Breach Brigade

A COMEDIAN ONCE suggested that an executive's only viable option when cornered by a 60 Minutes crew is to fall to the floor and feign death. Let them in the door and you're toast; keep them out and you only incriminate yourself in the eyes of judgmental viewers.

These days, corporate security executives can be forgiven for secretly wanting to roll over and play dead themselves. Boxed in on one side by new public disclosure laws and regulations, and on the other by an ever more savvy and sensationalistic press, CSOs increasingly must find successful strategies for responding as their breaches play out in the public arena.

Thankfully, say experts, there are alternatives to chaos and panic when a physical or digital security incident (or both, as seems to have been the case in last August's power grid failure) becomes a matter of public knowledge.

Connie Emery, chief privacy and security officer at Tenet HealthSystem, is one security executive who's been blindsided by a breach and lived to tell the tale. When an internal user error sent confidential patient information to the wrong person, that individual called a local news station rather than the hospital to report the incident, triggering every CSO's worst nightmare.

"We were not aware of the problem when the media called, so that part was a worst-case scenario," says Emery. "But we immediately put our task force on it, and it wound up going very well, all things considered."

What put Tenet Health in a position to deal successfully with the unexpected? According to Emery, the company had a team identified and in place for just such an emergency; the team was quickly able to pinpoint the cause of the problem; and a C-level hospital executive was ready to deliver a clear, succinct explanation and message of reassurance to the public.

As in nearly all other aspects of security, preparedness is the watchword for successful public communication. Security officials from industries as diverse as health care, finance and transportation say the key is to have a plan in place before you ever pick up that phone to find a reporter or irate business partner on the other end.

Every company should have an incident-management plan, and every company's incident-management plan should include a communication component to help determine who gets told what, when and how once a breach has occurred. "If you don't have a plan up front, you're going to misfire," says Michael Rasmussen, a Forrester Research analyst who specializes in security. "You need to have public relations in place. Otherwise, you communicate too much or communicate inaccurate information."

That means that, in all but the very smallest companies, a communications professional, public relations expert or, in a pinch, human resources executive should be included in whatever team is assembled to address a security incident.

It might seem counterintuitive to ask a professionally close-mouthed security executive to cozy up with someone whose job is to talk all day long. But CSOs say a public relations executive can be security's best friend. "A good communications person will indirectly promote your own goals. They'll be your champion," says John Melia Jr, chief risk officer at Home Loan and Investment Bank. "Their job is to synthesize information and say how it's important to the big picture without getting bogged down in details."

At Massport, the independent public authority that runs Boston's Logan International Airport and other port facilities, Director of Corporate Security Dennis Treece works with Director of Media Relations José Juves. The two have a relationship that's so good it verges on gushy — which is saying a lot for Treece, a 30-year army intelligence veteran who directed military security during the first Persian Gulf war.

"José is a good guy. We've reached a good middle ground in the relationship between our two roles," says Treece. "My responsibility as a security person is to make sure we marshal the right resources to address a problem. His expertise is putting the right emphasis on what's happening."

"In some places there can be friction between media and security folks," says Juves. "But Dennis and I are very up front and honest with each other and with the media." For Juves, who directed communications for Massport on Sept. 11, 2001, when terrorists hijacked two planes from the airport, "Inspiring confidence in the travelling public is the philosophy that unites us. [Dennis's] job is security, which leads to increased confidence. My job is to communicate that confidence."

While they are unanimous in saying that breaches are far too variable in nature to allow for a predetermined set of procedures, the security executives we spoke to have all compiled lists of internal contacts to be mobilized as an ad hoc first-response team. For Tenet Health's Emery, that list includes people from administration, risk management, information systems, human resources, legal and corporate communications, and a privacy officer. But in each instance, a different cast of characters might be assembled depending on the circumstances.

For example, at Comerica, the financial services company, a small, core incident-response team conducts an initial assessment and then determines who should be involved, according to Julie Larson, vice president for information security, risk and awareness. A policy violation would need input from HR but wouldn't necessarily involve outside law enforcement, she says. Any physical breach would naturally involve corporate security but might also include information security if the breach (or the forensic response) also involved corporate information systems. And when an incident potentially compromises customer data, then media relations is in on the initial response team.

With so many departments covering so many different areas of high sensitivity — fraud, corporate security, IS, legal and so forth — Comerica has taken pains to iron out redundancies in the incident-response plan to reduce duplicate efforts and avoid toe-stepping once a response is initiated.

"We sat down and looked at all the different parts of the organization and asked, If this [type of breach] were to occur, what would your role be?" says Larson. "The goal was to try and minimize crossovers and duplication." She notes as well that one important "administrivia" task needs to be tended to — making sure the list of incident responders is kept up-to-date. It's a seemingly minor detail that can turn out to be decisive in the first minutes of an incident. "People come and go; they change roles within the organization. You need to keep your incident-response plan fresh. If I need to contact media relations at 2 am, I need to know I'm dialling the right home number."

Letters of the Law

When security has been compromised, containment is the first responsibility of that crack incident-response team you've put together. Simultaneously, the team will also need to determine what information must be disclosed or should be disclosed — and to whom.

On the "must" side of the equation, laws such as California's much-discussed Information Practices Act (SB 1386) increasingly play a part in determining who gets told what and when. (The law requires that companies doing business in California or having customers in the state promptly notify those customers whenever their personal information may have been compromised.)

At the same time, US federal legislation is changing the way specific industries operate. In financial services, for example, the Safeguards Rule of the Gramm-Leach-Bliley Act mandates how financial institutions design, implement and maintain safeguards for customer data. Particular sections of the Sarbanes-Oxley Act require companies to audit the controls and processes underlying financial reporting and to disclose in real time any material events that might impact a company's financial standing.

In health care, the Health Insurance Portability and Accountability Act (HIPAA) has radically changed nearly every aspect of how patient data is collected and handled by hospitals, health-care providers, insurers, doctors' offices, billing companies and others.

"When you have an unauthorized disclosure of patient health information, HIPAA comes into play, and we have to get our HIPAA experts involved," says Anthony Potter, director of security at the Forsyth Medical Center in Winston-Salem, North Carolina. "In a situation like that, it's in our absolute best interest to be very forthcoming with information. There are criminal penalties attached for not doing so."

During a breach, the last thing you want is to have any member of your response team rummaging through desk drawers or flipping through compliance manuals. To be prepared, make sure at least one member of the team is current on all of your company's legal disclosure obligations. Make sure your legal or compliance colleagues have clearly posted and explained these confidentiality laws to employees (which should also reduce the number of inadvertent breaches); and make sure your company is gathering physical and digital compliance data on an ongoing basis.

This last step should help both in detecting and shutting down a breach and, if necessary, in defending your company against potential charges of negligence. "Ensure that you're gathering information all the time," advises James Mobley, president and CEO of @Stake, an information security consultancy. "From a technology standpoint, that means log everything. You'll be able to quickly gather and examine data and understand what's going on."

It's also a good idea not to split legal hairs. Given all of the recent discussion on compliance and legal responsibilities, companies should avoid taking an overly narrow view of disclosure responsibilities. Says Forrester's Rasmussen, "If you follow the letter of the law only in California, you're going to tick off all your customers in Oregon and Washington state who'd expect to be notified too. Your incident-disclosure policy can't be so tight that it's going to hurt you."

KISS And Tell

Keeping it simple is one of the guiding precepts of effective disclosure. Tenet Health's Emery ticks off a list of what customers hear when there's been a potential breach of confidentiality: "We tell them that we have been advised of an incident that may have put their identity at risk. We give summary details. We let them know that we are investigating the incident. We offer a contact and telephone number for more information, should they have questions."

What's not on that list is just as important as what is: There are no details that could incriminate the organization or leave it vulnerable to further attacks, no specifics that could confuse or inflame customers' fears, and no information that could give the impression that the situation is not under control.

Security experts agree, moreover, that the content of your message to customers and business partners should be honesty tempered by brevity. "We try to go straight to the point," says Comerica's Larson. "We want to be open and honest, but also relieve anxiety and reduce panic. We keep to the point and give them just the information they need."

Corporate communications are most effective when they're backed by an overarching goal shared by all members of the response team. For Massport's Treece and Juves, that goal is to reassure the public that the airways are safe. For Home Loan and Investment Bank's Melia, it's mitigating risk for his organization over the long term, not just on an event-by-event basis.

"Some security people are too quick to shoot from the hip," Melia says. "If we have an ATM break, yes, that's news; but in terms of understanding business processes and mitigating risk, it's not any more [newsworthy] than dealing with bad checks or defaulted loans."

Hard as it may be to take the long view during a short-term crisis, security executives and their communications colleagues must always be thinking of the future, agrees @Stake's Mobley. "When the incident is finished, will your reputation still be intact?" he asks. "Your message should be clear and crisp and say what you're doing to minimize risk for the next time. You want to emphasize that clients have placed their trust in the right organization."

SIDEBAR: Engaging the Enemy

When does pre-emptive disclosure make sense?

You've made a big arrest. You've uncovered hostile activity before any damage was done. Is it ever wise to take a pre-emptive approach to disclosure, to brag to the world of the virtues of your crack security team?

The short answer is no, no, never and no. Security experts unanimously agree that it's never a good idea to release security news, happy or not, unbidden. But there is one clear exception: If the press is going to find out come hell or high water.

Last September, a former Guantanamo Bay translator was arrested at Logan International Airport in Boston with hundreds of CDs of allegedly classified information in his luggage. That same day, Massport Director of Corporate Security Dennis Treece informed his director of media relations, José Juves, that the man had applied for a job at Logan Airport in the days immediately following September 11, 2001.

Rather than have that fact dribble out later and overshadow the good news of the successful arrest, Juves took the news to the media himself. "That way, we were able to get ahead of the story and to put it in context," he says. "If it came out two or three days later, the emphasis would be on how Massport reacted, rather than on the arrest itself."

And it's always best, Juves says, to try to contain coverage to as few news cycles as possible. "When people see several stories on the same incident out there on successive days, even if it's positive, it starts to erode their confidence. As much as possible, we try to have all the information out there at the same time." — T MAYOR

SIDEBAR: Ready for the Close-Up

Who do you feed to the media wolves?

When there's news that needs announcing, who gets to stand in front of the cameras, talk to the local newspapers or contact customers? If you're a security officer, the answer most likely is, "Not you."

You're well-informed and your title will convey seriousness of purpose. But, unfortunately, using a security officer as spokesman can often convey unintended messages along with the right ones.

"Even if the break is significant, you're not going to see a security guy out there," says John Melia Jr, chief risk officer at Home Loan and Investment Bank. "You don't want to alarm the 80-year-old people at home watching the news."

Even if the security executive stays superbly on message, the media often can't resist the urge to play to the stereotype, says Melia. "If they see someone from the security side, they're going to want to put him in front of a fire truck and blow the story up."

Finally, there is that touchy subject of personal presentation. "There is a perception of the security guy as the one with the bad tie," Melia concedes. "And many security people still come off sounding like a cop [when put] in front of the camera."

So, should you turn to the CEO or some other C-level executive? Not necessarily. Always use a C-level signature on written communications to customers and business partners, experts agree, but save the top executive's on-camera appearances for only the most serious, life-threatening security situations.

That leaves the corporate communications person to carry most of the water. Corpcomm and media relations professionals come ready-made with bland titles that are designed to slide under the radar. They also often come with a Rolex or a set of pearls — or both.

The job of the security executive, says Melia, is to make sure the spokesman is fully briefed, and then to get out of the way. "As a security person, you shouldn't be standing in front of the cameras. Your core skill should be to ensure the correct message gets across, but you don't have to be the deliverer," he says. "Leave that to the professionals."

Stories by Tracy Mayor