Earlier this month, I attended Tech Show London at the behemoth that is the ExCeL. Aside from getting my hands on a free waffle, I listened in on a particularly illuminating session on comms in cybersecurity – now the basis for this piece.

Cybersecurity and the CSI Cyber Effect

How long is a piece of string? That was the first answer when panellists were asked about some of the common comms challenges faced in the cybersecurity sector. But seriously, what are some of the key challenges?

Firstly, public perception. Cybersecurity has been given the Hollywood treatment, with films and TV shows depicting impossibly attractive actors somehow cracking MI6’s firewall in minutes. Are these scenarios actually possible? Maybe. Regardless, the Hollywood effect has muddied our understanding of what cybersecurity professionals do, why it’s important, and what an actual threat looks like.

In reality, cybersecurity is just about taking care of things; it’s foundational, it’s normal, it’s part of the everyday. But building it into the day-to-day running of a business isn’t as straightforward as it seems. In fact, one of the panellists noted that, in his experience, a lot of companies don’t have a cybersecurity crisis comms plan in place until an incident actually occurs.

It’s going to be difficult to embed cybersecurity across a business if there’s a lack of internal comms, and absolutely zero external comms plans in place. But, as one panellist noted, comms is the number one life skill to have – so how can it be deployed here?

Bridging the internal comms gap

Improving comms in cybersecurity starts internally, by bridging the comms gap. When asked about how this can be done, one panellist said that the answer lies in relationship building, as it trickles down into every area of a business. Another argued cybersecurity should be embedded into projects; it might not be the most exciting aspect, but it is needed. And, of course, the importance of language came up – if an organisation develops a shared language of risk management, it can be incredibly beneficial.

Interestingly, one person said that they would like to see more difficult and awkward discussions happening, especially in the event of an incident. Sure, they’re uncomfortable, but a shared ownership of risk is needed, and being conscious of risk should be normalised across every area of a business. And if a breach occurs, trace it back to see what mistakes people are making to ensure that they don’t happen again.

Never neglect crisis communications

Bridging internal gaps is crucial, but the driving force behind a lot of the session was the need for a crisis comms plan. Think about it: we wouldn’t dare leave our homes without first locking the front door. We don’t even think about it because it’s engrained in us to just do it. The same line of thinking needs to be applied here, and having a comms strategy in place for incidents and breaches has the potential to either make or break a reputation.

In a nutshell, an airtight crisis comms strategy looks like:

• Keeping communication lines open. Externally speaking, it’s important to keep the customer informed, even if there’s nothing to say. Not every detail needs to be shared but keeping them in the loop shows that you’re taking an incident seriously. Internally speaking, I’ll paraphrase what one of the panellists said: the organisations that handle incidents most effectively are the ones that can wake up at 3am and already know exactly who to call. And the ones who are being called will already know why, where the comms plan is, and the next steps to take.
• Redefining messaging. It’s not just about processes. Stressful situations can impact articulation and make even the most unwavering spokesperson fluster, so prepare base responses in advance, stick to them, and update them as and when necessary.
• Living and breathing the plan. Crisis comms is not a box ticking exercise, and a plan should not sit on a shelf gathering dust. Rather, treat it like a fire alarm: build an organisational culture that constantly tests the plan under various scenarios. Keep it updated and drill it into the workforce. Live and breathe it; you never know when you’ll need it.

You may not be munching on a waffle right now, but hopefully you’ll have read this and come away with some important insights. The bottom line? Both internal and external comms have a major role to play in cybersecurity, and if you don’t yet have a crisis comms plan in place, it’s never too early to start working on one.