Top 10 Considerations for Effective Incident Management Communications
Communications are essential to the overall sustainability and success of cybersecurity centers and incident management teams, both in times of crisis and during normal operations. Due to the importance of communications, and the fact that communications planning is often overlooked, the SEI developed the Guide to Effective Incident Management Communications as a resource for cybersecurity centers and incident response organizations looking to improve their communications planning and activities. This blog post is adapted from that guide and it provides 10 considerations for effective communications planning, and considerations and best practices for communications responsibilities in support of incident response services.
Cybersecurity centers and incident response teams focus on mitigating threats by identifying, protecting, detecting, responding to, and recovering from cybersecurity incidents. These teams may be responsible for many different types of communications, ranging from communications with constituents to sharing information with the general public and the media. How organizations plan for and manage these communications and how they are received will influence trustworthiness, reputation, and ultimately the organization's ability to perform incident management services effectively. The guide provides considerations for various types of communications, including constituent, media, and crisis communications. It addresses best practices for the dissemination of timely and accurate information, including organizational considerations, types of communication and content, and examples of what should be included within communications plans.
We used two primary resources in creating and writing the guide: the Forum of Incident Management and Security Teams (FIRST) Computer Security Incident Response Team (CSIRT) Services Framework and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. While the primary audience of the document includes leaders, managers, and incident responders, as well as analysts of cybersecurity centers, computer security incident response teams (CSIRTs), security operations centers (SOCs), and critical infrastructure sectors, others may also find this document useful, particularly organizations and entities that interact with cybersecurity centers and CSIRTs when events and incidents occur; these include C-level executives, cybersecurity policy planners, information owners, public relations and communications staff, and media outlets.
Here is a quick look at our top 10 considerations for effective incident management communications:
1. Consider communications as a strategic initiative. For cybersecurity centers and incident response teams, communications and outreach will play a particularly significant role in reaching constituents, sharing information, building relationships, and fostering trust. Communications transcend all business and security processes, including those that occur under normal operations and during a crisis.
2. Have a reactive communications plan in place. Having an established communications plan will benefit your organization's ability to handle incidents, while attempting to maintain reputation, keep messaging simple and consistent, and ensure accurate and timely information is released to the appropriate audience.
3. Consider your messaging, reputation, and stakeholders as critical factors in the development of communications plans. For any communications plan, internal or external, during normal operations or in a crisis, there are key factors you must continually consider: messaging, reputation, stakeholder management, and accuracy and timeliness of information.
4. In your communications plan, clearly define and determine the following key components:
• establish the purpose
• determine the audience
• define roles and responsibilities
• understand and standardize the messaging
• determine and establish communication channels
• determine methods of distribution
5. Continually train to and test the plan. The first time the plan is tested should not be in the middle of a cybersecurity incident. All key stakeholders should undergo training, which can be conducted as a tabletop exercise or walkthrough of the plan. The plan should also be tested through a real-time simulated scenario to determine if it was designed appropriately or if there are any updates required.
6. Sharing information and communicating with the general public and/or your constituency is appropriate in many different scenarios. These scenarios can range from proactive communications to reactive communications. Each scenario may be unique, and careful consideration should be given to when to release information to the public and what information should be released. For example, consider who an incident specifically affects, the urgency and severity of the incident, and ability of your team to respond to public and media inquiries. Overall, the quality and timeliness of the information released will help establish and build trust with your constituency.
7. The mechanism of communication will also vary depending on the scenario. Consider different methods and mechanisms for publication, depending on the severity and urgency of the information, as well as the audience. For example, social media may be an appropriate publication mechanism to release information quickly and extend your reach to constituents. However, there may be times where a more formal publication mechanism (such as a whitepaper or report) would be more appropriate for additional technical details and mitigations.
8. Media management is a key component of communications planning. Carefully consider strategies and plans pertaining to managing and communication with the media. It is important to remember that the news does not wait for you to be prepared. The hours and minutes immediately after an incident are critical in media relations, and the financial stakes and risks only increase with the passage of time. The media may not be considered your organization or team's constituency or customer. It is more than likely that constituencies and customers are receiving information from the media, thus increasing the importance of a strategy to specifically address the media.
9. It is important that you understand media goals and how your own goals either align with or are contrary to the media's goals. The media need access to security groups or experts to generate stories about specific security problems or incidents and explain the risks and technologies involved. Security teams need the media to raise awareness and educate the public, inform the community and general public about specific problems and solutions, and to be recognized as the source of unbiased technical expertise for CSIRT services. While consideration 8 focuses on the need for a strategy to address the media management component of incident response, this consideration emphasizes the importance of understanding your environment so that you can effectively execute the strategy. Understand your environment and adequately factor these goals into your media management and communications strategies.
10. The way you interact with the media in a crisis will ultimately affect the level of trust your constituencies place in you. Anticipate media interest and work to develop a standard set of frequently asked questions (FAQs), so that your team has materials ready to provide to media outlets when required.
No One-Size Fits All Approach to Incident Management Communications
Like many cybersecurity challenges, there is no one-size-fits-all approach to incident management communications. When referencing the Guide to Effective Incident Management Communications, be sure to tailor the information to your own organizations, services, and constituents accordingly. Regardless of your environment, it will be critical to manage your message, influence the story, and be prepared.
Throughout the COVID-19 pandemic, the Security Operations Team at the SEI continues to develop guidance documentation and share best practices for cybersecurity centers and incident response teams around the globe. Guidance on topics, such as information sharing, sustainable and successful National CSIRTs, and Sector CSIRT development, are forthcoming.
Read Engaging the CSIRT Community: Cyber Capacity Building on a Global Scale by Angel Luis Hueca.
View our collection of resources in the SEI digital library on how to create and maintain a CSIRT, staff and train CSIRTs, and describe common issues CSIRTs face. Also included is information governments can use to develop and manage National CSIRTs.
View our collection of resources in the SEI digital library that detail the problems and challenges that national computer security incident response teams (NatCSIRTs) face in providing incident management capability to governments.