How would you handle crisis communications following a major incident, given that CISOs/CSOs are often blamed?
Founder/Chairman/CTO in Telecommunication, 2 years ago
Crisis communications are difficult but the information aspect goes back to transparency and humility. Transparency and humility are admirable character traits, but they’re also powerful tools in our space when it comes to deflecting stuff like that. If you already have trust when a breach happens, you're in a better position to explain what's happening and have consensus. It should just be about what's actually going on. But that's just not how it works in a marketing and social media context, so you have to be able to steer that stuff and those tools are good ones to begin with.
Sr. Director of Enterprise Security in Software, 2 years ago
You may not even know the name of a particular company’s CISO, but when they have a breach, suddenly you do. And suddenly you have an opinion on this individual who you may or may not have ever met. People remember who handled it well and who could have handled it better, but how do you even prepare for that?
Senior Information Security Manager in Software, 2 years ago
Sometimes it's more than a matter of how you handle it. You have to find out what tools the CISO was given: What was his budget? Spaf's law is a concept by Gene Spafford from Purdue, and it states that if you're tasked with security and you don't have adequate budget or people, then your role in the organization is to take the blame when things go wrong. And that's why people say the CSO is chief scapegoat officer.
The media often tries to find simple answers, but these are complex issues. You have to look at the big picture because every company could be breached every day. It's just a matter of time, luck, and other things.
Founder/Chairman/CTO in Telecommunication, 2 years ago
The CISO being the actual root cause of the problem is probably a rare thing.