Welcome to the Matrix: How Stakeholder Analysis Improves Communication During a Cybersecurity Incident

Listen to this podcast on iTunes, Soundcloud or wherever you find your favorite content.

This week, Loren Dealy Mahler, president and founder of Dealy Mahler Strategies, returns to the podcast to share more of her cybersecurity incident response expertise. Following previous conversations about improving disaster response and the types of data to consider in a risk assessment, this installment explores the critical role of stakeholder analysis in crisis communication.

What Is Stakeholder Analysis?

Conducting a stakeholder analysis before a cybersecurity incident allows companies to collect 75 percent of the information they need in advance. While the term sounds daunting, Dealy Mahler puts it simply: Stakeholder analysis is a “comprehensive list of all the types of people who have a stake in the business outcome of your organization.” It covers both internal and external stakeholders, helping companies quickly assess how far their post-incident communication needs to reach.

Who Needs to Know What About a Cybersecurity Incident, and When?

Internally, security teams need to tell executives about incidents while being mindful of differing geographic locations and specialties. They should also tell the board — as Dealy Mahler notes, it’s better to have them “unhappy and informed than having someone else tell them first.” Externally, stakeholder lists may include industry analysts, investors, industry groups, and customers and clients.

Dealy Mahler also discusses the importance of “making sure people have what they need to take action.” For the customer relations staff, this could mean developing a script to answer customer questions about a cybersecurity incident, while marketing teams may need to hold off on information security presentations in the wake of a breach.

The “when” is often in someone else’s hands — such as the legal or HR departments — but Dealy Mahler recommends using “timelines and requirements overlaid with judgment.” For example, some stakeholders may not require notification within 72 hours of an incident, but notifying them anyway can help meet expectations and boost corporate reputation.

Companies should consider how they regularly communicate with specific groups and decide if that is the appropriate channel for crisis communications. For IBM, an effective strategy is directing users to an internal website that contains relevant, centrally managed information. Dealy Mahler suggests creating channels for the eventuality of a cybersecurity event and keeping them dark until they’re required.

Welcome to the Matrix

Dealy Mahler champions the use of a regularly updated “matrix” that categorizes these who, what, when and how considerations.

Cybersecurity incidents can happen to any enterprise, so planning ahead is crucial. Preparation starts with stakeholder analysis that helps define who needs to know about an event, what they need to know, when they need to know it and how best to tell them.

Find more valuable insights from Loren Dealy Mahler at the Communications War Room on CSO Online, and subscribe to the SecurityIntelligence Podcast so you never miss a new episode.

Mitch Mayne

Public Information Officer, IBM X-Force Threat Intelligence

Mitch is the Public Information Officer (PIO) for IBM Security X-Force Threat Intelligence, and is responsible for how...