CISO Challenges: Controlling the narrative by means of a communication policy


While researching the Ukrainian conflict, I found this interesting article about the Russian propaganda and disinformation efforts, and it immediately reminded me of the need for a well-planned and well-executed crisis communication policy. When a major cybersecurity incident strikes, it’s imperative to limit the negative impact of the crisis on the brand, products and overall reputation. In terms of crisis responsiveness, you need a three-pronged approach:

  • Crisis management communication: Incident Handling & Response teams need fluid coordination among themselves and with affected stakeholders, and continuous consultation with general management. Always remember to have an out-of-band channel at hand, because the adversary compromising your systems may be able to snoop on your communications. A non-digital copy of your crisis communication plan could also come in handy, because you may not be able to access your digital media while your systems are compromised.
  • Reputational communication: your institutional image as presented in public and press relations and on social media. Choose your outlets carefully, and never overlook the specialised media of your sector.
  • Regulatory compliance: GDPR (72 hours after the incident is confirmed) and, just yesterday, the US Senate passed the Strengthening American Cybersecurity Act, which requires critical infrastructure operators to report cyberattacks and ransomware payments to CISA within 72 hours.

Given that a company experiencing a cyberattack has a duty to go public, it’s always better to do so with its own side of the story, reassuring its shareholders, stakeholders, supply chain and clients. You should aim to “control the narrative” about the event, presenting your interpretation of the crisis before other players do.

So let’s check how the Russian propaganda efforts fare from a crisis communication management point of view:

  • Planning and timeliness: well orchestrated and planned, and delivered in a timely fashion.
  • Alignment with organisational vision: taking into account that Russians refer to WWII as the “Great Patriotic War” and have traditionally downplayed the Western contribution to victory over the Nazi regime, the emphasis on presenting the intervention as a de-nazifying operation seems consistent. It also conveys a willingness to provide “solutions” to current “malfunctions”. (Please note the scare quotes when reading this.)
  • Tailoring to the audience / Prioritisation: extremely tailored and mapped to different audiences. Efforts have been “prioritised” (sadly) against the victims, the Ukrainian people, with Russian citizens as a secondary audience of sorts.
  • Outlet / Channel choosing: Russia has covered all the bases in this regard. The breadth and depth of the Russian propaganda apparatus is staggering.
  • Transparency / Truthfulness: the obvious and deep cynicism of the spin diminishes its efficacy.
  • Clear, short and actionable messages: absolutely. Most of them aim to foster the idea that resistance is futile.
  • Reassuring the stakeholders: the internal message for Russian citizens tries to convey that there is an easy and fast fix to the crisis, and that “we do” and “we care”.

I would like to end on a personal note, expressing my deepest admiration for the resilience and spirit of all the peoples of Ukraine. I’m trying to do my bit, helping a group of Ukrainian ex-pats to fact-check social media info. If you live in Spain, you can support the victims of this conflict, here.


Written by Luis Alfonso Rodríguez de Trío

Internal Audit Tech & Cybersec / Senior Cybersecurity Leadership / IT Director. MBA, CCISO, CISM, CEH, CHFI, ECIH, Security +, ECI.
