Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Breach Transparency
Quick Take
On this week’s episode of Compliance Unfiltered, the guys dive deep on the topic of Breach Transparency.
- What exactly are the stakes in this buzzword-heavy topic?
- What exactly is the landscape?
- How can a company prepare in advance, and what type of help is available out there?
These are just a few of the questions Adam covers this week. Curious about proper and consolidated communication around this hypersensitive topic? The CU guys have you covered there too! All these topics and more, on this week’s Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man who is the row, row, row to your compliance boat, Mr. Adam Goslin. How the heck are you, sir? I am doing very, very well. My arms are getting tired. I can appreciate that, a man who never stops. So speaking of never stopping, let’s talk today about something that is near and dear to my heart, and that is open communication, specifically transparency around hard topics, right?
Saying the hard things out loud is oftentimes one of the hardest things to do in life. But let’s talk a little bit more specifically about breach transparency. Let’s set the stage here, Adam. Sure. So when my team said to me, they’re like, you know what we’d love to do? We’d love to talk about breach communication. The very first thing out of my frickin’ mouth was: I would fervently urge organizations to take your security and compliance seriously so that you’re less likely to become a statistic in the first place.
All that aside, let’s get into it. So we’ve all seen those companies that issue the public statements. And for some reason, man, it’s like all of a sudden I just hear Charlie Brown’s teacher going on and on about how important security and customer privacy is, and meanwhile they’re trying to explain how the hell they got breached. It typically rings hollow; it definitely does for me. For some companies it’s not even their first breach, but they took it really, really seriously this time. But anyway, what if you really do take security and compliance seriously and you still had a problem? You got hit by a zero day or whatever it may be. It does happen to some organizations, and in that case you’re in that unfortunate position of needing to make public statements about your data breach and reassuring your customers and partners, hopefully in a way that doesn’t ring hollow. There’s a right way to do it, and there are a lot of wrong ways to do it as well. That’s fair. I mean, the last thing you want to do is sound disingenuous when you’re trying to talk to somebody about an uncomfortable topic.
So what are the stakes, right, when we’re talking about breach transparency? Well, I mean, I can’t stress enough, it’s critical to get the communication right out of the gate. It isn’t just the communication that you’re sending out to news channels and customers; it’s internal communication and every kind of external communication. Your reputation and your company’s future are going to depend on getting this right. If your name just went out onto the Googler and your name’s in lights, everybody’s trying to get their information. Everybody loves a train wreck, type of thing. And so, yep, you’re gonna get busy quick. So you went from a normal Tuesday morning to, you know, fit hit in the sham. It’s not just the existing client base that’s like, hey, what the hell, and what are the impacts and blah, blah, blah, but you’ve got a battalion of people on the outside that are gonna want to know what the hell’s going on as the word’s quickly spreading across the internets, if you will, and it’s difficult to navigate the waters and keep everything together and still stay in business. The stark reality is that there’s a lot of small businesses that don’t survive data breaches. So mastering that communication across the board is a really, really big element of how organizations need to get it right.
Well, how should organizations prepare in advance, though? Well, you know, there’s many companies that get breached that simply aren’t prepared to handle what’s about to hit the fan, even organizations that are taking their security seriously. That’s why it is important to know ahead of time: what are we gonna do if we got hit by a zero day? How are we going to articulate this? What are the steps that we need to take, etc.? Certainly, having a plan in place that’s been reviewed by security experts, you do training on that plan, you’re exercising that plan, communicating that plan throughout the organization. The reality is, and this is the one thing that a lot of organizations don’t think about until it’s too late, that every single employee needs to know, what’s the plan? Because like we were just talking about, this could be a miscellaneous Tuesday morning and you just finished drinking your coffee and having a donut, and all of a sudden, all hell’s breaking loose. And that’s pretty much how it happens when it happens: you go from zero to a hundred in T minus no seconds. And so that’s not the point at which we want to start talking with people about, hey, here’s what we want to go in and do.
So, I mean, I recommend to folks walking through that plan as part of their security awareness training, included in your new hiring, but every single person on the team needs to at least have a notion of what it is they should be doing, shouldn’t be doing, things along those lines. So you’ve got some measure of control before, literally, you drop the firework into the middle of the herd of cats. Yeah, I mean, that’s a good shout.
Now, who can you rely on to help? Well, you’re gonna need a good team of people around that can give you informed, sage, wise direction based on experience about what to do, how to do it, etc. And make sure that you’re leveraging the information that you’ve got from your trusted team of experts. The moment that you discover you’ve been breached isn’t the time to go searching the, I’ll date myself here, but searching the yellow pages for a freaking lawyer or a cyber forensics expert. They used to make yellow pages. So anyway, some people are going to be chuckling and some people, what the hell is he talking about? So yeah, it’s a hell of a lot easier if you basically have the list of people already thought through. So things for folks to think through, and I made this mention a couple of different times, but I’ll stick on the legal counsel. A lot of organizations will have the person that has been taking care of their business contracts, business agreements for the last N decades, right? Just because they happen to have a title that says lawyer doesn’t mean that they have any clue what the hell they’re doing in the cyberspace. So they may be great with business contracts, but don’t have any idea what they’re doing when it comes to a breach. So specifically with the legal counsel, you’ve got to make sure that, number one, they actually know what the hell they’re doing in the cyber arena and IT arena. And more importantly, they need to understand your business. They need to understand, how do you do what you do? What types of information, data do you have? What’s the structure of your agreements with your clients? Things along those lines.
They need to have that roadmap together. That’s what’s going to arm them for being able to hit the ground running and be able to help you when the time comes. Even if you have somebody that can spell cyber as a lawyer, that’s great, but if you didn’t invest in that relationship, didn’t invest in setting the stage and whatnot with them, you’re still working from behind, if you will. Another arena is somebody that can jump into the fray. They can do cyber forensics. Depending on the organization and what all their needs are, they may need secure coding experts. They may need penetration testing experts. They may need networking experts. Certainly, there’s a plethora of consultants and assessors out there that are experienced with security and compliance matters. Those would be other good people to get into the mix, if you will.
Now, how should you communicate with your customers? This is my biggest thing here, Adam: you can only say this message the first time, right? Once. So how do you make sure you don’t screw it up? Well, first and foremost, I’ll make this amazingly clear: I am by no means a legal expert. So go ahead and rely on your legal expert for assisting with what should we do, what should we say, etc. You want to take their guidance through this process. You want to provide clear communication to your customers, to your vendors, to your partners about what’s going on, how it happened, what changes have been made, details about your overall security program. I mean, if you’re walking into this particular situation with a very strong security and compliance management program and just happened to get hit by a zero day, well, then you’ve got a really good footing for being able to articulate to your clients, hey, here’s what occurred, here’s what we put together about what’s occurred, etc. But we’ve got this gigantic machine of security and compliance that we’ve got in place, and these are the additional things that we’re going to do to make it even better, button it up, etc. That’s a really good message to be able to send out, as best you can, being sincere and genuine in the messaging with the clients so that it doesn’t ring hollow. That’s going to be a big deal.
If you’ve got that robust program, you’ve already got client-facing assets that you can leverage to distribute materials out to customers, out to partners about your overall program. The reality is any organization can have a problem, but it’s a lot easier to make things better and to quell the masses if you’ve already done your due diligence and just happened to get unlucky.
Now how much or how little transparency should one leverage? What’s the right mixture here, from your experience? Well, the customers and the general public are going to be naturally skeptical about any public statement that’s made about a data breach. The reality is that we’ve watched this beating drum of bullshit notifications out to organizations about the problem so-and-so have with their data, blah, and unfortunately that’s the backdrop on which your notification is going to be headed out. So the reality is trust has been broken, and your next steps really will determine whether you can win that trust back or not. Any sign that you aren’t being transparent or aren’t being truthful will make things markedly worse. So, open, honest when making the communication, obviously again with guidance from your legal crew: explaining what happened, how it happened, how you’re making course corrections, updates on the implementation of those course corrections, etc. Those are all good tools, leveraging the direction and the advice of your legal counsel, but at the same time, I mean, lawyers are probably going to push you with a less-is-more approach. But just do your best not to equivocate, shift the blame needlessly, evade questions. Acknowledge the impact of that breach on the customers and, in many ways, maintain accountability through that process. That’s going to be a good approach, but at the same time, every single detail that you’re providing out could be liability.
So you want to communicate effectively, but you also need to draw that line of protecting the company. I’d recommend generally to folks to be a little more cautious about the level of transparency. Don’t do it too early in the process. Get good guidance from your team of experts. Before you’re making any kinds of statements, make sure you’ve got your arms around the extent of the issue, exactly what happened, to whose data, etc.
That way you’re walking in with at least a good base of knowledge internally, and then can kind of make sure that you understand the material impacts and form that remediation plan, etc. But when you know all of those details first, then it kind of arms you with the capability to go in and provision a game plan of sensible communication that heads outbound from the organization.
Now, sensible communication is a great term, but how does one go about a consolidation of communication, right? You want to make sure that the message is uniform, right? Yeah, well, you’ve got the scenario where all hell’s broken loose, and I’m just gonna set the stage, right? We talked earlier about everybody being on the same page and understanding, and this is just an example of how things can really start going sideways very quickly. Boom, the news hits the Googler, all of a sudden it’s hitting Google while your salespeople are literally in a call with a customer, your support desk is receiving a flood of phone calls, the front desk, the main person that would answer the line for the company, is starting to get questions inbound. You’ve got all of these people that are actively fielding questions or being posed with questions from customers, prospects, partners. The customers aren’t typically heading straight to just the legal team and the CIO. They’re going to whoever they know within the organization. So when that news breaks, that’s where it’s critical to control the narrative, control the talking points. The more voices that you have in that dialogue, the less control you maintain over what was said.
As soon as you’re aware of it, immediately you should be ready to go with a notification internally, across the board, to every internal personnel about what is the process that we are adopting for inquiries from customers and other parties. Honestly, I’d put together a script for them to be able to leverage when somebody is asking a question, and have them redirect those inquiries to a central point that’s authorized to field those questions, controlling that narrative. It’s going to be important for a couple of reasons. First, it gives you control of the messaging, but on the second hand, you don’t want people opening up and saying too much too early. We talked about that just a little bit ago, about how you want to make sure you’ve got your I’s dotted, your T’s crossed, you want to understand the impacts and finalize your investigation before you’re starting to splay out the outbound responses and whatnot.
The other thing is that when you’re redirecting all of those inquiries to that central point of contact, you now have the capability also to maintain a list of who all’s asking questions, what is it they’re asking about. Once you’ve gone in from the internal investigation perspective and from the company’s perspective, once you feel like you’ve got your ducks in a row there, now you can turn back around, go over to that list, the open queue of inquiries, questions, etc., and balance those two against one another to use as input that will drive the communication approach, topics that you’re gonna wanna make sure that you hit, etc. Because a lot of times it’s interesting when you find yourself in that storm: you know what you wanna go say out to the customer, but sometimes they’re coming up with questions that you haven’t even thought of. And it is good to have that repository there that you can now leverage to drive the additional communication that you’re starting to send outbound.
Parting shots and thoughts for the folks this week, Adam. Well, do me a gigantic favor and don’t do the cross-your-fingers approach. The reality is that every organization out there could encounter a problem, even if you’re doing your due diligence, but it is a hell of a lot easier to react quickly if you’re already prepared, you’ve already done the legwork and whatnot. Do you, me and everybody a favor and don’t sit around and go, that won’t happen to me, and oh, we’re too small. I’ve heard all these excuses before: we’re too small and nobody knows that we’re out there and dah, dah, dah, dah. It doesn’t matter anymore.
It doesn’t matter. The bad guys are gonna find you. Somebody’s gonna click on the wrong thing. You could be subject to a zero day. You could be one of the unfortunate souls that happened to get hit. We were talking in a prior podcast about how they took a group of security researchers, put them all in a room and basically set them loose on some really mainline systems, software, hardware, etc. And in a span of a day, I forget, well, it was north of 10 zero days that this particular group of people, now that they sat down and just focused on it, found. They found 10 zero days in a day. What do you think the bad guys are doing? What do you think they can be coming up with, right? I mean, it really can happen to anybody. So for the folks out there, don’t take this lightly. I understand there’s always priorities for the organization, etc., but get this one on your list, go in and do your due diligence, get everything lined up in advance, have a game plan, have the right people, train your people, etc., because if you do, it will make that process substantively easier on the organization as a whole. And quite frankly, it’ll put your organization into a position that will be light years ahead of the other goofballs that are out there, droning on about how much they care about your security and compliance, meanwhile had a problem.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.