
if I put it down and you can't hear me let me know and I'll pick it back up so hi nice to see you all my name is Lauren and as was quickly said I run daily malar strategies which is a strategic communications firm and I want to give you a smidge of a background on why in the world that's relevant for here today because it sounds like I just took a wrong turn and ended up at the wrong conference but I do that all the time and this is one of my favorite things to do is to take what I do and talk to people who do what you do because in reality we should know a lot more about
each other and then we'd all be a lot better at what we do which is kind of the point so I started dealing - trotta G's about three and a half years ago my whole the first ten years of my career was down in DC doing security communications with the government in different cool roles and sitting in different cool buildings and working at different cool agencies and then enough of that came up here started doing corporate communications in New York City and quickly learned that I was bored out of my mind because if you have ever done corporate communications it is boring as hell so learned a lot really awesome missed the security missed linking those two
parts of my life together love the communications love the security and this is where we landed this marries all those worlds and it's been such a fun space to play in so I mostly work in cybersecurity communications so a lot of Incident Response stuff and a lot of stuff that falls outside of that space in me internally how can we communicate better between our team and the rest of the organization how can we communicate better with the board how can we communicate better externally with our customers so that they understand what we do and why we do it better than that guy over there because in reality we all use the same words and we all sound
alike to pretty much everybody that we're selling stuff to so that's where I spend a lot of this time and the piece of all of that that I want to touch on here today it's something that I've noticed becoming an increasingly important and relevant thing when talking to different clients and working with different organizations because a lot of the challenges that people have especially and I don't like saying we're doing crisis communications Werner in cyber because half the time it's not a crisis and everyone just thinks it is so when we're doing incident response communications that can cover a variety of things the heart of what really makes something successful and what you're seeing become an increasing challenge is
that organizations are responding to events in a way that causes them to lose the trust of the people whose trust matters to the very heart of what their organization does so we're gonna get into that a little bit here but essentially you lose the trust of the people who matter and who come to you as customers and clients and whatever form that is and how in the world can you keep that from happening in your role when your role is not the PR guys sitting on the other side of the building talking to the media all the time and we're gonna talk a little bit about what the trust piece is the security piece is how they overlap
together and what you can do in your role unless you anybody here actually sit in a communications or marketing role because if so you actually took a wrong turn you you really did mean to be somewhere else so I I don't talk to those folks because they already get this they already think they know what they're doing I like talking to you because quite often your ass on the line when something goes wrong so let's make sure you understand how to make it go right across the organization and how to provide information into that process that makes everything more successful on the other end so that's where we are trust and security not often two things in
their traditional sense that come together but both of them are so incredibly critical to keeping an organization going and will interchange business company organization I don't care if you work at a school I don't care if you work at a non-profit I don't care if you work at an enterprise a small business it doesn't matter this piece of that is gonna be shaped like you but foundationally it's gonna be the same as everybody else so bear with me on the vocabulary I also say cyber not InfoSec if that offends you there's a room downstairs all right so trust in security okay this is older than me believe it or not I just hit my 40th birthday so I
feel like I walk into any room and I'm like yep grandma's here what's up how you guys doing so this is how I view so many different organizations so many different companies you go in you've got trust and it's all and nice and neat and it's in the little PR and marketing and comms side of the house and it's all shiny and pretty and then their security is like get out of the way I'm in the trenches I'm getting down and getting dirty I'm fixing stuff and they have to be linked together so we're gonna talk a little bit about both I want to start on the security side and bear with me we're gonna do a lot of what I think is very
logical stepping through these different things so the objective of security that's a company an organization a school whatever is to protect the organization it's very easy to think that it is simply to protect the network to protect the system to protect this device this thing but in reality you are part of a larger functioning ecosystem within your company that all has to work together to protect itself at any point at any point in time so the overall objectives for security has to be a broader wider view than just the thing that's right in front of you and the more that you can understand about that broader view even if you're only responsible for the thing in front of
you the more you can understand that wider view the better off you're gonna be at protecting that thing and helping the overall ecosystem function in a crisis in an incident in an event whatever your word is of the day the objective from the business side is to recover with as minimal of a long-term impact as possible it's to make sure that when this is done when the dust is settled that we're still operating on the other end that that bump isn't a big bump this is when you talk about the difference between an incident and a crisis you can take an incident and you can mishandle it left right up down in sideways and turn it into a crisis but
it doesn't have to start that way but there's a difference and no matter what size or what shape the event is you're looking at the object is to get through it with as minimal of a bump possible this is really all wrapped up in the concept I know we've all heard a billion times over of everything's resilience it's how you get through it it's making sure at the end of the day everything about your organization is thriving afterwards just as much as it was thriving before that's key not just your piece but every part of the company and it means that it's not enough to just get your piece of the world your network your system clean and
up and running if you somehow to do that screwed up other parts of the business that are now no longer thriving a good example here is customer relationships that sounds completely foreign and disconnecting from anything else you're hearing in this room and that's good because then you'd be in the wrong spot but when you look at the kinds of things that you see now that are big and scary about data breaches out in the real world like in the headlines in the media the ones that you're seeing are the ones that are being handled poorly and that are becoming bigger and bigger and bigger problems and a lot of time that's related to the fact that they're
impacting and being mishandled one on one in a relationship in a communications with the customers and the people who are directly impacted so it's not enough to just handle your piece of it if you in doing so you manage to screw up everything else that's not resilience so we talked a little bit about the actual costs of a data breach and where this actually links in we're moving here kind of quickly because this is a 30 minute talk that's usually an hour so you're welcome I cut out like four slides that I'm gonna talk fast so bear with me here you didn't have cookies you'll stay more awake than the rest of us or maybe
I should have had fewer I don't know so if we look at the 2019 cost of a data breach report that came out thank you very much Ponemon and IBM love that thing the average cost of a data breach this year three point nine two million okay that's a lot of money where is that cost coming from what are the different buckets one point four two million or 36% the largest bucket of what makes up that average cost is lost business lots of things go into lost business but one of the big pieces of that category is lost customers it's people who used to give you money to do something who are now choosing to give that money to someone
else and not to you that hurts your business you lose customers that hurts your business you lose all your customers you don't even have a business there were two really interesting statistics that were included in the report this year that I had not seen previously that indicate to me that other people are paying more attention to this particular slice of our world companies that lost less than 1% of their customers after a data breach had an average cost of 2.8 million dollars they saved nearly 1.1 million dollars by losing fewer customers companies that lost over 4% of their customers had an average cost of 5.7 million significantly higher so what do you think the average percentage of lost
customers is where do you think on that in that range between less than 1 and more than 4 average 3.9 percent that's how close everybody is to hitting these higher numbers and having that bigger impact just from customer loss so why is it that some companies lose and cost more and some companies lose and cost less what's the distinction it was really interesting looking at some of the others there was another study again another Ponemon study that they did 65% of breach victims said that they lost trust in the organization they specifically cited the loss of trust and of that group 27% discontinued their relationship so you find that there's a relationship there's a correlation between losing
trust and taking your business elsewhere in the context of a data breach that's the overlap there was a specific finding that the loss of customer trust had serious financial consequences for the companies experiencing this data breach and there was a relationship documented between having a strong security posture and having loyal customers and Trust those two things were related that's not an area that has been studied for years and years and years like a lot of other impact studies have done but it's becoming a more relevant thing it's becoming a more common thing and it's causing people to look at it more and I expect to see more like this in the coming years so Trust is obviously
important Trust is obviously impacted during a data breach but what exactly is it that we're talking about though it seems like one of those obvious words where no one actually knows how to define it because everyone just kind of knows what it means but if you really look at the words behind it reliability truth ability and strength of someone or something we trust that you're going to be honest and reliable and consistent and stable over and over it's foundational to your business it's all the things we just said if someone doesn't trust you they're not going to do business with you they're gonna go somewhere else it's very basic I should have said this in the beginning this is not the
rocket science lecture there's nothing rocket science about what we're doing I'm pretty sure based on all the words I understood in the last session I sat in there was rocket science down there but there is not rocket science up here it is just a piece of something that isn't that common but when you suddenly put it together with what you do and the rocket-sciencey techie cool stuff that you're working on all the time something clicks and it makes more sense so back to trust foundational your business it drives your reputation trust and reputation go back and forth they're interrelated you get a reputation for being trustworthy you have more business you grow you lose
that trust your reputation decreases you lose business you're done it says that it's as simple as that it's such a common thing in other parts of the business world to talk about that the actual term trusted consumer brand is a thing that companies aspire to think about something like Starbucks or I know Apple's a bad example it usually works in other crowds but go with me people who buy from those stores don't do it because of very specific details about the product they're getting there they don't do it because Starbucks coffee is amazing it's actually burnt we all know that but we go there anyway because it's Starbucks and it's reliable and it's consistent and it's gonna be fine
that's a trusted consumer brand people want that and it's all around I just trust your name and that's it so do you build trust if it's not important if only there was some like magical thing that we knew would lead to trust and actually build it and preserve it and grow it and oh wait yeah that's there so this this is an area that the business side of the world has been exploring for decades what causes trust what builds trust what loses trust how do you get trust back right there communication good communications builds trust talking to people how do you build trust in your personal lives how you get co-workers to trust you neighbors to trust you
teachers to trust you you talk to each other you communicate and you do it effectively you do it in a way that is consistent that is reliable that is honest and again we're not gonna jump into all these details here these are words that if you don't already know what they mean see me after we'll figure it out it's transparent its informative it means when you're talking to someone you're actually telling them information you're not just talking at them because the sound of your voice is cool and you have nothing else to say there are times and places to say nothing with lots of words that's a whole different talk also but there's a place for that and it's in this space
too but it's not part of the consistent trust building side of the house Trust is built through actions and words it's not just what you say it's how you back it up with what you do and then how you tell people what you're doing not just what you did for one person but how you told everyone else what you did so that everybody understood and believed that your actions were reliable and trustworthy good communication both in words in actions and in how you talk about those things that you are doing that's how you build trust and Trust again going backwards so it's not rocket science Trust is something that drives your business fun facts I like fun facts didn't put
any gold stars in this one but there would be stars all around here we do a lot of gold stars in my house I put ones another survey 55% of IT and data security folks thought knew that a data breach was going to negatively impact the organization's reputation I'm not sure if I should be excited that it was 55 or incredibly depressed it was only 55 it's better than 54 so we'll take it 55 knew it was going to negatively impact reputation 71% didn't think they had to care 71% it's not my job that's fine no big deal take a little step back to what we just talked about about the impacts of a data breach being driven by
the loss of trust and reputation amongst your customers do you think maybe somewhere in there there might be a reason that you should also care who gets fired who loses their job when a breach goes horribly horribly wrong is it the marketing team nope if it is whoa go somewhere else that place is weird 71% do not believe that it is their responsibility and only 18% collaborate with other functions at the organization on brand protection something as simple as making sure that our IR plan accounts for something like preserving customer trust only 18% that is a very small number of the people in this room but hey 18 is better than 17 but what could you do so that you are in
the 18 how can you make sure you're in the 18 what can you do from your role to balance the security you're directly responsible for and the trust that you are responsible for maintaining across your entire organization because that's the whole point of security we're gonna go through this part kind of quickly here I am gonna make sure we end more or less on time here I like to start with looking at an event timeline I'm really bad at graphics bear with me that little red thing right there that's an event we're call that we're gonna call that a data breach for simplicity okay we'll pretend like it's a big one because those are
easier examples so when you look at an event timeline you have the time period you know I've seen this presented a million ways left of boom whatever you want to call it like this is normal life nothing's gone wrong everything's fine what can you do in that time period something happens huh chaos reigns something happens it's hitting the fan everyone's trying not to be the one who gets fired during what can you do during and then what can you do after what can you do after probably to turn this into a circle one of these days and I'm not being lazy but what do you do after as you cycle back into that before period and things get back to
normal and you do it all again what can you do to maintain trust from your role beforehand Trust Bank Trust Bank Trust Bank there's a million different words for this too it's a very common concept in the business side of the world what can you do to build up the trust bank before it starts so that you have something to draw down when you need it having a built up stash of trust having people who already really trust you because you've proven yourself ahead of time mean that when something goes wrong they're gonna give you just enough slack to catch your breath and figure out what's going on they're not gonna be all over you immediately because they
already see I told you they weren't trustworthy they're gonna pause before they say that and that pause gives you a chance we're gonna talk a little bit more about each of these during you got a walk and chew gum at the same time same time walk and chew gum that concept doesn't mean anything to you see me afterwards we'll explain it again what it means you have to do all these things at one time you can't just be focused on fixing the incident you have to be focused on fixing the incident and communicating effectively about it to the people who need the information at the same time you have to be able to do more than one
thing at a time and then after review what worked what didn't start over fix it if you broke something along the way fix it fast if you did it great make a note of what worked so you have it for next time you're getting back into that standard normal so before building up the Trust Bank how do you do that how do you develop trust build up a positive reputation how do you pick the right words have the right actions we just talked about this it's good communication but it's a little more than that and it's a lot more than that when your role is not the person sitting over in the marketing team doing all the
talking from your place from your spot whatever shape that may be in whether you're security whether you're attack whether you're in the wrong room and you're not sure why you're here whatever your role is building up relationships internally amongst your team and amongst teams that are not yours across the organization building those relationships ahead of time because you were going to need to interact with each other when something goes wrong you're gonna need to know who to talk to on the comms team who to talk to in HR who in the world to talk to in legal and knowing all of those things because at some point something that happens will intersect with your little
slice of the world whatever shape that may be and knowing who to talk to about what at that moment is critical and having trust built up ahead of time with those individuals in those offices is gonna make or break the difference for you and what you're doing and how you're able to help service it's not just knowing people and talking to people it's actually again this I almost feel even silly for saying this it's doing your job to the best most reliable most consistent way that you know how to do it it's being known for and building up your own reputation in your own seat for good responsible reliable trustworthy service and information so that when
people need something from you in the heat of a moment they know that they're gonna get something from you that's worth getting and it's communication it's talking to people internally externally across teams across the company in a way that gives them information that they need in a reliable and trustworthy way it's not just telling them what they want to hear ignoring their questions because they're annoying because we all know different parts of your company are going to be annoying that's usually where I am but it's talking to them and it's building up those chains of communication so that they exist when you actually need them so your Trust Bank is relationships its service and it's communication and it's
doing all of those things over and over and over and then when something goes wrong relying on the fact that you've already done them and you're not learning how to do them now during walking and chewing gum same as we said before it's a focus on fixing the thing at hand while at the same time preserving the other important things of the company helping make sure that the things that need to thrive outside of your space are still thriving and knowing that the people who are responsible for the trust piece of that people who are responsible for communication because hopefully someone in your organization is responsible for communicating during an incident and if they're not talk to me afterwards we'll
have a longer conversation Incident Response communications is a very key part of this that's how you talk to all those stakeholders and knowing the kinds of information that need to be relayed at different times and the kinds of information and questions that the person in that position is going to need in order to effectively communicate is how you can help and no matter what size or shape the incident is no matter what size or shape your organization is they're always going to be answering the same exact four questions if they've been really really really smart and they've done this ahead of time you've already answered these questions with them and they're just asking you specifically which of these
which of the things applies to the the incident at hand they always need to know who am I gonna have to tell who do I have to tell and who should I tell that's a whole separate conversation when do I tell them who needs to be told immediately who can be told later Who am I required to tell by legal in the next 72 hours who do I need to tell before I tell that guy so they don't get mad that I didn't tell them first etc way more complicated than it should be how do I tell them they're always gonna be making a decision about who the spokesperson is it's not always the same
person what channel am I going to communicate this information on am I going to send out an email a notice a phone call what am I gonna do or say and what am I going to tell them what actually is happening what's the end for me what are the facts what do I know what do I not know what's the content of the thing that this person is going to tell it as magic time to this magic group answering those four questions for every specific incident is something that is not the responsibility of the communicator to answer it's the responsibility of everyone on the ground who sits and owns the information to feed into that process for that decision
and then after you review and you repeat you do the same things you see how can I take steps how can I take action that gets us back to regular order as quickly as possible because people need to get back there for this company and for this business what do I need to fix what did I do wrong what needs to get better what did I miss and you start over it's the same with any incident response plan that you're putting together the end is always review adjust repeat as necessary and you do it until you're done action matters being consistent matters not changing your story all the time not changing your information flow all the
time and put a lot of God just try not to do it again while you're still cleaning up the first stone again this is not rocket science I shouldn't have feel silly I've had to say that as many times as I have in the last few years if you've already messed something up and you're still cleaning it up try not to break anything else pretty straightforward there's there's no hidden meaning behind that it's exactly what it sounds like alright so key takeaways we just covered very quickly because I've been talking very fast a lot of step by step by step things that if you're not walking out of here afterwards going oh yeah I definitely already knew that
then good I'm glad you listen to this but if that's what you're thinking then good because linking those concepts to the work you do every day is not something that you get to do every day but knowing that all these things are connected and how is what will make you better at your piece of the world and give you a better sense of everyone else's world so that you can more effectively navigate through them whether you want to move up in the world at some point or not or whether you want to stay where you are and just get better at what you do so key takeaways good communication builds trust period end of story
would drop the mic but it's not mine before during and after good communication is always gonna matter and it's everyone's responsibility it's not just something that gets locked up in the corner you know we joke about like locking the IT team in a little closet over here while you're locking your comms team in a little closet on that side of the house it's important that everybody realizes that they have a role in communicating effectively across the organization and it you need to take time if you're not directly involved in doing it you need to take time to understand the incident response plan who's involved when are they involved at what points do different teams come in
what does it look like what's a crisis what's not who do I need to be able to give information to when I have information so that they can do their jobs more quickly and more effectively and at the end of the day we can make good objective decisions and all get through this in a clean easy way and don't be afraid to ask for help there's a lot of stuff here that is not falling squarely in your wheelhouse and if for some reason something that seemed really easy on a Monday suddenly gets really hard on a Wednesday don't be afraid to ask somebody don't be afraid to ask for help in your organization out of your
organization there are people who live and breathe this stuff and they know how to link all those different pieces of the house together in a way that matches the shape and footprint of your organization that's what matters there's no one-size-fits-all here so it's not it's art and it's science there's more science than you realize but at the end of the day it's all about risk management and making the kinds of decisions that help your business thrive that's what we're all doing anyway so Oh any questions yes I know what you got
mhm yes absolutely there's a lot of people who a lot of times you there's an increasing range of responsibilities and everyone has a little bit of a different take on like all the fancy titles I get flown around these days but it's essentially you're all doing the same kind of work but there is a nod towards the fact that this trust element has to stretch across the organization and has to be focused on by somebody because otherwise it falls down to everybody else's list there's always a bigger fire than preserving trust but at the end of the day if you don't do it doesn't matter what fires you put out anyway so yes it's becoming something that is
definitely bubbling up in the food chain so the more you understand about it regardless of where you sit in those spaces then the better off you're going to be to help not only where your company needs to be right now but where they are starting to realize they are going in the future and you can actually get there ahead of them which is kind of cool though yes those are my favorite oh
I definitely agree on the being transparent part I tend to take a slightly less antagonistic role towards the media's relationship with the world I you know their job is to report their job is to report things that aren't necessarily what you want them to report but one way and again we didn't jump into all the specifics and all the details with our time constraint what we were covering today but if we're diving into how to do crisis comms right the right way essentially 101 whether you're in a cyber scenario or not do audit us in security situations as well if you're not talking someone else is so there are a lot of things you can do along the way
to make sure that that's where you get into that I just gave you a whole bunch of words but I didn't say anything but you're gonna report all those words and then you're not going to make up your own words because I gave you my words so filling those gaps and not leaving big holes in the public conversation and in the dialogue whether it's media or social media in particular is very critical to maintaining control of the ship as you're driving along because if you're not driving it someone else will and you'd rather be on it than under it that's probably a better analogy alright thank you guys so much appreciate it [Applause]