Nexcom International

Nexcom operates six global businesses - IoT Automation, Intelligent Digital Security, Internet of Things, Intelligent Platform & Services, Mobile Computing Solutions, Network & Communications.

TorGuard

TorGuard

TorGuard is a Virtual Private Network services provider offering secure encrypted access to the internet.

Ergon Informatik

Ergon Informatik

Ergon Informatik AG is Switzerland's leading provider of customised software solutions and software products including fraud detection and the Airlock web security suite.

NLnet Labs

NLnet Labs

NLnet Labs is a not-for-profit foundation with a long heritage in research and development, Internet architecture and governance, as well as security in the area of DNS and inter-domain routing.

Penningtons Manches Cooper

Penningtons Manches Cooper

Penningtons Manches Cooper is a leading UK law firm providing high quality legal advice in areas including Data Protection, Cyber Security and Cyber Crime.

Gospel Technology

Gospel Technology

Gospel presents a totally new way of accessing and controlling data which is enterprise grade scalable, highly resilient, and secure.

ioXt Alliance

ioXt Alliance

The ioXt Alliance is a group of manufacturers, industry alliances and government organizations dedicated to harmonizing best security practices in a highly connected world.

Infosequre

Infosequre

Infosequre builds up your security awareness culture and turns your employees into the first line of defense against cyber risks.

White Hawk Software

White Hawk Software

White Hawk provides code tamper-proofing solutions to protect mission critical software applications from malicious and Zero day attacks and reverse engineering at run time.

HARMAN International

HARMAN International

HARMAN designs and engineers connected products and solutions for automakers, consumers, and enterprises worldwide.

Let's Encrypt

Let's Encrypt

Let’s Encrypt is a free, automated, and open digital certificate authority, run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

Cypheria

Cypheria

Cypheria harness the expertise of elite military units and combine it with extensive digital combat experience to deliver unparalleled security solutions for organizations.

DeepTempo

DeepTempo

At DeepTempo, we build AI models and related software that protect enterprises and service providers from sophisticated cyber threats.