Security Roundtable’s editor in chief, Tim Moran, recently sat down with René Bonvanie, chief marketing officer at Palo Alto Networks (securityroundtable.org’s parent company) to talk about crisis management and communication strategy in an era in which data breaches and worldwide threat incidents are common news headlines. Read on for strategic information about processes and actions you should consider when building a crisis playbook or triage team, and more.
Tim Moran: Crisis management and communication is something I know every management team, including the team at Palo Alto Networks, is very serious about. Of course, a corporate crisis can be something other than a cyber breach. But as a purveyor of cybersecurity, there are really two angles to this, right? One involves customers, and one the company or organization itself. Can you explain your thinking about that?
René Bonvanie: Absolutely. There are different angles that must be emphasized involving cybersecurity because there is “doing right” in terms of your customers and your employees, but there’s also the context of “doing right” for your shareholders and regulators. The perspectives can be very different, because what the law will tell you to do may or may not be in the spirit of how you think of customer relationships. The law, of course, must be followed, which crafts your strategy as much as your own beliefs. An organization must walk that fine line.
But mostly, I believe you must stay in character when a crisis hits. That, of course, gets partially shaped by regulators and legislators, who will tell you to do certain things under certain circumstances. However, that is not necessarily the case for most types of crises that can occur. The reality is, the vast majority of crises have nothing to do with a breach.
Breaches are regulated in many economies now by legislators, because breaches typically touch upon the fundamental rights of citizens and their privacy—or on the negative impact on the value shareholders attach to stock.
TM: It would seem, then, that there are so many variables and lenses to consider that crisis communication—breach-based or otherwise—is not a simple matter.
RB: Exactly. Again, in general, the guiding principle in crisis communication is to stay in character, as I’ve said. And that is sometimes very hard, because though you might have been very transparent in the past, humans have a tendency to become much less transparent when things go wrong.
There must be a guiding principle or core set of values because, if you don’t have that, the folks you are communicating with will immediately understand that something is off. If you step out of character during a crisis, they will remind you that you are no longer complying with your own style and your own values.
TM: In other words, the danger is looking sneaky even though you’re not really hiding anything—it’s just that you, as an entity, are behaving differently.
RB: If, all of a sudden, your organization starts saying things in the wrong spirit, that could also be perceived as being very devious. Typically, staying in character during a crisis is also where you’re going to see a challenge with your board of directors. The board doesn’t live the relationship with customers the same way you do. And while the board oversees your organization’s operations, they aren’t part of your everyday operations like you are, so their inclinations can be very different, in times of crisis, from yours.
For instance, you might want to preserve your customer relationships at any cost, including doing things such as being very transparent and being highly factual about what happened during a crisis incident. The board might be more reserved when it comes to doing those things, especially because there is fiduciary responsibility for them.
TM: Some of the other events on the list of crises, such as a hostile takeover, shareholder activism, et cetera, are very different from cyber breaches. Can all these events be handled the same way?
RB: No. First, they all have separate playbooks. From a crisis management perspective, a company—regardless of what industry it’s in—should have more than a dozen playbooks on scenarios ranging from being breached, or a customer being breached, to investor activism, to executive departure. But the thing is, you must have overarching principles across all these playbooks. The details are different, but the structure, the process flow, is the same. The guiding principles are the same. The playbooks are different, because some of them are highly influenced by regulatory considerations. As an example, at some point, the FBI will likely show up if an organization that handles people’s personal data has been breached, and it will be part of the investigation. But for other crisis scenarios, like a natural disaster impacting an organization’s global headquarters, there’s likely no FBI involvement. That’s why the playbooks must be separate.
TM: What about assembling a triage team for crisis? Could you talk a little bit about how that works, especially if a breach is involved?
RB: One of the top things an organization has to figure out is the management structure when it comes to crisis. The bottom layer is crisis communication, triage, where you look at the fundamental elements of what it takes for something to get escalated. That team, I think, should have at its core somebody whose entire job is corporate risk management, along with a corporate communications lead and a chief legal officer. Those are the three core elements of a triage team. And then, this team applies a set of principles that are part of all the different playbooks to determine whether an issue needs to be escalated to an executive crisis communication team.
TM: Can you talk about the different roles and jobs?
RB: That first layer is the crisis triage team. Their job is not to start working on the crisis itself, but to qualify whether something truly is or has the potential to become a crisis. Because there’s lots of noise. Let’s say, hypothetically, a reporter calls you up and says, “I’ve been approached by someone who says she thinks your technology is being used for political reasons in the Middle East.” That tells you there’s a risk here because that story could be highly untrue, or damaging, or both.
In that case, the escalation point in that situation would be to the triage team. They would vet whether there is sufficient risk here to pursue the case. Then, depending on what needs to be done, that can be researched. That is not the job of the crisis triage team, per se—that is suited for the executive team and the forensic experts.
This is when the crisis management would go broader. If the triage team believes there is a clear and present risk that can lead to a crisis, they will escalate this to the executive crisis triage team, which will have broader participation from others in a company. At that point, you can get more folks involved in either the assessment of the risk or the investigation that’s ongoing. And then, in certain specific cases, an organization would consider escalating to the board.
TM: Let’s talk about cyber breaches for a second. Is there just one flavor of breach?
RB: No, it’s important to have two very different flavors of breach playbooks—two very independent flavors. One is a breach of your own network and systems, and one is a breach of one or more of your customers.
TM: Can you discuss that a bit?
RB: Sure. A breach can have a variety of effects. The obvious one is that criminals can steal information from an organization’s network that is customer-specific. That poses severe security and privacy risks to all customers. At that point, it’s important to be extremely transparent with customers and tell them the story first: what happened, what you’re doing about it, what your specific risks are. Because the breach has now become an enterprise risk. The less obvious one involves the integrity of a system. Say a criminal were to steal source code and discover vulnerabilities – now, how well does your product work? The criminals don’t have customer data, but they might have a backdoor into your customers’ security infrastructure.
You can see how that is another playbook and why those playbooks must be well-developed. And they should always involve communicating to customers directly.
TM: What kind of risk or risks are involved here?
RB: There is the possibility that one of an organization’s customers is successfully breached. That has severe ramifications for that customer and for the company itself, but since the customer is at risk, they should be the first and foremost priority. Yes, the company’s reputation is at risk, too. Even the breach of a single company can have severe ramifications for all other customers, due to trust. That tells you that these playbooks need to be extremely well-developed and have a cascading set of activities that need to be deployed.
Based on what I’ve observed in the security industry, one of the most difficult things when it comes to a breach is that it’s a very asymmetrical situation. Determining that an organization has been breached is relatively easy, but knowing exactly what happened, what the exposure is and what exactly to do about it is very, very hard.
TM: Why is that harder?
RB: The public’s expectation is that all information comes at the same time. So, the recipient of a communication related to a crisis incident believes that, if you know there is something wrong, you know exactly why, what you’re going to do about it and what the impact is. But, as I said, it’s asymmetrical. It generally doesn’t work like that, where you have all the answers right away. The playbooks should have an incremental strategy for how you disperse information, because the closer you get to a resolution, the more precise you need to be.
The triage team I mentioned earlier has a very important role in vetting when something merits running a playbook, and, of course, they have vetted the playbooks themselves. And you’ve got to stick to those playbooks because, if it ever comes to an audit or an investigation, if you are dealing with crisis by the seat of your pants, you’re going to be in a lot of trouble, even if you believe you did the right thing.
TM: So, clearly, you cannot overestimate the importance of vetted and sophisticated playbooks when it comes to breaches.
RB: Correct. The playbooks should be reviewed by the board and by an organization’s audit committee because, at the end of the day, there must be oversight for the playbooks. Those playbooks then dictate how you’re going to operate, which is very important in case something happens afterward.
But therein also lies a challenge because the playbooks are mechanical. They are stripped of any emotion because, if emotion comes in, it could potentially compel you not to run the playbook. “Oh, this one is different, this feels different,” people might say. This is when even the best-prepared teams still work on an exception-by-exception basis. Somehow, they believe this situation is so different that you can’t run the playbook. You’ve got to be very careful and not let that happen. And if it’s truly the case that you didn’t have the right playbook, it is the perfect—albeit unfortunate—place to start an additional one.
TM: The final question I have for you is: what is your best advice for others in your position, anybody in the non-technical C-level, for handling a crisis?
RB: Most of all, I think you’ve got to be the first to explain. You cannot make yourself dependent on a third party, or you’ll be caught flat-footed. That is a recipe for failure. You’ll constantly be on the defensive, and your version of the story will always be snowed under.
Furthermore, you’ve got to be prepared for, and have practiced, doing the right thing first. I would say this is the religious part of crisis communication. As a team, the board plus executive management must define what the right things are to do first.
If the right thing is to “do right” by your customers, then that’s what educates all your playbooks. And that could come at the expense of other things. But if you can’t agree on that, everything else is in vain. So, to me, you must agree as a team what the right thing is, what the guiding principles are. Decide: what are those core values that will always, always educate your crisis communication?
The next thing is the process. The process starts with a very small but highly skilled triage team that works on the pre-triaged crisis with an “escape valve” called the board. In the end, though, your guiding principles stay the same. Your process stays the same. The way you play it out – and with whom you work, where you source your information, what is reasonable timewise and what is legally required – changes very much in each of the playbooks.
TM: Fascinating. Any final words on the subject? Anything you think often should be said but rarely is?
RB: The main thing I’ve seen happen in playbooks or in crisis is that ego—personal or as a company—overshadows everything. But crisis is not your opportunity to shine or show off. It requires ultimate modesty and humility. In the end, I think, if you go back to the core principle, these are most often reputational events. At the end of the day, the system has to restore a reputational issue. And in doing that, you cannot really change character, because your reputation is a reflection of your character.
TM: A great thought to finish on. René, thanks so much for your time and insight.
RB: You are very welcome.