June 14, 2019

Last Updated on January 15, 2024

When an emergency or disaster strikes your business, you need to start communicating about it immediately. Stakeholders won’t wait for answers to the basic question: “How does this impact me?”
For example, customers will want to know about any disruptions to operations. Government agencies and regulators will want to know how the community will be impacted. Employees will have concerns about everything from job security, to where and when to report for work, to whether there are physical threats involved.
You need to prepare a crisis communication plan in advance, so you can provide clear, accurate information to the right people at the right time.
Think about it. The crisis communication plan ensures you do three things: deliver the right information, to the right people, at the right time. Getting all three right in the wake of a disaster can save an “insane” amount of time, resources, and headaches. Missing on even one can multiply the devastating effects of an already challenging disaster.

The Right Information

This may be the trickiest part of a crisis communication plan, “What information do you share?” On this we take a page out of a marketing playbook and say, “know your audience”. As we said above, you have many key stakeholders in your organization: customers, vendors, partners, regulators, employees, etc. All of these stakeholders care about how a disaster has impacted your business in unique ways. Its crucial to communicate based on the needs of your audience, not on the needs of your organization.

View our free cybersecurity resources »

The Right People

Besides knowing what to say, you need to plan for who will say it. Though your crisis communications spokesperson may wind up on the evening news, this is by no means a glamorous position to be in, as both organizational and personal reputations can be at stake. He or she needs to be familiar with the overall context of what is being presented, and painfully familiar with the audience. Finally, your spokesperson needs to be intimately familiar with the tone of the message that is being conveyed on behalf of your executive management. Choose wisely.

The Right Time

The timing for disclosing information is critical. If you provide information too soon, things are probably still evolving, and evolving rapidly. Your statements will be superseded almost before you make them. You might even end up reporting a disaster that didn’t really happen.
But if you wait too long to address your stakeholders, they might find out from somebody else—which is never good. Especially with clients, you always want to be the first to tell them. It’s not just about customer service, but also integrity; and, admittedly, a bit of “CYA”: you want them to hear what you want them to hear, the way you want them to hear it.


How do you manage the process of communicating with customers, investors and other stakeholders? It can be a real challenge, which is another reason why you need a plan. For example, do you have multiple people each phoning some clients? If so, how do you ensure that messages are communicated consistently to each client, and of course not sounding scripted? How do you track who has received your messages and who is left to contact?
In short, crisis communications involve a lot coordination. First, you need to coordinate with senior management before you even engage your crisis communication plan. They’ll want to provide input on when to talk, who to talk to, and what to say.
Your plan also needs to involve your business continuity coordinator, who hopefully has up-to-date information on your recovery status and can help you share that information in the best possible light. You want to promote open dialog with stakeholders. It’s critical to avoid the perception that you’re trying to hide something, or that you’re ducking their questions or concerns.
Another reason you need to plan ahead is that communication in a crisis is cognitively hard. According to leading expert Vincent T. Covello, Director of the Center for Risk Communication and the creator of crisis “message mapping,” people under stress only hear and retain about 20% of what they’re told. Make sure your messages are clear, concise and repeated.
Keep your opening remarks very brief. Limit your statements to 3 key messages, each of which lasts no more than 30 seconds, for a total time of no more than 90 seconds. Confine your statements to the most critical information you feel your stakeholders need to know.
The figure below illustrates one way to apply message mapping:


You’ll also need to predict questions from your audience and have answers prepared. There are three basic categories of questions that you’ll be asked and need to prepare for:
1) Overarching
2) Informational
3) Challenging
Overarching questions are big-picture and high-level, like “What’s the most important thing the public needs to know?” Or “What is the overall impact and how long will it last?” Public officials may ask these types of questions.
Informational questions focus on your response game plan; e.g., “How did this happen?” “Were you aware of the situation before it blew up?” “What are you doing to make sure this doesn’t happen again?” Look for customers and employees to have these types of questions.
Challenging questions are the province of the media or investors. They may ask: “Why should we trust you?” “How did you let this happen?” “Who’s to blame and how will they be dealt with?” “Can we see your records, and if not why not?”
Being prepared for questions can help you avoid saying things like, “No comment”. That statement is not as safe as you might think. It generally implies you’re either withholding information or you’re confused. If you need more time, that’s OK but always keep to the agreed schedule. If you promise more information in two hours and you’re late providing it, you’ll lose credibility. It’s very unlikely you’ll ever actually catch up.
Because of the potential for positive or negative reputational impacts, crisis communications are as important to organizational viability as any other aspect of recover planning. No matter how well you execute on technical recovery, poor communication can cause stakeholders to lose confidence in you, which will immediately impact your bottom line.
In light of its importance, business continuity exercises should include crisis communications as part of the scenario. This is especially critical in scenarios like data breaches, since so many organizations are impacted by regulations or guidelines mandating tight breach reporting timelines.
For example, American Bar Association formal opinion 483 requires law firms to report to their clients in a “reasonable time” if a breach occurs. Likewise, the US federal government mandates that departments and agencies will report breaches up their chain of command within specific time-frames.
Crisis communications ties into not only breach notifications but also incident response (IR). In particular, ISO 27001’s Annex A controls catalog, A.16.1.2 directly relates to information security event reporting. The control states: “Information security events should be reported through appropriate management channels as quickly as possible.” Therefore, when Pivot Point Security builds IR plans for our customers as part of an ISO 27001 implementation engagement, we include crisis communications in their IR plan.
For assistance in developing crisis communications, or for help with creating a crisis communications appendix to your IR plans or business continuity/disaster recovery plans, contact Pivot Point Security.

For more information:
10 Steps of crisis communications
Guidance on creating your crisis communications plan from Ready.gov

Successful vCISO = All Security Roles Filled

This document outlines the 3 critical roles and responsibilities of a Virtual Chief Information Security Officer: Architect, Builder, and Operator.
Download the free inforgaphic now!