CERT

CERT'S PODCASTS: SECURITY FOR BUSINESS LEADERS: SHOW NOTES

Crisis Communications During a Security Incident

Key Message: Business leaders need to be prepared to communicate with the media and their staff during a high-profile security incident or crisis.

Executive Summary

It is easy to get caught by surprise when a high-profile, public security incident occurs and your organization is involved. Developing and exercising a communications plan in advance of any incident can help business leaders deal effectively with situations in a truthful and honest manner. This is accomplished by working with communications, media relations, and public relations professionals.

In this podcast, Kelly Kimberland, public relations manager for Carnegie Mellon's Software Engineering Institute and CERT, discusses the importance of having communications roles and responsibilities, strategy, plans, and processes in place and ready to go when a security incident occurs.

PART 1: CRISIS COMMUNICATION PLANNING AND RESPONSE

In handling security incidents, a crisis communications plan:

  • defines and sets expectations
  • defines the process for what needs to be done, including roles and responsibilities
  • defines key messages that need to be conveyed to different audiences based on the nature of the incident
  • provides names and contact information for media and press contacts
  • provides names and contact information for experts that may be needed to speak to the media
  • in essence is the organization's handbook or playbook for dealing with a crisis

Such a plan needs to be consistent with and reflect the organization's strategy and objectives.

Interacting with the media may involve:

  • establishing solid relationships well in advance of any security event
  • researching the incident that members of the media are asking about
  • getting the word out proactively for potential or current incidents that may not yet be public
  • contacting reporters (or their editorial desks), news services, newspaper and TV outlets, and other media outlets
  • providing organizational contact information for further inquiries

Public relations (PR) challenges during a crisis situation include:

  • coordinating and logging all of the requests for interviews
  • handling and "triaging" phone calls and email requests
  • matching media requests with the appropriate and available internal experts who are ready to be interviewed
  • making sure that all of the information provided to the media is accurate and does not inadvertently escalate the situation

PART 2: ACTIONS BUSINESS LEADERS CAN TAKE

Be proactive: Involve corporate communications and PR staff at the earliest possible time when a situation becomes known.

Prepare key messages: Work with PR staff to describe the situation truthfully and honestly to both external and internal audiences.

Build the relationship: Meet with PR staff regularly to set crisis strategies and gain a better understanding of how to handle crises in the future, based on past experience and the experience of others.

Practice: Run tabletop exercises and drills of example crisis situations that may arise.

Communicate: Make sure senior leaders, mid-level managers, and staff are all aware of the organization's crisis communications strategy, plan, and contact list.

Be flexible and adaptable: Use the defined process as the foundation, but be prepared to shift gears as required.

And when something goes wrong:

  • Mobilize the team.
  • Rethink strategies to get back on track.
  • Anticipate alternatives in response to possible changes in direction.
  • Proactively communicate about what's going on versus responding reactively.

Stay current: Attend a media relations or crisis communications training workshop at least once every two years. The role-play for dealing with tough questions is excellent preparation.

Resources

Public Relations Society of America. This site is for PR professionals and includes useful crisis case scenarios.

Institute for Public Relations

Copyright 2007 by Carnegie Mellon University