Timely article -- Datacom's Peter Wilson just wrote a blog post on a related topic, more to the point of CIOs needing to think about PR a bit more: http://techsource.datacom.com.au/TechKnowledge/bid/153653/Do-Australian-CIOs-Need-to-Think-About-Public-Relations
Public relations and information security
Too much public relations and you can over-extend, and it can go "pear shaped". Too little and you can be branded as uncommunicative and unreasonable. For a large corporation, linking its brand to any security issue can depress the share price and bring immediate financial repercussions.
A large vendor with great responsibility, one that provides supporting infrastructure, recently addressed a zero-day vulnerability with no media release until the security patch was issued. This made security operations personnel and security-aware individuals around the globe very nervous.
Here are some guidelines to consider for your organisation:
1. Tell the good stories on a regular basis. Issue a press release when customer-visible or customer-impacting security features have been implemented. For example, if you introduce optional two-factor authentication for customers, promote this competitive advantage. Likewise, if you are a social media site, a press release announcing the successful implementation of password hashing for your database, following recent compromises at competitors, would be a good story to tell. You will note that some financial institutions even tout their fraud monitoring capabilities in television advertisements; that monitoring reduces losses for them and potential inconvenience for you. The story may be: we're making security easier for you because we're monitoring your transactions for fraud, rather than giving you extra security controls to deal with.
2. Have a social media policy and a press relations policy, and educate your employees not to speak to the media, and to "stay on the approved message" when they do. I've experienced jaw-dropping occasions where CIOs of major corporations shared "bright ideas" (un-vetted by the corporation) that could be taken right out of context by the media. If you are a senior person in information security, ask to be consulted on any press releases, advertisements or planned presentations involving security, information exchange or third-party relationships.
3. If you are communicating bad news, do it in a timely manner. Have a "canned", pre-approved, factually correct press release that states that the organisation has been made aware of a security incident, is responding via its previously established security incident management process and procedures, and will provide updates to protect affected stakeholders when actionable information is available. When information on the extent of a security incident is available, be as transparent as possible with affected stakeholders, without outlining new or existing security controls and control gaps that could negatively impact your security posture.
4. Think of the implications before you act. If there is a major decision coming up related to security, think about the public relations upside and downside as well as the legal exposure if the decision became publicly known. Before you call the cops on a security researcher or issue a cease and desist letter, think of the available options. When all else fails, quote the Google motto and "don't be evil".
Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).
- Have an incident response plan.
- Pre-define your incident response team.
- Define your approach: watch and learn or contain and recover.
- Pre-distribute call cards.
- Forensic and incident response data capture.
- Get your users on-side.
- Know how to report crimes and engage law enforcement.
- Practice makes perfect.