How do you structure incident response communications and coordination with stakeholders so that they are informed and can make decisions quickly? Have you found any effective ways to improve this aspect of your IR plan?
From my experience leading incident response services, two main points stand out. First, the problems we face have more to do with the business than the technology. Failures happen when business leaders and their organizations don't fully understand the incident response plan or their roles within it. It's crucial to communicate the plan clearly and verify that everyone knows their responsibilities. Second, regular practice and exercises are vital. Training is often forgotten if not applied regularly. Involving stakeholders in these exercises helps reinforce their roles and allows for smooth operations during an actual incident. Both maintaining stakeholder awareness of the incident response plan and having regular drills are key for effective communications.
Starting with the human aspect is a key element that’s often overlooked. Typically, we dive straight into the technology and the technical details of what's happening, but it's crucial to consider how different groups will receive the message. If I'm communicating with technologists, they're usually ready to jump into action immediately. But if the same message is sent to someone in finance, HR, or a call center, it might cause unnecessary panic, so it's essential to tailor communications to avoid alarming them. I've shifted my approach in recent years to prioritize understanding the audience and how they’ll respond to the message upfront. We must remember that we're dealing with humans throughout our processes for incident response, recovery, and business continuity.
Incident response communication has both internal and external dimensions. Sometimes, there are regulatory, legal or contractual requirements to externally communicate your status and the root causes of an incident — this is especially important for public companies if there are material harms affecting financial performance. Coordination with legal and finance is crucial for external communications. Internally, incidents often fall under attorney-client privilege, which dictates who can access the information. Having a standardized process with a trained incident handler is best practice. It helps control the narrative and prevents misinformation from spreading, so that communications can be managed effectively both inside and outside the company.