
BSidesCT 2018 - Loren Dealy Mahler - Incident Response Communications

Channel: Bsides CT | Duration: 1:02:14 | 91 views | Published 2018-11 | Watch on YouTube
About this talk
BSidesCT 2018 - Loren Dealy Mahler - Incident Response Communications: Putting Out Fires Before They Start

With the recent wave of high-profile data breaches, security experts are beginning to realize that the way you communicate before, during and after an incident plays a large role in determining the ultimate impact on your organization, and that the cost of an incident can skyrocket with just a few missteps. However, despite this realization, far too many companies continue to neglect communications in their incident response planning. This session will cover specific steps you can take now to improve your incident response communications, and review case studies of who got it right and who got it wrong.
Transcript [en]

we're gonna get started with introducing our next speaker again we want to say thank you to all of our sponsors and make sure you visit their boots out right outside this this room and make sure you get your breakfast in the room next door so let's get started with our next speaker I want to introduce Lauren D Lee malar she leverages experience across national security corporate communications and crisis management and helps her clients grow their business through smarter communication strategies while protecting themselves through improved organizational resilience and Incident Response management so put your hands together for learn D Lee Miller thank you all right good morning good morning you have to say a big giant

thank you for anyone who would get up and be out here this early on a Saturday and I know we've all been out here for a while already so here we go round 2 will load up on coffee again after this or at least I will I don't know about the rest of you before you're old so I've been going for quite some time already um so to give you a quick sense this is not gonna be the same as the other presentations you're gonna hear today this is not technical this is not anything IT this is not systems and networks this is how do we make your jobs more secure and better and how are

executives in this space now how are seaso is how our CIOs how are people who want to move up the food chain in this space thinking and what are they taking into account so that they can be better at their jobs this day so we're talking about Incident Response communications specifically Incident Response obviously a big piece but we're talking about the one element that is quite often the most overlooked and that's when something happens how do you communicate so that you don't make everything worse I like say how do you avoid actually pouring gasoline on yourself when someone else is already lighting a match and throwing it at you so this is where we're gonna start a quick little

background on why I'm in this space and why I do this and as Roman was saying I come from a background in national security I spent a decade in DC Department of Defense see Capitol Hill all over the place in the day corporate communications in New York and missed the security I found the corporate space to be incredibly boring but really really enjoy helping companies organizations protect themselves and defend themselves so I went out on my own and I get to overlap all those fun things but from all those different perspectives have realized this is quite often a blind spot that harms organizations so whether you are in-house in a security team or in an IT role or you are with a company

a vendor who's providing these services being more familiar and more aware of this full sort of 360 view of security for a business actually will make you better so a little bit on the why this all matters and this right here kind of sums it up when you read about data breaches when you read about any type of cyber incident that happens the reason you're reading about it is because it sucks nobody reads about the little things nobody reads about the little bump that happened that's a typical Tuesday afternoon glitch in the system you read about the things that get to the level that's worth reading about and the really big things that you read

about over and over and over and over again you read about because somebody screwed up the response you don't read about it once you read about it 30 times 40 times you read about it you know we're still reading about updates on Yahoo and Equifax and things like that because they screwed it up so this right here by this little dumpster fire picture has been a permanent fixture in my Twitter feed from everybody and their mother who uses it to describe every new thing that happens because everything is basically a dumpster fire you can throw a match at a dumpster and it's not gonna catch on fire but if you pour gasoline on it yourself then you're gonna get a

big ol dumpster fire so that's what we're gonna work on and this right here some up smart communications from the beginning when you're doing a good incident response plan can actually improve organizational resiliency to make your company better capable of weathering a storm and you can also just avoid making everything more pain avoid making everything worse along the way and at the end of the day the job you save may be your own so we're gonna start with some fun facts communications it's not just for the PR team anymore going back to some of what dr. Scholl was just saying the idea of cybersecurity is a really fun word that everyone outside of our sphere and this

bubble here doesn't always understand like you're saying they want to spend all this money on products and all these like magic boxes that we pull off a shelf and we plug in and everybody's happy well it doesn't work that way but you know what the reality is everybody who doesn't understand it wants to talk about it and they usually have the money to spend on it so you have to help them understand what they should be spending their money on and help them understand the smart way to invest those resources so that they create an actually secure organization or as we'll see not just secure but resilient so communications you have to do it you have to embrace it

whether you like it or not not all communications are created equal there's the kind of communications that you need internally to convince somebody that you need the budgets that you need the resources that they don't just need to buy a million dollar box off the shelf but maybe if they spent some on some training or some people that it might actually have a better impact there's also the communications that we're gonna talk about today that we're gonna focus on which is specifically incident response specifically crisis communications but in a cyber setting so there's a difference there between the communications that your PR team will do that promote your company promote your organization that are marketing internal

where you're actually trying to build out your space and get the things you need in your organization and then there's the crisis piece which again everything we're talking about today the reason it matters and the reason that the traditional PR crisis response communications world isn't ready for a cyber event is because a cyber events not the same traditional corporate crisis you have a product malfunction you have a CEO scandal you have you know fraud what those things are they're not going to act the same as a cyber event and because they don't act the same the people that you typically say that team handles this I don't have to think about it isn't going to be handling it the

right way they're not going to be handling it in a way that is adequate to the type of an event that you are dealing with in the cyber space it won't play out the same way a cyber event it can depending on the size and scope can take days weeks months before you actually know what's happening is you're learning more information over time whereas a typical traditional corporate crisis happens quickly and you push information out and you're done you wash your hands you move on that doesn't work in your situation and if somebody on the communications team is trying to use that old playbook you're the ones who are gonna pay the price because they're

gonna bungle the response and that blows back on you so hey look at those numbers that are not actually numbers anymore sorry about that so technically this is number four but you can make it number one if you want that's fine they're all important so it's really important to remember whether it's number one or number four that everything is in a crisis we say crisis communications because that's the industry term that's what we use in the communications world it's a crisis everything's a crisis is it a little crisis or is it a big crisis but it's important to remember that you don't respond to them all the same way sometimes a molehill is really just a

molehill you can make it a mountain by screwing it up and by acting the wrong way and responding to it the wrong way but you don't have to sometimes it really is a mountain and you need to treat it like a mountain you can't just ignore it and pretend it's molehill because that's when you know you start pouring the gasoline so it's important to remember that there's different sizes shapes scopes of a crisis event number two that's nice so I swear to god these all said 5 1 through 5 when I finished this the first time around again why it's important to you is because at the end of the day no matter who was

responsible for that communications piece if it goes wrong the whole response goes wrong the slide we just saw all of those big headlines all of those individual dumpster fires were based on poorly managed responses that were quite often poor because they were communicated poorly you know who didn't get fired the chief marketing officer the head of communications the chief PR team lead whoever that is the person who gets fired is you there's always gonna be a scapegoat and it's very rarely the person who communicates badly so it's important for you to know the way that this should be done even if you're not the one in responsible for doing it because you are responsible for

putting together the security that responds for putting together the plan that responds to all of this so at the end of the day it is technically going to fall back on you so you need to be able to ask the right questions so resilience we said before everybody knows this every time I feel silly for saying this because it's so obvious there's always somebody who goes oh so I'm gonna keep saying it we're not looking at defense we're looking at resilience we're not looking at are you secure we're looking at are you resilient you can build up big walls you can build up all the defenses you want someone's getting in them it's not if

it's when bla bla bla again there's always somebody who looks surprised when they hear that if you are that person please don't nod your head and out yourself so again it's not about being secure it's about being resilient it's not about preventing something forever and ever and ever it's about making sure that whatever comes at you you got it you've got this your organization can handle this and move on it's not just enough to have a resilient network you have to have a resilient company you have to have a resilient organization you have to emerge from this event not only with a clean system but with a business that is still intact and functioning and that

means you still have customers that want to give you money for something because they still trust you you still have vendors that want to work with you you still have that hold client ecosystem that is willing to let you be a part of it all of those things matter and they all go back to protecting your reputation protecting the trust that that is built on does that make sense you can have a really great clean system and that's all um because you got you know your networks were super resilient but if no one trusts you enough to use them it's not a business it's a hobby hobbies don't make you a lot of money unless

they're like you know Etsy hobbies which there's probably not a lot of in this room let's be honest so reputation why does this really matter brand reputation we're gonna be on this slide for like five seconds cuz again there is very little about reputation that's actually relevant directly to your day-to-day work but again this is part of understanding the big picture of what everyone else is focused on so that you can be better at your jobs you have more awareness brand reputation is what drives your company's bottom line it's what makes people give you money for something products services advice whatever it is people pay you for something and you want them to keep doing that so you have to have a

reputation that says yeah I'm worth your time in your money reputations are absolutely built on trust you have to protect that trust at all costs that has to be one of the top things that is a priority regardless of where you are in your company's system where II where are you vulnerable this is an important question to look at when it comes to reputation we talked a lot and duck show was just talking about threat modeling risk assessments good cyber security programs are based on risk if they're not based on risk you're probably just buying boxes off the shelf and stacking them on top of each other and hoping you built a really strong wall out of that

and that's like Legos it's not the same because trust me Legos fall apart real fast and when you step on them so when you look at risks you have to look at where you're vulnerable what kinds of data are you protecting you know people always say what are your crown jewels and I think there's more to it than that that's that kind of overly simplistic but when you look at the most obvious kinds of valuable data that you have people immediately jump to the kinds of things that you see in headlines do we have social security numbers maybe not maybe we do we should probably do we have credit card numbers are we a retailer do

we have customer personal data do we have health information do we have IP are we a company that has the schematics to some weapon system or do we have the secret sauce formula to you know whatever new thing is out there those are the obvious answers those are the obvious things that you protect from a business priority perspective from a reputational perspective there's more to it and there's four things that I like to touch on that I think are important that are always overlooked one you may have all kinds of things internal to your systems that you haven't thought about you may have strategy documents you may have information about plans that your company is looking at are you

going to be going through an acquisition are you exploring different options are you looking at being acquired are you looking at acquiring someone else what kind of research have you already done that's on your system and should be protected what kinds of market research have you done have you done research on competitors in your space because that kind of information will be valuable to someone else and will be a little embarrassing if it gets out there to see what you really think about all your competitors the two that are the most often overlooked think about every single email that you have sent in the last week maybe the last month but I'm pretty sure the last week will be

sufficient for my point now imagine that every single one of those emails gets published tomorrow no context no opportunity for you to say oh no that's not really what I meant no no that's not really what I think about that person that has a reputational impact think about Sony the Sony hack just all their emails how many people were super embarrassed after that came out how much of an impact did that have on the business when you actually saw what they were talking about and thinking and decisions they were making internally that can have a huge impact both personally and professionally the last one that really really is often the the moment particularly if you are a

vendor if you are a small company if you are a professional services firm a law firm a PR company a consulting company a business manager a bank anything like that you are part of someone else's network you have connections to your clients you have connections to your customers you may not be interesting but you have access to interesting people the most valuable thing that you may offer someone else is access to a bigger fish and the last thing that you want to do if you're worried about protecting trust and having people trust you as a vendor who offers a similar service to ten other companies although obviously superior but they trust you because they pick you one of the best ways to reach

that trust and to harm that relationship and to convince someone they should go use the other guy is to let a bad actor into their system through your door you never want to be the weak link in the ecosystem and it's all an ecosystem these days there's very very little one-off here and there it's all an ecosystem you hear everything about third-party breaches you know the most obvious is target who would have thought there was anything interesting in an HVAC vendor system turns out there wasn't except there was a door into target which was pretty interesting so just remember that that access is something that has to be protected so there's a lot more that goes into risk

assessments and identifying vulnerabilities than just how many users do I have how many endpoints are there like you have to think about this from the full business perspective so what can you do this is reputational resilience and there's really three parts here and again these are important for you to understand even if they aren't directly in your area of responsibility these may not directly be your AOR but there is somebody who should be asking these questions and doing these things and because you are going to be ultimately responsible for how well they do them you need to be able to ask the right questions you need to know what they should be doing so you

can make sure you're protected by them doing it right so plan train respond pretty basic in the incident response space obviously you plan if you don't train to it your planning doesn't count and you have to actually respond you can have a really cool plan on the shelf but if you throw it out the window who cares you have to actually execute that plan appropriately we're gonna talk a little bit here this is we're gonna spend a little bit more of your time and I have no sense of timing where we are I guess okay so this right here I think is one of the more important places to spend a little time so there are three pieces to putting

together a good plan a good plan that takes into account reputation that takes into account the priorities of the other parts your organization and it starts with having the right team who needs to be in the room who besides just your small data security focused team needs to be a part of the decisions that are made about how your organization's gonna respond you need to know these people ahead of time you need to know who they are how to reach them how to reach them on a back-up plan because if all of your communications system is compromised you can't pick up the phone and call somebody how are they going to know they need to show up so when you think about

across an organization who needs to be a part of this team obviously you've got IT you've got your CIO you've got your C so you need to have obviously communications obviously because somewhere you're gonna have to talk to somebody about something and you need to do that in the right way so you need to communicate communications rep you need legal because as we know there's about 150 million different overlapping regulations and compliance requirements and every contract you sign may or may not have some variation of a notification clause in it and you need to make sure you are moving through that maze the right way you need to make sure that you are checking all those

necessary legal boxes and I'm not gonna go on and on about how important your lawyer is but they're super important so you need your lawyer you need HR quite honestly because you need to be able to communicate internally you need to be able to communicate internally among the employees your organization whether there's five of you or five thousand somewhere information has to be exchanged so that everyone's aware of what's going on to the extent that they need to be and anytime you're communicating like that internally to employees to staff HR needs to be involved because that's really in their world whether or not they're actually going to compose any of that or hit Send on any of those

communications totally irrelevant they need to be a part of that conversation so you're probably going to have depending on your organization how you're structured different business units someone in charge of different regions different audiences different customer base you need to think about who those people are gonna be ahead of time and you need to know who they are and you need to have updated information so that if some guys switched into a new job or left your company and went somewhere else cuz lord knows there's enough transition around this industry you need to know who that person is now god forbid something break you need someone at midnight and you realize they don't work for your company anymore and

then you have to spend the entire next day figuring out who works there now not helpful so you need your team and you need to know roles and responsibilities and you need to have this ironed out ahead of time I know that sounds silly because obviously when you all get in the same room everybody knows what legal does everyone knows what PR does but when it comes to an actual crisis event an event that is significant enough that it requires all these people in the room together you were gonna have streamlined processes you're not gonna go through the same 12 people have to sign off on every sentence before we say it to anybody because that's just gonna tank

you from the start you have to know what that approval chain is gonna look like you have to know who's gonna be in charge of getting information who's gonna be in charge of vetting information who's gonna be in charge of taking that information and writing it in English so that someone else can understand that all of those things have to be ironed out ahead of time and one of the big reasons is that you're gonna build tools this is something ahead of time that saves so much time because when when something occurs and you all know this when there's an event all the rules although we play nice together as a team everything's nice and orderly it goes

flying out the window nobody cares anymore everyone's running around trying to figure out what's happening what's going on is it my fault I hope it's not my fault let me make sure it's not my fault so you lose a little bit about that you know raw team spirit kind of thing because everyone wants make sure they're not the one taking the fall for something so when you think about that environment that fog of war if you will where it's just all a little fuzzy what can you do ahead of time that will help you make good decisions in that space what will help you make objective decisions that are good for your company based on the plan that you've built and

not decisions that are based on emotions and fear and uncertainty because that's what's gonna drive the train if you haven't already done this if you haven't already built these tools and these reference points to say here are the things that I need who do I need to talk to let me look at you know I'll talk about a couple of the tools here a minute who do I need to talk to what do we need to do what do we need to monitor let me get those things done ahead of time so that I can pull them off the shelf look at them and start moving down that road as opposed to let me think

what sounds important I don't know who's in that job is there somebody is this relevant to you know this business unit you've already made those decisions so you know and you can compare and it becomes a much more objective exercise that's when you make good decisions and not scary subjective decisions so anything that'll help you save time think about the kinds of decisions you're gonna have to make in that moment what do we know so ahead of time roles and responsibilities whose job is it to figure out what you really know who do we need to tell so ahead of time what can you build that will help you identify the full universe of people

that you may potentially have to talk to and identify the types of information they will need and the times you will have to talk to them that's a stakeholder analysis quite possibly not in your world if it is in your world I'm kind of sorry for your job description but somebody in your company should have been doing this they should have a stakeholder analysis from any other type of communications planning that they've done but making sure it's tailored to an actual cyber event is key so a stakeholder now everybody inside your company not to the individual but to the function that you will need to tell and everybody outside your company who has a stake and what

happens to you investors the board the media business partners vendors all of these people have to be included internally executives well are they you know do you get subgroups within this do you have executives who are responsible for different regions of the world they're gonna need different information than someone else do you have a sales team do you have a customer service center is there somewhere where everyone's gonna start calling when they figured out something happens someone's got to think about what those people are gonna say when they answer the phone they're the point into the sphere you got to make sure they're set up for success and to protect you so that big stakeholder analysis becomes essentially

a big grid and a reference point you pull it off the shelf you know the facts that you have of the situation at hand and you say okay based on what we know here's what we need to talk here's who we need to talk to and based on the information we've gathered here's the best way to talk to them here are the channels that exist for communicating with these groups and here's who's responsible for it you've already made those decisions because you've already put in the time that will save you the time and help you make those decisions and not forget anybody who needs this information another important tool goes back to the mole hills and mountains conversation

you need to have an a scale an impact scale that is appropriate for your organization there's no one-size-fits-all because something that impacts you may not impact someone else in the same way but you need to have that built out say one through five what counts as a one what counts as a two three four five specifically based on the impact your organization and at each of those points how are you supposed to respond who needs to be part of the conversation at each of those increasing levels and importance once you have that you can say again what do I know what do I know now what is the potential for what this could become but what is it

actually right now not guessing not speculating and based on that where does it fall on this scale that's gonna determine how you respond doing that ahead of time makes this a decision-making exercise not an information gathering exercise it makes objective decisions better so your team your tools and your to-do list this is the what needs to get done this where you line up all those things that you have to do you have to somebody has to monitor the media so that you have a heads up if there's any kind of leak coming in someone has to be on social media someone has to be gathering information someone has to be starting to draft responses someone has to put

together a holding statement which again in communication circles quite often people still don't understand what a holding statement is it sounds silly but it will harden me save your ass more often than not it is literally three or four sentences that say nothing literally nothing because you probably don't know anything all you do is acknowledge there's a thing and you're working on it and we got this we'll get back to you with more information everybody knows at least one person who can talk for 20 minutes without saying anything probably more than one person there's probably some in this room all your heads just turned so that is a holding statement it is literally nothing but in enough words to where if

something gets out before you're ready to talk about it you have an answer you put out words that make people respond to you rather than you having to respond to other people from a reputational communications perspective it lets you continue driving the train even if you don't know where you're going it keeps you in control of the situation so that's on your to-do list this is a checklist this is so you say okay what do we have to do and again it makes objective decisions faster you look at is there anybody going do we have any folks speaking at a conference this weekend do we have anybody doing a webinar on security this afternoon all

those kinds of things that you might want to pull back on you might want to see what's in the pipeline see if you need to adjust base to your situation is somebody sitting down for an interview with Forbes and we need to maybe adjust some of their talking points things like that that will help you again make good decisions keep everything under control and not just make it worse by losing control of the edges so your team your tools and your to-do-list majority of this can be done ahead of time I always say that about 80% of what you need to communicate effectively in the event of an incident can be done ahead of time and if you've done it

ahead of time then you are actually going to be better when you have to pull that trigger and actually implement that plan otherwise all bets are off good luck and training this is also very important I love sports metaphors I hope that works here the usually about half the audience is like oh ok and the other half is like oh so bear with me nobody shows up cold on game day you take a football team you don't all say great welcome to the team here's your playbook see you Sunday and then you all show up and like start introducing yourselves to each other right before kickoff that's not how that works you practice you practice practice

practice because you have to know what everyone else on that team is doing you have to know what they're thinking what their priorities are where they're going so that you can actually connect and make that work you know your quarterback needs to know not only what he or she is doing they have to know what the wide receivers doing so that they can actually connect and it has to be predictable there's muscle memory involved in training the way that you develop good muscle memory is that you train in different ways every time there's a training it doesn't have to be this giant shut down the company for a day realistic role playing thing it doesn't always have to be like that that

is important that is in a very important event but you don't have to do that so often that it becomes a bother sometimes it helps to just sit down and say all right here's the script here's how this is gonna go does everyone note their role is okay great check see in a corner then you know who the people are what they're doing everyone's made sure they're you know contact information is up-to-date you can run anything in between that big medium small whatever your objectives are you can change how you train but it's important to use realistic scenarios every training shouldn't be a bunch of executives sitting around the conference table reading from a script because no one's

getting anything out of that all the time. It's important to add injects, a little inject into the middle of your scenario. I do training workshops on this for different folks, and this is always one of my favorite pieces, because you really get to screw with people's heads, and that's kind of the whole point of training: to see where your plan is weak and to see where your people are unexpecting, where they're not expecting something to change, because they have to be ready to roll with that. So in the middle of an exercise, everything's going along, all of a sudden you pop in and you say, "hey, I just saw

this tweet from Brian Krebs, he mentioned our company, he doesn't know what's going on but he heard there's a thing," and then you just step back and watch, because it's awesome. I mean, it's awesome if you think that's funny; I think it's funny. So that's a good way to test your plan and see if people are ready to think on their feet, because this isn't science. We're doing our best to make it as scientific and as methodical and as formulaic as possible, but at the end of the day it's art. It's just art, because you have to feel your way through it to do it right, and it's gonna change all the time, and you have to be ready for

that. Understanding all the roles, we talked about this. This is important. This is where everyone on your team needs to understand what everyone else on your team is doing so that they can more effectively handle their responsibilities in this unknown situation. When everything is in flux, you have to know where everyone else is moving around you so that you can make the best decisions possible within that context. So, I can tell I'm visual, like I've drawn this whole thing up here, I hope you can see it, it's in the air, but everyone's got their own little place where they're spinning and doing the things they're responsible for, and they know what they are because you've

built them ahead of time. You've told them what they are, and everyone knows what everyone else is doing even if they're not watching it, because you've trained to it and you understand how you're all working together. That's important. Don't underestimate the power of social media. Most people don't, but you'd be surprised, as you go farther and farther up the food chain in a company, how often people really like to underestimate the power of social media. Hopefully there will come a point 20, 30 years from now where that's not the case anymore, God willing it's sooner, but right now people still underestimate social media. The thing in the traditional crisis communications world where I used to say it's a 24-hour news

cycle, you got to get stuff out there; now it's about a 60-second news cycle. Things fly. That's why that holding statement is so important, because the minute something gets out there, it's like throwing it into a system and watching it just get whooshed way out of your hands. You lose control over it. So you need to know when something's coming at you, and you need to be ready to push something back at it quickly, so you feed that constant machine or it's going to feed on you. All the rumors are gonna get out there before you have a chance to put out facts, all the people who are speculating about "oh my god, what you did, what you

didn't, I heard this, I heard that," it's gonna get out there. And one of the easiest ways for something to leak is a completely innocuous social media post. Some of my favorites are, you know, "oh hey, that's really funny, my buddy John came here, he showed up on Tuesday, we weren't supposed to have lunch until Wednesday, that's funny." Yeah, well, John works for the forensics company. He's there checking out your system to see what just happened to it, and everyone knows where John works, so now they all know that you have an incident. It doesn't take a lot of dot-connecting from someone who knows what the dots are to be able to put those kinds of pieces

together and to then ask. So it all comes together as a tweet, a question, a phone call from somebody who's like "hey, this looks funny, is there a thing here?" and it turns out there is a thing there, but you weren't ready to talk about it. So you have to be ready for that kind of thing. Like, "hey mom, I'm not gonna be able to make it home for dinner on Sunday night because I have to work all weekend." Mom posts on Facebook, "oh, that's too bad, Johnny can't come home for dinner on Sunday, he has to work all weekend, something big's going on at work." You know, that's really cute, except mom's probably not just talking to a bunch of other

like 80-year-old moms, or however old all your moms are, which unfortunately may be my age, which is not 80. So you have to think about all those kinds of pieces, and again, those may not be your exact responsibilities, but you need to understand that those are considerations that somebody has to be thinking about, and if they're not, again, it has the potential to blow back on you, not them. So we train and we train and we train, and when we respond we make sure that we've taken this great plan that we trained to so well and that we are actually executing that plan in an effective way. It's really hard to tell,

without being a fly on the wall, what has driven decisions from some of these companies that communicated so badly. You don't know: did you get bad advice, did you have a bad plan, or did you just choose to ignore all of it? And, you know, somewhere there was a CEO who was like, "oh, I'm just gonna fly by the seat of my pants, I have good instincts for this." Well, you don't always. So that's why you have a plan in the first place. There are important rules of thumb when it comes to response. Every response is gonna be different, and I can't stand up here and tell you these are the five things that

you have to have in every single response, because it will change. It depends on the audiences, on the specifics of the incident, and it depends on who your company is and what you are trying to protect. Ultimately, the most important thing to remember, your objective again from the broader business perspective: relationship management matters. This is, again, this isn't the forensics, this isn't the "how do we, you know, mitigate this threat, how do we get our networks clean," that's all going on anyway. The other piece that somebody else should be worrying about is managing your relationships through this event. That has to stay front of mind as this is happening, and based on that you respond to incident specifics:

you only talk about what you know. You don't guess. Guessing is where you have a problem, and this is particularly relevant to, I think, most of the people in this room, whether you are part of the response team or not. There's often, especially these days, a lot of pressure to have answers, and you're not always gonna have the answers, especially not in the beginning, and most of the timelines for notification are gonna hit before you know anything, or before you know everything, especially before you know everything. You may not even know anything, you just know, like, it went down, that's it, that's all I got. But it's important that wherever you fall in that food chain, wherever you sit in this

ecosystem, when you own the information that someone else needs, that you are honest about what you know and that you don't guess. Some of the biggest problems you see are when companies and organizations put out statements saying "this is what happened," and they're wrong. They come back a week or two later and they say, "just kidding, it's bigger than that. Oh, just kidding, it's big. Oh wait, now it includes all this other information, sorry, we didn't know anything, it turns out." But they guessed, and you don't know if that's because somebody who knew they didn't know anything felt pressured to say "oh, definitively, this is the answer, this is what we know," and then that worked its

way up to that statement that went out, or if somebody felt obligated to present information in a more definitive way. You don't know, again, unless you're inside a company, but make sure that wherever you are in that chain you are passing along accurate information. You're not guessing, you're not speculating. This is one of the biggest problems that causes legal liability, that causes extended news stories: one headline turns into 10, 15, 20 because you're guessing. That's really important. Audiences: this is part of what we talked about in building those tools, in that stakeholder analysis. You're gonna have audiences that you have to talk to. There's gonna be compliance requirements, there's gonna be notification requirements that you are

bound to, 72-hour notifications from, pick your new regulation du jour: GDPR says this, California's new law says this, New York's DFS regulation says this. Like, there's this enormous patchwork quilt that just sucks to try and dig through, and that's why you have really good lawyers. They will tell you who you have to talk to. Based on all of your vendor contracts, who do you have to talk to? Some of them you'll have to talk to in 72 hours, some of them you won't, but some of them you will for certain situations but not for others, so someone has to help you navigate that legal requirement. Everyone else is a gray area. Everyone else is a "who should I tell," not

who I have to tell, but who should I tell? Who is going to be so much happier in this situation if they hear it from me directly, not if they read about it somewhere else or if they hear a rumor from someone else? That's a gray area, and that's part of what you try and sort through in that analysis piece ahead of time, so that you know, "here are all of my gray-area people and organizations, stakeholders, who do I have to talk to based on the facts of this situation," and that helps you navigate that situation. Drafting messaging and delivering appropriately: this is the "what do you say." Your lawyer will tell you who you have

to talk to and what you technically have to tell them. My job is to tell you how to say it so that that person actually takes the information and appreciates the information. I mean, nobody appreciates this kind of information, but you can say something like a lawyer to me and I'm gonna want to, like, punch you in the face for saying it, or you can say something like a functional human being and I'm gonna be like, "oh, that sucks, okay, keep me posted." There's a big difference in that reaction, and that plays out in the broader company space too, with whoever you're talking to, whether you're telling companies or board members or investors or partners, whoever that is. Telling people like a

human makes a really big difference and goes a long way towards not just generally making everyone mad at you, because angry people like to sue you, and that makes this whole thing blow out of proportion. Any Legally Blonde fans here, by any chance? You know, "happy people don't kill their husbands." It's kind of the same thing: angry people sue you in large, large numbers. So we try really hard to manage those relationships and keep everyone from, like, hating you en masse. Expectations is a big piece here. I'm clearly pointing at this because I did learn that I should not walk over there and point at "manage expectations," so I'm trying really hard

to stay right here. Managing expectations is the key, and we've touched on it in basically every piece that we talked about here. Managing expectations, because it's a cyber event, means that you're making sure from the very first time you open your mouth or you write a letter or you talk or notify anyone that you are managing their expectations to the fact that this isn't the end, this is just the beginning. But you've got it, it's under control, you have the right people and you're doing the right things to figure out what happened, to fix it, and to make sure it doesn't happen again. But you're making sure that they understand there will be additional information that

comes out over time, that this is not the final answer. And that's the big mistake that I was referencing before with companies. You know, you look at the big OPM breach from a few years ago: "no, no, it was just this many," and then a week later they came out and said "well, maybe it was like 10 million," then they came out later, "maybe like 17 million," and then somebody testified in front of Congress and it was a different number, and then the final number was even bigger than that. Yeah, that person lost their job because they guessed too much. You want to make sure, again, in the beginning that you are setting up that expectation so that when

you have updated information, somebody says "thanks for the update" and not "why are you changing your story?" It's a very nuanced distinction, but it means the world when it comes to managing your reputation and preserving trust. You want people to trust you and to trust that what you're saying is credible, and if the answer is "I don't know anything yet," you tell them that. They're gonna believe you, because you don't know anything. You want to make sure that you are executing this plan in a way that actually holds on to that piece. This is one of the biggest pieces that gets dropped if you're just relying on somebody else to do this who's using the

wrong playbook. Your playbook in the cyber space has to manage those expectations more carefully than just about any other time, so that's a big piece to hold on to. All right, we're gonna go through a couple of fun examples here, the good, the bad and the ugly, and I acknowledge this needs to be seriously updated, because pretty much every time you blink there's like seven more things that could go up here. So some of these are gonna be a little old, but they're on here for a reason. So, the good: yay, Home Depot. Not new anymore, feels like it happened 200 years ago. It didn't, it was not a hundred years ago. We're gonna start with that one because

they came right on the heels of Target, which is sort of one of the first big "what is this data breach thing" moments for the general public. Home Depot came right after them, so they had the benefit of not being first, which is nice. The best quote I heard at a New York conference recently was "the early bird gets the worm, but the second mouse gets the cheese." Home Depot was the second mouse, Target was the first mouse. So Home Depot came out and they didn't say "here's what happened," they didn't say "we have our hands wrapped around this, we know what happened, here's what it is, we're fixing it." They balanced right,

accurate, correct information and saying something really fast. Again, it's that statement that says lots of things really fast but doesn't actually say anything wrong, because it doesn't actually say anything that's important. And they reached out to people quickly, they kept the information flowing, they kept everyone updated throughout the process, and they worked and made changes to start restoring trust quickly. That helped. They're still an example, we still talk about them, it was a thing that happened, but they're on the good end of that because they managed relationships well. In a different way, Maersk, the global shipping company, everywhere, touches everything, probably ships everything you've ever heard of or ever touched yourselves, all around the world, completely, completely shut down by NotPetya.

Completely lost everything. Like, there's some great articles out there giving really interesting color that's just fascinating, assuming you weren't the ones sitting in the middle of it, about how they handled it. From a communications perspective, from a reputation perspective, they were brilliant, because they focused on their customers. They prioritized customer relationships and execution, if you will. They put out commander's intent, so we call it, the executive side: "here's how this is gonna go, we are delegating authority because we can't tell you anything ourselves, because we're just on our asses right now." But they sent out authority to everyone at every port and every little endpoint that they worked with and said, "figure it out, don't care how, don't care

what it costs, just do it." So you had people at ports all around the world, points of entry all around the world, using sticky notes, using handwritten ledgers to try and figure out what was in trucks, what was going places, using social media to communicate. And they lost a ton of money, a ton of money, hundreds of millions of dollars, but the loyalty they gained from their customer base by handling it the way they did will pay off in spades. Those are going to be customers for life, and life in life. It's that reputation piece, and thinking about that, the way they handled it is just textbook of how you put the right priorities first.

So they had their team figuring it all out, cleaning everything up, trying to get back online, and at the same time you had people actually out there on the ground making things work anyway. It was amazing. So, the bad. The bad: Yahoo. Make up your minds, what happened, how much happened? This is one where you clearly just kept changing the story. It just kept getting bigger, and it kept getting worse, and there was no expectation that it was gonna get worse, because every time it was "no, here's what happened. Nope, okay, no, for real, this is what... okay, sorry, wait, for real, this is really, really what happened." Nobody believes you then. They lost valuation

when, you know, they were in a merger, when they were acquired. They did not balance anything about right and fast, they just shot out the door, guessed at numbers, they were wrong, they kept digging, because it kept happening over and over and over again. Expectations were not managed at all that this might change. And one of my favorite ones, their response to "what are we gonna do about this" was "you guys should change your passwords." Thanks. Like, it's the cyber version of super victim-blaming. Nobody likes that, especially not the victim, especially not when there's, you know, a billion victims. Nobody likes that, that's a lot of angry people. So the DNC, this one's a little different,

clearly not jumping into the politics and the specifics of what came out or when, PS go vote, but this was a personal email. How it happened, you know, phishing link. You can train people as much as you want, they're still gonna click on stuff, like, they're just going to. So all of their emails got out there, super embarrassing, all kinds of strategy, all kinds of things being written down that should not be written down, conversations in systems, and it just kept coming. It didn't all come out at once, it just kept dripping. That drip effect is a huge problem in crisis communications, because it's what takes that one story and turns it into 50 and

makes those 50, like, election-altering. Like, it just keeps happening. It's still embarrassing regardless of how they handled it, regardless of what they did. Personally, it was embarrassing for individuals; professionally, it was embarrassing for the organization. Again, it's not always the data that you think you should protect that is the most damaging; you have to protect it all. And the ugly, obviously, Equifax. I feel like it would be malpractice if I didn't mention Equifax, but you start to feel bad after a while, like you can only dance on someone's grave so many times, but they're just so textbook of everything that went wrong. They just didn't... they literally knew about it months before they told us. It's kind of a

problem. Why did you wait that long? "Oh, because you wanted to sell us all your stock." Cool, yeah, that makes me really happy about it. They are a textbook example of how to mismanage the communications of a response so badly that literally everyone hates you. It's not really good for business. Clearly they're still in business, they're still moving, but if you think about all the things that went wrong, like, they set up a website and then it crashed, and set up a website, it crashed, it went wrong. They were telling people "here's a free service that you can use, oh, by the way, we run that service, we're not gonna tell you that." I mean, it just kept going.

None of their customer-facing response was good. In their initial statement that they put out, the very first thing, if you read that statement closely, was "oh, we are so sorry this happened to us." What? Nobody cares that this happened to you. Everyone cares that it happened to us. Never start by telling us how bad you feel for yourself. We don't care, we are the victims. You should be a partner in this victimization with us, you should not do something that makes us look at you as the bad guy. That is a problem. That is another one of those nuances when it comes to reputation: if you are handling something in a way that turns the whole narrative around and makes you

the bad guy in the situation, you've clearly done something wrong, and that is a very tough ship to turn around. So I put Target on here. Target has done, I believe, an amazing job since this happened in 2013 of building out a secure... making themselves secure, if you will, making all of it secure. They've done tons of stuff, they've led lots of changes, all of that's great. But if you look at everything they did in that moment, it's everything that's wrong. They also were the victim of being the first mouse, which sucks, clearly, if you're the first mouse. Home Depot benefited from it, again, like we said, they weren't the shock value that Target was. But I leave

Target on the ugly slide, if you will, because we are still talking about them. They are still the thing we point to to say "textbook bad response." Maybe not now, maybe now they would handle it beautifully, but then they didn't, and they're still there, which again, if we're still talking about how bad you are at crisis response and it's been five years and everyone else has been worse since then, that sucks for you. So you could be on the ugly slide. So, three things you can do today, because again, now you all understand why this is important, you all understand why reputation matters even if it's not your responsibility, you understand why resilience is the thing that matters

regardless of whether these are your responsibilities, and more likely than not they aren't, which is fine. Even if you're in charge of incident response planning, you're part of that team, you're part of the incident response team, all of this isn't gonna be in your AOR, and that's fine. But you should start asking the right questions. You need to make sure that somebody in your organization is taking responsibility for this, knows they have responsibility for this, and is doing it the right way, and you have a sense of what the right way is. And so you need to start that conversation to help make sure they are part of your plan, that you have plans

that work together. They may not; they may have a great set of crisis plans for all kinds of scenarios, but it may not be an effective cyber event that they've planned for. You need to help them understand that so that you can work together in that response, and it all starts with asking the right questions. Sometimes the first question is, "so who's my point of contact over here, who do we talk to over in the communications shop?" And that's great. Review your plan, whatever kind of IR plan you have or planning that you've done. Check it. If you haven't done one, good lord, go do it. Once you've done it, check it from this lens, check it from

the communications perspective. There are quick, easy assessments that can be done to just identify where you may have a blind spot, where you may not have identified a vulnerability and accounted for it. These are easy things to do, and they can save you a lot of time and a lot of, you know, weeping and gnashing of teeth in the long run. And then shifting your mindset from secure to resilient, not just for your networks but for your entire organization. You're not gonna be able to protect everyone all the time, so you want to make sure that everyone sleeps well at night knowing that whatever happens, you got it, you can handle it, because your organization's ready. That's

what makes you resilient. So I believe we have, like, 45 seconds for questions if anybody has any. Whoa, ha, okay, we'll start right there, because you've been a good participant, or not, in your head, lots and lots. I'll call on you first.

yep

Well, one way, and I'm not sure it would have necessarily worked in the DNC case because there were such sensitive political considerations all around it, but in traditional crisis communications you avoid the drip, drip by pushing it all out there yourselves. You know what they have, so you can control its release just as much as they can. Maybe you didn't want to put it out there, but, sure, it's not gonna have less of an impact if you put it all out there at once. It's like the bad news dump on Friday, is it, you know, 4:45? If you dump all at one time, nobody's gonna be able to dig through every single little piece of it,

and every little piece won't get its own news cycle. The adversary is making sure that every little piece gets its own cycle. If you shove it all out there at once, you got one or two news cycles, maybe, to dig through it, but no one's gonna take the time to make each individual piece a pain point. So dump, and dump in the ground, basically. Were there others? Yes, way back there, you're the ax T Bo guy.

right

No, I think it goes back to being transparent, being completely as transparent as you're possibly capable of being. It's not a drip, because that's the expectations management piece. A drip is what Yahoo did, where they changed their story as they had new information. That's the expectations piece, where in the beginning you say, "what we know now, we're still looking, we're still investigating, the forensics team is still on site, the FBI is still here, we've got the best and brightest on it, but we will have more information as we discover more." You know, that's not a very artful way of saying it, but that's essentially what it is. That's how you manage the expectations for "we will have

more information for you when we know it ourselves, the investigation is ongoing." You don't say "here's what happened, XYZ, done, done, thanks, bye, call me for questions." Yeah, oh, it's exactly because you only know snapshots. Another great way to describe it: you only know what you can see right there, you only know your slice of the world with the visibility that you have, and over time your visibility will grow. So you set up the expectation that when I know more, you'll know more, and there's gonna be more, so everyone sit tight. And if it turns out there is no more, guess what, there was no more. Now you're already used to what I told you, so it's not that

big of a deal. If there is more, you knew it was coming, so now you trust me as a source of credible information and not as a less-than-credible person who's changing their story over time. Does that make sense? It's that managing those expectations right there in the very beginning that is not part of a traditional crisis plan. You don't manage expectations for the next six months, you manage expectations for "I'll have the rest of it for you tomorrow, stay tuned." So, does anyone else? Two minutes? Oh, that was more than 45 seconds. Bring on all your super long questions. Yes?

Mmm-hmm. Right, it's not like 12 Christmas presents at Target. Yeah, right, it is kind of almost becoming a fact of life, and I think that there's not a lot of long-term research that I'm familiar with that says, you know, if you do it wrong here, six years from now you're probably out of business. Like, that doesn't really exist. But you look at... part of it is because some of the longer-term costs play out in the legal system. They play out in lawsuits, they play out in judgments, you know, whether it's class-action or otherwise. You know, I think I just saw a headline about, you know, Yahoo paying somebody however many millions of dollars, and it's like, we're

still talking about that. So I'm not aware of specific numbers around how that impacts, but if you look at... there's usually articles that are written about dropping stock prices, and the stock prices go back up and up and down. You never want articles written about your company and how your stock prices are, like, fluctuating wildly because you've screwed something up. So, you know, as that specific sort of reputation management side goes, those are never good. But the specific actual business financial impact just varies wildly. If you're a small, mid-sized business, this has a much bigger impact. There's some stat that, you know, 86% will actually face a significant loss of business, you know, 50% will be out of business if

something happens to them, because it's so much more trust-based and their financial, like, fluctuation is so much tighter. So, even more important if you're small. Yes?

Um, that has nothing to do with the cyber side of communications, that has to do with just general message control within your organization. You know, you have your employee handbook, who gets to talk, who doesn't get to talk, what happens if you do talk out of turn. Somebody may very well have put that doctor up there to talk, or they're in violation of a company policy, and that's always something that you run the risk of, which is part of why you monitor everything that's coming at you, because you never know who's gonna, like, leak out the sides. But that kind of a thing is just a fact of life when it comes to communications across an organization. It sucks.

You know, I was at a government organization where I was working, one of my colleagues had what he considered to be a very good relationship with all the media, even though he had nothing to do with communications. Like, he would send them daily emails every morning, or he would see their stories at like 5:00 in the morning before the rest of us did, and by the time I even got to work he had already fired off angry emails correcting like 10 of them. So we just came to a happy compromise where every time he sent one of those angry emails he would just CC me, and I at least knew what kind of... what I was gonna have to deal

with that day. You know, it's a fact of life, it ain't all sunshine and butterflies, let me tell ya. But yeah, for that kind of a situation, especially in a crisis event, it's very important to have that streamlined team in place so you can try and control that. Awareness internally makes a big difference. I think we're good, I'm gonna huck, but thank you guys very much, good luck, and I'll be around if you have any more questions. [Applause]