How CISOs Can Master Cyber Attack Communications

Uploaded on 2024-12-30 in TECHNOLOGY--Resilience, FREE TO VIEW

The modern CISO's responsibility now extends far beyond technical leadership, particularly during cyber incidents, which includes investigations of anomalies prior to declaration of an incident. Effective crisis communication has long been a cornerstone of the role, crucial for maintaining organisational cohesion and stakeholder confidence.

In the wake of any incident, CISOs must balance transparency with strategic messaging, providing clear and timely updates that reassure, without overpromising.

The most important element of this communication is for organisations to have a formal and documented Crisis Communications Plan (CCP) which is critical to manage communications in all negative circumstances. In the situation of any cyber security incident or breach, that would necessitate both internal and external communications, potentially to internal stakeholders, and possibly to external customers, regulators, and even law enforcement depending on the severity.

By mastering this delicate communication balance through the use of a formal CCP, CISOs can steer their organisations through the turbulent waters of a cyber crisis, ensuring that response efforts are complemented by effective stakeholder communication and management.

Managing Uncertainty With Confidence

When a cyber incident takes place, the first question from executives is usually: “How bad is it?”– The reality is that the full scope of the attack may not be clear immediately, and the answer to this question can evolve over time. Early on during an incident, CISOs must communicate the uncertainty of the situation while also maintaining confidence towards rectifying the situation.

It’s important not to overstate what is known, but also avoid conveying indecision or panic. Explaining that the investigation is ongoing, and that initial findings may change as more data becomes available, helps manage expectations.

It is also useful to have previously communicated to executive management and other internal stakeholders what the levels of concern may be. This should involve prior training where key terms such as ‘Event’, ‘Anomaly’, ‘Incident’, ‘Compromise’, and ‘Breach’ are already understood. Understanding the scope of any cyber event goes a long way towards understanding what needs to be communicated, and to whom.

Focusing On Operational Impact

In the aftermath of a cyber incident, C-suite executives and board members typically prioritise understanding the business implications in lieu of the technical details. Their primary concerns often revolve around regulatory compliance, operational continuity, financial impact and the integrity of mission-critical systems. Rather than focusing on the intricacies of the exploit or malware variant used, senior leadership seeks clarity on operational and financial impact, recovery timelines, and the extent of disruption to core business functions.

As such, CISOs must be adept at swiftly translating complex technical information into clear, business-centric insights that address these key stakeholder concerns.

Whereas the CCP manages communications to regulators, employees, and customers, this level of communications is solely to drive business decisions by executive management. This approach ensures that decision-makers have the relevant information needed to guide the organisation's response and recovery efforts effectively.

When communicating with senior leadership during a cyber incident, CISOs should prioritise delivering concise, actionable information focused on impact to technical systems affected by the cyber event, and the consequential impact on business operations and customers. A well-structured update must include the status of critical services, containment and eradication of any hostile presence inside corporate systems, specific actions being taken to
address vulnerabilities once the situation is resolved, and a planned timeline for system restoration. Taking this approach demonstrates how the corporate security department is actively managing the situation, making tangible progress, and aligning its efforts with business priorities.

By providing such targeted updates, CISOs can effectively reassure executive stakeholders and facilitate informed decision-making during both the organisational crisis response and communications.

Keeping Stakeholders Frequently Updated

A crucial component of clear communication by CISOs is the frequency of updates. Regular communication in all situations, perhaps every 30 minutes in the early stages, provides reassurance and keeps everyone aligned. These updates don’t need to contain definitive findings but should focus on progress, such as recovery efforts or confirmed impacts. This will help prevent internal or external speculation and keep the situation under control.

Regulatory Compliance & Reporting

In the UK, cyber incident reporting is governed by key regulations that mandate timely disclosure of significant breaches. The Network and Information Systems (NIS) Regulations require operators of essential services to report incidents that substantially impact service continuity. These reports must be submitted to the relevant competent authority without undue delay, and no later than 72 hours after becoming aware of the incident. In addition, the UK Data Protection Act imposes strict reporting obligations for personal data breaches. Organisations must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach that risks individuals' rights and freedoms. If the breach poses a high risk to affected individuals, they must similarly be informed without undue delay.

During a cyberattack, CISOs must quickly evaluate whether an incident necessitates regulatory reporting and work closely with general counsel, the Chief Compliance Officer, and if necessary, outside counsel. By leveraging advanced network telemetry and full packet capture, they can gather the detailed information needed to assess the incident's materiality, so that legal, security, and compliance can collaborate to meet reporting requirements while
effectively managing the incident.

Building Trust Through Effective Crisis Communication

Crisis communication during a cyberattack requires transparency and sureness. By focusing on operational impacts and leveraging network visibility tools, CISOs can ensure that they provide accurate and meaningful updates to stakeholders.

With the right preparation, understanding of regulatory requirements and tools to assess the attack’s scope, CISOs are better positioned to manage the crisis and mitigate long-term risks.

Mark Bowling is Chief Risk, Security & Information Security Officer at ExtraHop

Image: Inside Creative House

You Might Also Read: 

The Corporate CISO Role Is Evolving:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Using AI To Its Full Cybersecurity Potential
What Are The Key Trends That Will Shape Tech In 2025? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NCC Group

NCC Group

NCC Group is a global cyber and software resilience business operating across multiple sectors, geographies and technologies.

Cortado Mobile Solutions

Cortado Mobile Solutions

Cortado Mobile Solutions is the manufacturer of the mobile device management solution Cortado MDM.

Code42

Code42

Code42 CrashPlan, is an enterprise SaaS solution that backs up all distributed end-user data on a single, secure platform.

Magic Software Enterprises

Magic Software Enterprises

Magic provide Mobile Device Management (MDM) for Secure Enterprise Mobility. Magic MDM overcomes the challenges of mobile device management security by protecting all of your devices, data and content

Cybereason

Cybereason

Cybereason provides attack protection with cutting edge EDR and XDR, and industry recognized consulting services to support organizations throughout any stage of the incident lifecycle.

Altius IT

Altius IT

Altius IT reviews your website for security vulnerabilities and provides a report identifying vulnerabilities and recommendations to make secure.

ETAS

ETAS

ETAS (formerly Escrypt) is a pioneer and one of today’s leading solution providers for embedded IT security.

The Security Awareness Company (SAC)

The Security Awareness Company (SAC)

The Security Awareness Company provides cyber security awareness training programs for companies of all sizes.

Digiserve

Digiserve

Digiserve by Telkom Indonesia is an end-to-end managed solutions provider committed to empowering enterprises in Indonesia.

SecSign Technologies

SecSign Technologies

SecSign Technologies delivers user authentication, messaging, file sharing, and file storage with next generation security for company networks, websites, platforms, and devices.

Comparitech

Comparitech

Comparitech strives to promote cyber security and privacy for all. We are committed to providing detailed information to help our readers become more cyber secure and cyber aware.

SYN Ventures

SYN Ventures

SYN Ventures invests in disruptive, transformational solutions that reduce technology risk.

BAE Systems

BAE Systems

BAE Systems develop, engineer, manufacture, and support products and systems to deliver military capability, protect national security, and keep critical information and infrastructure secure.

Cryptr

Cryptr

Cryptr provides plug and play authentication to manage all your authentication strategies in one place with just a few lines of code.

DruvStar

DruvStar

DruvStar provides B2B cybersecurity around threat management to strengthen businesses across attack vectors.

Crispmind

Crispmind

Crispmind creates innovative solutions to some of today’s most challenging technology problems.