How CISOs Can Master Cyber Attack Communications

Uploaded on 2024-12-30 in TECHNOLOGY--Resilience, FREE TO VIEW

The modern CISO's responsibility now extends far beyond technical leadership, particularly during cyber incidents, which includes investigations of anomalies prior to declaration of an incident. Effective crisis communication has long been a cornerstone of the role, crucial for maintaining organisational cohesion and stakeholder confidence.

In the wake of any incident, CISOs must balance transparency with strategic messaging, providing clear and timely updates that reassure, without overpromising.

The most important element of this communication is for organisations to have a formal and documented Crisis Communications Plan (CCP) which is critical to manage communications in all negative circumstances. In the situation of any cyber security incident or breach, that would necessitate both internal and external communications, potentially to internal stakeholders, and possibly to external customers, regulators, and even law enforcement depending on the severity.

By mastering this delicate communication balance through the use of a formal CCP, CISOs can steer their organisations through the turbulent waters of a cyber crisis, ensuring that response efforts are complemented by effective stakeholder communication and management.

Managing Uncertainty With Confidence

When a cyber incident takes place, the first question from executives is usually: “How bad is it?”– The reality is that the full scope of the attack may not be clear immediately, and the answer to this question can evolve over time. Early on during an incident, CISOs must communicate the uncertainty of the situation while also maintaining confidence towards rectifying the situation.

It’s important not to overstate what is known, but also avoid conveying indecision or panic. Explaining that the investigation is ongoing, and that initial findings may change as more data becomes available, helps manage expectations.

It is also useful to have previously communicated to executive management and other internal stakeholders what the levels of concern may be. This should involve prior training where key terms such as ‘Event’, ‘Anomaly’, ‘Incident’, ‘Compromise’, and ‘Breach’ are already understood. Understanding the scope of any cyber event goes a long way towards understanding what needs to be communicated, and to whom.

Focusing On Operational Impact

In the aftermath of a cyber incident, C-suite executives and board members typically prioritise understanding the business implications in lieu of the technical details. Their primary concerns often revolve around regulatory compliance, operational continuity, financial impact and the integrity of mission-critical systems. Rather than focusing on the intricacies of the exploit or malware variant used, senior leadership seeks clarity on operational and financial impact, recovery timelines, and the extent of disruption to core business functions.

As such, CISOs must be adept at swiftly translating complex technical information into clear, business-centric insights that address these key stakeholder concerns.

Whereas the CCP manages communications to regulators, employees, and customers, this level of communications is solely to drive business decisions by executive management. This approach ensures that decision-makers have the relevant information needed to guide the organisation's response and recovery efforts effectively.

When communicating with senior leadership during a cyber incident, CISOs should prioritise delivering concise, actionable information focused on impact to technical systems affected by the cyber event, and the consequential impact on business operations and customers. A well-structured update must include the status of critical services, containment and eradication of any hostile presence inside corporate systems, specific actions being taken to
address vulnerabilities once the situation is resolved, and a planned timeline for system restoration. Taking this approach demonstrates how the corporate security department is actively managing the situation, making tangible progress, and aligning its efforts with business priorities.

By providing such targeted updates, CISOs can effectively reassure executive stakeholders and facilitate informed decision-making during both the organisational crisis response and communications.

Keeping Stakeholders Frequently Updated

A crucial component of clear communication by CISOs is the frequency of updates. Regular communication in all situations, perhaps every 30 minutes in the early stages, provides reassurance and keeps everyone aligned. These updates don’t need to contain definitive findings but should focus on progress, such as recovery efforts or confirmed impacts. This will help prevent internal or external speculation and keep the situation under control.

Regulatory Compliance & Reporting

In the UK, cyber incident reporting is governed by key regulations that mandate timely disclosure of significant breaches. The Network and Information Systems (NIS) Regulations require operators of essential services to report incidents that substantially impact service continuity. These reports must be submitted to the relevant competent authority without undue delay, and no later than 72 hours after becoming aware of the incident. In addition, the UK Data Protection Act imposes strict reporting obligations for personal data breaches. Organisations must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach that risks individuals' rights and freedoms. If the breach poses a high risk to affected individuals, they must similarly be informed without undue delay.

During a cyberattack, CISOs must quickly evaluate whether an incident necessitates regulatory reporting and work closely with general counsel, the Chief Compliance Officer, and if necessary, outside counsel. By leveraging advanced network telemetry and full packet capture, they can gather the detailed information needed to assess the incident's materiality, so that legal, security, and compliance can collaborate to meet reporting requirements while
effectively managing the incident.

Building Trust Through Effective Crisis Communication

Crisis communication during a cyberattack requires transparency and sureness. By focusing on operational impacts and leveraging network visibility tools, CISOs can ensure that they provide accurate and meaningful updates to stakeholders.

With the right preparation, understanding of regulatory requirements and tools to assess the attack’s scope, CISOs are better positioned to manage the crisis and mitigate long-term risks.

Mark Bowling is Chief Risk, Security & Information Security Officer at ExtraHop

Image: Inside Creative House

You Might Also Read: 

The Corporate CISO Role Is Evolving:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Using AI To Its Full Cybersecurity Potential
What Are The Key Trends That Will Shape Tech In 2025? »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Rackspace Technology

Rackspace Technology

Rackspace Technology is a leading provider of managed services across all major public and private cloud technologies. Secure your IT environments with powerful cloud security solutions and support.

CloudCheckr

CloudCheckr

CloudCheckr is a next-gen cloud management platform that unifies Security & Compliance, Inventory & Utilization and Cost Management.

Software Factory

Software Factory

Software Factory develops custom-built high-performance software solutions and products for applications including industrial cyber security.

Cyber 2.0

Cyber 2.0

Cyber 2.0 is the only system in the world that blocks all forms of cyber attack within the organization, including new and unfamiliar attack methods.

Asoftnet

Asoftnet

Asoftnet are specialists in IT security, IT forensics, IT service, websites, applications and mobile solutions.

Connectria

Connectria

Connectria provides cloud hosting, remote monitoring, and compliant cloud security solutions and services to enterprises, medium and small businesses.

CyberSN

CyberSN

CyberSN is your essential partner in cybersecurity workforce risk management offering solutions that empower leaders to diversify, acquire, retain, and develop their cybersecurity teams.

Veridium

Veridium

Veridium is a leader in single step - multi factor biometric authentication, designed to safeguard enterprises’ most critical assets.

SecureTech360

SecureTech360

SecureTech360 is a cybersecurity and IT consulting firm whose principals have extensive experience in Cybersecurity and Information Technology.

Gotham Digital Science (GDS)

Gotham Digital Science (GDS)

Gotham Digital Science is an international security services company specializing in Application and Network Infrastructure security, and Information Security Risk Management.

Cyber7

Cyber7

CYBER7 is a National Cyber Security Innovation community initiated by Israel National Cyber Directorate, Ministry of Economy and Israel Innovation Authority led by Tech7 – Venture Studio.

White Tuque

White Tuque

A new way to protect your organization. White Tuque is your partner in identifying threats, understanding your risk, and ensuring your business remains resilient.

Fairly AI

Fairly AI

Fairly AI is on a mission to democratize safe, secure, and compliant AI across the enterprise.

Defence Labs

Defence Labs

Defence Labs is a cybersecurity company specialising in cost effective penetration testing for small-to-medium sized enterprises.

Interlynk

Interlynk

Interlynk's #SBOM and # VEX-powered platform automates and continuously monitors first-party and vendor software supply chains and helps meet #FDA, #CRA, #GSA, and #DoD compliance obligations.

RedLattice

RedLattice

RedLattice are at the cutting edge of tool development and AI-assisted vulnerability research in cybersecurity.