How CISOs Can Master Cyber Attack Communications

Uploaded on 2024-12-30 in TECHNOLOGY--Resilience, FREE TO VIEW

The modern CISO's responsibility now extends far beyond technical leadership, particularly during cyber incidents, which includes investigations of anomalies prior to declaration of an incident. Effective crisis communication has long been a cornerstone of the role, crucial for maintaining organisational cohesion and stakeholder confidence.

In the wake of any incident, CISOs must balance transparency with strategic messaging, providing clear and timely updates that reassure, without overpromising.

The most important element of this communication is for organisations to have a formal and documented Crisis Communications Plan (CCP) which is critical to manage communications in all negative circumstances. In the situation of any cyber security incident or breach, that would necessitate both internal and external communications, potentially to internal stakeholders, and possibly to external customers, regulators, and even law enforcement depending on the severity.

By mastering this delicate communication balance through the use of a formal CCP, CISOs can steer their organisations through the turbulent waters of a cyber crisis, ensuring that response efforts are complemented by effective stakeholder communication and management.

Managing Uncertainty With Confidence

When a cyber incident takes place, the first question from executives is usually: “How bad is it?”– The reality is that the full scope of the attack may not be clear immediately, and the answer to this question can evolve over time. Early on during an incident, CISOs must communicate the uncertainty of the situation while also maintaining confidence towards rectifying the situation.

It’s important not to overstate what is known, but also avoid conveying indecision or panic. Explaining that the investigation is ongoing, and that initial findings may change as more data becomes available, helps manage expectations.

It is also useful to have previously communicated to executive management and other internal stakeholders what the levels of concern may be. This should involve prior training where key terms such as ‘Event’, ‘Anomaly’, ‘Incident’, ‘Compromise’, and ‘Breach’ are already understood. Understanding the scope of any cyber event goes a long way towards understanding what needs to be communicated, and to whom.

Focusing On Operational Impact

In the aftermath of a cyber incident, C-suite executives and board members typically prioritise understanding the business implications in lieu of the technical details. Their primary concerns often revolve around regulatory compliance, operational continuity, financial impact and the integrity of mission-critical systems. Rather than focusing on the intricacies of the exploit or malware variant used, senior leadership seeks clarity on operational and financial impact, recovery timelines, and the extent of disruption to core business functions.

As such, CISOs must be adept at swiftly translating complex technical information into clear, business-centric insights that address these key stakeholder concerns.

Whereas the CCP manages communications to regulators, employees, and customers, this level of communications is solely to drive business decisions by executive management. This approach ensures that decision-makers have the relevant information needed to guide the organisation's response and recovery efforts effectively.

When communicating with senior leadership during a cyber incident, CISOs should prioritise delivering concise, actionable information focused on impact to technical systems affected by the cyber event, and the consequential impact on business operations and customers. A well-structured update must include the status of critical services, containment and eradication of any hostile presence inside corporate systems, specific actions being taken to
address vulnerabilities once the situation is resolved, and a planned timeline for system restoration. Taking this approach demonstrates how the corporate security department is actively managing the situation, making tangible progress, and aligning its efforts with business priorities.

By providing such targeted updates, CISOs can effectively reassure executive stakeholders and facilitate informed decision-making during both the organisational crisis response and communications.

Keeping Stakeholders Frequently Updated

A crucial component of clear communication by CISOs is the frequency of updates. Regular communication in all situations, perhaps every 30 minutes in the early stages, provides reassurance and keeps everyone aligned. These updates don’t need to contain definitive findings but should focus on progress, such as recovery efforts or confirmed impacts. This will help prevent internal or external speculation and keep the situation under control.

Regulatory Compliance & Reporting

In the UK, cyber incident reporting is governed by key regulations that mandate timely disclosure of significant breaches. The Network and Information Systems (NIS) Regulations require operators of essential services to report incidents that substantially impact service continuity. These reports must be submitted to the relevant competent authority without undue delay, and no later than 72 hours after becoming aware of the incident. In addition, the UK Data Protection Act imposes strict reporting obligations for personal data breaches. Organisations must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach that risks individuals' rights and freedoms. If the breach poses a high risk to affected individuals, they must similarly be informed without undue delay.

During a cyberattack, CISOs must quickly evaluate whether an incident necessitates regulatory reporting and work closely with general counsel, the Chief Compliance Officer, and if necessary, outside counsel. By leveraging advanced network telemetry and full packet capture, they can gather the detailed information needed to assess the incident's materiality, so that legal, security, and compliance can collaborate to meet reporting requirements while
effectively managing the incident.

Building Trust Through Effective Crisis Communication

Crisis communication during a cyberattack requires transparency and sureness. By focusing on operational impacts and leveraging network visibility tools, CISOs can ensure that they provide accurate and meaningful updates to stakeholders.

With the right preparation, understanding of regulatory requirements and tools to assess the attack’s scope, CISOs are better positioned to manage the crisis and mitigate long-term risks.

Mark Bowling is Chief Risk, Security & Information Security Officer at ExtraHop

Image: Inside Creative House

You Might Also Read: 

The Corporate CISO Role Is Evolving:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Using AI To Its Full Cybersecurity Potential
What Are The Key Trends That Will Shape Tech In 2025? »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Synovum

Synovum

Synovum was formed with the intention to provide high quality advice, consultancy, training and project management services to clients in all sectors of industry.

Global Knowledge Training

Global Knowledge Training

Global Knowledge is a worldwide leader in IT and business training, featuring Cisco, Microsoft, VMware, IBM, security, cloud computing, and project management.

Rambus Security Division

Rambus Security Division

Rambus Security Division solutions span areas including tamper resistance, content protection, network security, mobile payment, smart ticketing, and trusted provisioning services.

GTB Technologies

GTB Technologies

GTB Technologies is a cyber security company that focuses on providing enterprise class data protection and data loss prevention solutions.

mmCERT

mmCERT

mmCERT is the national Computer Emergency Response Team for Myanmar.

Assured Information Security (AIS)

Assured Information Security (AIS)

AIS is committed to providing our customers with critical information security products, services, and training. We support diverse needs throughout business and industry.

Egis Technology

Egis Technology

Egis specializes in the IC design, research and development, and the testing and sales of capacitive fingerprint sensor.

NetKnights

NetKnights

NetKnights is an independent IT security company which offers services and products for strong authentication, identity management and encryption.

CICRA Consultancies

CICRA Consultancies

Cicra Consultancies is a company that specializes in cyber security. Our major activities are guided by three main principles: Prevent, Investigate, Prosecute.

Sure Valley Ventures

Sure Valley Ventures

Sure Valley Ventures is an entrepreneur led venture capital fund focused on helping software entrepreneurs grow and scale businesses that will have a global impact.

Cynical Technology

Cynical Technology

Cynical Technology is a Nepalese cybersecurity company with expertise in security consulting, auditing, testing and compliance.

Cork

Cork

Cork is a purpose-built cyber warranty company for managed service providers (MSPs) serving small businesses (SMBs) and the software solutions they manage.

Linx Security

Linx Security

The Linx Identity Security platform enables identity, security, and IT ops teams to finally control the whole identity lifecycle.

WillCo Tech

WillCo Tech

WillCo Tech works to enhance national security and force readiness for military and commercial enterprises with a suite of software capabilities surrounding the human element of cybersecurity.

Pillar Security

Pillar Security

Pillar Security are building the unified AI security platform to identify, assess, and mitigate security risks across your entire AI lifecycle.

Forrit

Forrit

Forrit is the secure and scalable Content Management System (CMS) built specifically for large enterprises in highly regulated sectors.