Check out our first two articles in this series, Cybersecurity crisis communication: What to do and Crisis communication: What NOT to do.

When a cyber incident happens inside an organization, everyone in the company has a stake in how to approach remediation. The problem is that not everyone agrees on how to handle the public response to cyber crisis communication.

Typically, in any organization, the public relations team handles the relationship between the company and the media, who then decide on how to spin the PR team’s information. And usually, that approach is fine — until there is a crisis to be managed.

Cyber incidents present an unusual challenge to the PR team because, in this situation, they aren’t (or shouldn’t be) the lead communicators.

Cybersecurity mature companies will have an incident response team that includes decision-makers from every aspect of the organization: the CISO, legal, HR, IT, the C-suite, public relations and marketing. In a perfect world, the incident response team will have a well-rehearsed statement for the media, customers and vendors as part of a cyber incident’s aftermath.

Cybersecurity teams and PR too often not on the same page

We don’t live in a perfect world, and in the chaos following an incident, there are often a lot of disagreements between what the cybersecurity team can or wants to reveal and the actual PR approach.

Disagreements often arise from the fact that these two groups may be thinking about very different audiences when refining their messages, said Melanie Ensign, Communications Strategist, Founder and CEO of Discernible, the world’s first Communications Center of Excellence focused exclusively on security and privacy teams.

“Often what I see is that the PR team is speaking about what we say to journalists or what we put on social media or on our website,” said Ensign during a phone interview. “Then we have security teams who are thinking about their peers in the industry and don’t want to be embarrassed by any information released that could be technically inaccurate.”

Having different audiences means the two distinct groups have very different goals in their outreach. The cybersecurity team is focused on the incident itself: what caused it, how to fix it and how to keep it from happening again. The overall team goes into action to mitigate and remediate the problem as soon as possible.

The PR team’s job is to manage the damage and present a positive light in a worst-case scenario. They are the people pressured for an instant response, Ensign explained, and are expected to say things that will make customers happy and often are pushed into making it appear that everything will be fixed quickly.

This is when the disagreements happen. Both sides are doing their jobs, but cybersecurity teams think that PR teams raise expectations on solutions and the comments aren’t as detailed or technical as the cybersecurity team would like them to be. This can be confusing to customers who are seeing one set of comments from PR but are hearing something different from the cybersecurity team.

On the other hand, the cybersecurity team’s concern around a cyber incident is concentrated specifically on the incident itself. The PR team has to look at and communicate the bigger picture. Data breaches, ransomware attacks and DDoS attacks result in downtime for the organization. PR professionals are tasked to be the calming voice when a hospital is offline for hours or days at a time. They are the ones who have to balance communications around financial losses, details about compromised data and any legal issues.

Again, as Ensign pointed out, the biggest conflict between the two groups is different sets of end goals and the time frames for releasing different types of information.

Crisis management and PR’s role in supporting the cybersecurity team

PR after a cyberattack, however, isn’t normal PR; it is crisis PR. Therefore, it needs a different approach.

“Effective crisis communication requires transparency, accountability and empathy, as businesses seek to rebuild credibility and restore public confidence in the aftermath of a security breach,” wrote Evan Nierman.

This is, in part, the role of the communications members of the incident response team. To develop the skills needed to manage official corporate communications during a cybersecurity crisis, it is recommended that organizations build cyber ranges. A cyber range offers the tools and space for incident response teams to train and prepare for a crisis through exercises and simulations. In a cyber range, incident response teams can immerse themselves in realistic scenarios simulating a data breach or other cyber incident, allowing the team to learn how to manage a response and build an effective communication plan around it.

Another tool to help the PR and cybersecurity teams draft their message is the Cybersecurity and Infrastructure Security Agency’s (CISA) new regulations around reporting cyber incidents. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is required for those businesses that fall under the 16 critical infrastructure sectors, but it can also serve as a blueprint for all organizations that want to improve their crisis communications and need guidance to draft their message.

CIRCIA and cyber ranges will help any organization build its crisis communications, but perhaps the best way for PR and cybersecurity teams to stay on the same page throughout the entire emergency is simple conversations on a regular basis.

Ensign said that when she was in other jobs, part of her routine was a daily conversation with the security team. This regular interaction built a comfort level between her communications team and the cybersecurity team. And not everything that needed to be discussed was a high-pressure emergency. Sometimes, it was getting confirmation about a rumor spreading out on social media, and then if the media did call with questions, Ensign had the answer, preventing a potential negative news cycle.

But what if the PR team doesn’t have easy access to the security team?

“I think the most important thing is for the PR team to recognize that security really is not a snapshot crisis,” said Ensign. “It’s really issues management, reputation management.”

Staying united against the constant threat of cyber crises

There will always be cyber incidents, some minor, some major. The PR team has to focus on handling it in the public sphere. At the same time, the cybersecurity team needs to be vocal about their concerns. A message that makes the security team look weak could impact not only the company’s reputation but also hinder the recruitment and hiring of future security professionals.

“If PR teams are not well experienced in managing security incidents, they’re not automatically going to be thinking about things like a technical timeline or remediation steps,” said Ensign.

Yet, someone needs to be advising customers and the sales team on what to expect. “I think,” said Ensign, “that both teams could do a better job.”

Stay tuned for our next article in this series, How CIRCIA is changing crisis communication.