Learning Objectives
By the end of this lesson, you will be able to:
- Develop crisis communication strategies that maintain stakeholder trust and confidence
- Create communication templates and processes tailored to different stakeholder groups
- Build media relations capabilities that protect and strengthen company reputation
- Establish internal communication processes that enable coordinated, effective responses
- Design communication metrics and feedback loops that improve messaging effectiveness
Introduction: Communication as Competitive Advantage
How you communicate during a cybersecurity incident often determines whether the incident strengthens or weakens your business. Poor communication can turn a minor technical issue into a major reputation crisis. Excellent communication can transform a serious incident into a demonstration of your company’s professionalism, transparency, and commitment to customer protection.
For startups, incident communication is particularly critical. You don’t have the established reputation of larger companies to weather communication mistakes. Your customers, investors, and partners are more likely to be personally connected to your leadership team. Media attention on startup incidents is often disproportionate to the actual impact. But this also means that excellent incident communication can become a significant competitive advantage.
This lesson shows you how to build communication capabilities that turn cybersecurity incidents into opportunities to demonstrate your company’s values and competence.
Understanding RS.CO: Response Communications
NIST CSF 2.0 RS.CO Outcomes
RS.CO-01: Personnel know their roles and order of operations when a response is needed
RS.CO-02: Incidents are reported consistent with established criteria
RS.CO-03: Information is shared consistent with incident response plans
RS.CO-04: Coordination with stakeholders occurs consistent with incident response plans
RS.CO-05: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
Communication Philosophy for Startups
Transparency as Trust-Builder:
- Honest, accurate communication builds long-term trust
- Proactive disclosure prevents speculation and rumors
- Clear explanation of actions demonstrates competence
- Admission of mistakes shows integrity and learning
Speed and Accuracy Balance:
- Rapid initial communication with accurate available information
- Regular updates as investigation progresses
- Correction of errors quickly and transparently
- Focus on facts while acknowledging uncertainty
Stakeholder-Centric Approach:
- Tailor messages to specific audience needs and concerns
- Prioritize communications based on stakeholder impact
- Provide actionable information when possible
- Show empathy and understanding for stakeholder concerns
Internal Communication Framework
Response Team Communication
Communication Roles and Responsibilities:
## Internal Communication Structure
### Incident Commander
**Communication Responsibilities:**
- Authorize all external communications
- Brief executives and board members
- Coordinate with legal counsel on messaging
- Make decisions on information disclosure
### Communications Lead
**Communication Responsibilities:**
- Draft and distribute internal communications
- Coordinate customer and stakeholder messaging
- Manage media relations and inquiries
- Maintain communication logs and documentation
### Technical Lead
**Communication Responsibilities:**
- Provide accurate technical information
- Review technical accuracy of communications
- Brief technical teams on response actions
- Interface with technical media and analysts
### Business Continuity Lead
**Communication Responsibilities:**
- Communicate operational impacts and workarounds
- Coordinate with customer success and support teams
- Manage vendor and partner communications
- Brief business stakeholders on operational status
Internal Communication Channels:
## Communication Channel Strategy
### Primary Channels (Real-time coordination)
- **Incident Response Slack Channel:** Core team coordination
- **Video Conference Bridge:** Always-open line for team
- **Shared Documentation:** Real-time documentation updates
- **Mobile Phone Network:** Emergency escalation and contact
### Secondary Channels (Broader team)
- **Management Email List:** Leadership updates
- **Department-specific Channels:** Team-specific information
- **Company-wide Announcements:** All-hands information
- **Internal Wiki/Knowledge Base:** Documentation repository
### Documentation Requirements
- **Incident Timeline:** Chronological record of events and decisions
- **Communication Log:** Record of all internal and external communications
- **Decision Record:** Documentation of key decisions and rationale
- **Action Items:** Tracking of assignments and completion status
Information Flow Management
Information Classification:
## Information Sharing Classifications
### Public Information
**Definition:** Information safe for public disclosure
**Examples:** General incident acknowledgment, public safety measures
**Approval Required:** Communications Lead
**Distribution:** Unrestricted
### Internal Only
**Definition:** Information for internal stakeholders only
**Examples:** Technical details, investigation findings, recovery timelines
**Approval Required:** Incident Commander
**Distribution:** Need-to-know basis within organization
### Confidential
**Definition:** Sensitive information requiring protection
**Examples:** Customer impact details, legal strategy, competitive implications
**Approval Required:** Incident Commander + Legal
**Distribution:** Designated personnel only
### Privileged
**Definition:** Legally privileged or highly sensitive information
**Examples:** Attorney communications, potential litigation details
**Approval Required:** Legal Counsel
**Distribution:** Attorney-client privilege protection required
Communication Timing and Frequency:
## Internal Communication Schedule
### Real-Time Updates (Ongoing)
- **Incident Response Team:** Continuous via primary channels
- **Executive Team:** Immediate updates for major developments
- **Legal Counsel:** Real-time consultation on sensitive matters
### Regular Status Updates
- **Every 2 Hours (P1 Incidents):** Core team status sync
- **Every 4 Hours (P2 Incidents):** Management briefings
- **Daily (P3+ Incidents):** Stakeholder updates
- **Weekly:** Long-term recovery and improvement updates
### Milestone Communications
- **Incident Declaration:** Immediate notification to all stakeholders
- **Containment Achieved:** Update on progress and next steps
- **Recovery Initiated:** Communication on return to normal operations
- **Incident Closure:** Final summary and lessons learned
External Communication Strategy
Customer Communication Excellence
Customer-First Communication Principles:
## Customer Communication Best Practices
### Lead with Impact
- Start with what customers need to know about impact to their operations
- Clearly state whether customer data or services are affected
- Provide specific timelines for resolution when available
- Offer concrete actions customers can take to protect themselves
### Demonstrate Control
- Explain specific steps being taken to address the issue
- Show investment in additional security measures
- Reference industry best practices and standards
- Highlight improvements being made to prevent recurrence
### Show Empathy
- Acknowledge inconvenience and concern
- Express genuine regret for any impact
- Recognize the trust customers place in the company
- Thank customers for patience and understanding
### Enable Action
- Provide clear steps for customers to take if needed
- Offer support resources and contact information
- Create FAQ sections addressing common concerns
- Establish dedicated communication channels for questions
Customer Communication Timeline:
## Customer Notification Framework
### Immediate Notification (Within 1-4 hours)
**Triggers:**
- Service disruption affecting customer operations
- Potential customer data exposure
- Security changes requiring customer action
- Regulatory notification requirements
**Content:**
- Brief acknowledgment of the issue
- Initial assessment of customer impact
- Immediate actions being taken
- Timeline for next update
### Detailed Update (Within 24 hours)
**Content:**
- More complete description of the incident
- Detailed explanation of customer impact
- Comprehensive response actions
- Specific steps customers should take
- Support resources and contact information
### Progress Updates (Every 24-48 hours)
**Content:**
- Investigation progress and findings
- Recovery actions and timelines
- Additional protective measures implemented
- Updated guidance for customers
### Final Communication (Within 7 days of resolution)
**Content:**
- Complete incident summary and timeline
- Root cause explanation (appropriate level of detail)
- Permanent fixes and improvements implemented
- Commitment to ongoing protection
- Contact for additional questions
Customer Communication Channels:
## Multi-Channel Customer Outreach
### Primary Channels
- **Direct Email:** Personalized messages to customer contacts
- **Customer Portal:** In-app notifications and status updates
- **Company Website:** Dedicated security update page
- **Support System:** Integrated support ticket communications
### Secondary Channels
- **Social Media:** Twitter, LinkedIn for broad awareness
- **Customer Success Calls:** Direct outreach to key accounts
- **Partner Notifications:** Channel partner communication
- **Industry Forums:** Professional community updates
### Channel Selection Criteria
- **Urgency:** Critical issues require direct email + phone
- **Audience Size:** Broad issues use website + social media
- **Technical Complexity:** Technical details via support system
- **Relationship Level:** Enterprise customers get personal outreach
Media Relations and Public Communication
Media Strategy Framework:
## Media Relations Approach
### Proactive vs. Reactive Communication
**Proactive Disclosure (Recommended):**
- Control the narrative and timing
- Demonstrate transparency and responsibility
- Prevent speculation and rumors
- Position company as security-conscious
**Reactive Response (When Required):**
- Respond quickly to media inquiries (within 2-4 hours)
- Provide accurate, factual information
- Correct misinformation promptly
- Redirect to company's official communications
### Media Message Framework
1. **Acknowledge:** Confirm the incident occurred without speculation
2. **Apologize:** Express regret for any inconvenience or concern
3. **Act:** Describe immediate and ongoing response actions
4. **Assure:** Communicate commitment to prevention and protection
5. **Assist:** Provide resources for those affected or concerned
Media Communication Templates:
## Media Statement Templates
### Initial Press Statement
**FOR IMMEDIATE RELEASE**
**[Company Name] Addresses Recent Security Incident**
[City, Date] – [Company Name] today confirmed that on [date], we detected and responded to a cybersecurity incident affecting [brief description]. We immediately launched an investigation and implemented measures to secure our systems and protect our customers.
**What Happened:**
[Factual description without speculation or technical jargon]
**Our Response:**
- We contained the incident within [timeframe]
- We engaged leading cybersecurity experts to assist our investigation
- We implemented additional security measures to prevent similar incidents
- We notified appropriate authorities and are cooperating fully
**Customer Impact:**
[Clear statement about customer data and service impact]
**What We're Doing:**
[Specific actions being taken for investigation, improvement, and prevention]
**Additional Information:**
Customers can find updates at [website] or contact us at [email/phone]. We are committed to transparency throughout this process and will provide updates as our investigation progresses.
### Media Interview Key Messages
**Opening Statement:**
"First, I want to acknowledge that this incident occurred and express our commitment to transparency and customer protection throughout our response."
**Key Points to Emphasize:**
- Speed and effectiveness of our response
- Investment in cybersecurity and continuous improvement
- Cooperation with authorities and experts
- Commitment to customer protection and communication
- Learning and improvement from this experience
**Difficult Questions - Response Framework:**
- "I understand the concern behind that question..."
- "Based on our investigation so far..."
- "We're committed to finding all the facts..."
- "We'll share more information as soon as we can do so responsibly..."
Investor and Stakeholder Communication
Investor Communication Strategy:
## Investor Relations During Incidents
### Board Communication
**Immediate Notification (Within 1 hour):**
- Board chair and lead investors via phone
- Brief email summary to full board
- Timeline for detailed briefing
- Assessment of potential material impact
**Detailed Briefing (Within 24 hours):**
- Comprehensive incident overview
- Business and financial impact assessment
- Response actions and timeline
- Legal and regulatory implications
- Media and customer communication strategy
### Investor Update Schedule
- **Daily updates** during critical phase (P1 incidents)
- **Every 2-3 days** during investigation and recovery
- **Weekly updates** during long-term recovery
- **Final summary** within 30 days of incident closure
### Material Impact Assessment
**Factors Requiring Disclosure:**
- Significant financial impact or costs
- Material disruption to business operations
- Major customer losses or contract impacts
- Regulatory fines or legal consequences
- Reputational damage affecting business prospects
Vendor and Partner Communication:
## Supply Chain Communication
### Vendor Notification Triggers
- Shared infrastructure or service disruption
- Security requirements or changes affecting vendors
- Need for vendor assistance in investigation or response
- Contractual notification requirements
### Partner Communication Framework
**Channel Partners:**
- Impact on partner operations or customers
- Changes to security requirements or procedures
- Marketing and communication coordination
- Support for partner customer communications
**Technology Partners:**
- Integration or API security changes
- Shared customer impact
- Technical coordination requirements
- Joint communication opportunities
Regulatory and Legal Communication
Regulatory Notification Requirements
Common Notification Requirements:
## Regulatory Notification Matrix
### Data Protection Regulations
**GDPR (European Union):**
- Notification: Within 72 hours to supervisory authority
- Individual notification: If high risk to rights and freedoms
- Content: Nature of breach, data affected, likely consequences, measures taken
**CCPA (California):**
- Notification: "Without unreasonable delay" to consumers
- Attorney General: If affects >500 residents
- Content: Date ranges, data types, measures taken, contact information
### Industry-Specific Requirements
**Financial Services:**
- Banking regulators: Within 36 hours
- Customer notification: As required by state laws
- Law enforcement: If criminal activity suspected
**Healthcare:**
- HHS: Within 60 days of discovery
- Individuals: Within 60 days
- Media: If affects >500 individuals in state
**Education:**
- FERPA: No specific timeline, but "without unreasonable delay"
- State regulations: Vary by state
- Students/parents: As required by state law
### General Business Regulations
**State Breach Notification Laws:**
- Timeline: Varies by state (typically "without unreasonable delay")
- Content: Varies by state requirements
- Method: Written notice, email, or substitute notice
Regulatory Communication Process:
## Regulatory Notification Procedure
### Immediate Assessment (0-4 hours)
- [ ] Determine applicable regulations
- [ ] Assess notification triggers and requirements
- [ ] Calculate timelines for required notifications
- [ ] Engage legal counsel for guidance
### Notification Preparation (4-24 hours)
- [ ] Draft notifications per regulatory requirements
- [ ] Legal review of all notifications
- [ ] Coordinate with external counsel if needed
- [ ] Prepare supporting documentation
### Filing and Follow-up (24-72 hours)
- [ ] Submit required regulatory notifications
- [ ] Confirm receipt and compliance
- [ ] Coordinate with ongoing investigation
- [ ] Prepare for potential regulatory inquiries
### Ongoing Compliance
- [ ] Respond to regulatory information requests
- [ ] Provide updates as investigation progresses
- [ ] Coordinate with regulatory examination activities
- [ ] Document compliance with all requirements
Law Enforcement Coordination
Law Enforcement Communication:
## Law Enforcement Engagement
### When to Contact Law Enforcement
- Evidence of criminal activity (unauthorized access, data theft)
- Suspected nation-state or organized criminal involvement
- Ransom demands or extortion
- Regulatory requirements for law enforcement notification
### Communication Protocol
1. **Initial Contact:**
   - FBI Internet Crime Complaint Center (IC3) for federal crimes
   - Local law enforcement for immediate threats
   - Secret Service for financial crimes
   - Appropriate specialized units based on incident type
2. **Information Sharing:**
   - Provide factual incident information
   - Share evidence while preserving chain of custody
   - Coordinate investigation activities
   - Respect ongoing law enforcement operations
3. **Ongoing Coordination:**
   - Regular briefings on investigation progress
   - Coordination of media and public communications
   - Evidence preservation and sharing
   - Preparation for potential prosecution
### Legal Considerations
- Attorney-client privilege protection
- Voluntary vs. mandatory disclosure
- Impact on civil litigation
- International law enforcement cooperation
Communication Metrics and Effectiveness
Communication Performance Measurement
Quantitative Metrics:
## Communication Effectiveness KPIs
### Response Metrics
- **Time to Initial Communication:** From incident detection to first stakeholder notification
- **Communication Coverage:** Percentage of affected stakeholders reached within target time
- **Message Accuracy:** Corrections required / total communications sent
- **Channel Effectiveness:** Response rates and engagement by communication channel
### Stakeholder Satisfaction
- **Customer Satisfaction Scores:** Post-incident surveys and feedback
- **Employee Confidence:** Internal team satisfaction with communication
- **Investor Confidence:** Market reaction and investor feedback
- **Media Coverage Sentiment:** Positive vs. negative media coverage analysis
### Business Impact Metrics
- **Customer Retention:** Changes in customer churn during/after incident
- **Customer Acquisition:** Impact on new customer sign-ups
- **Partner Relationships:** Changes in partner engagement and collaboration
- **Market Performance:** Stock price and market confidence indicators
### Long-term Reputation
- **Brand Sentiment Analysis:** Social media and online mentions
- **Industry Recognition:** Awards, certifications, speaking opportunities
- **Competitive Position:** Market share and competitive wins/losses
- **Talent Attraction:** Recruitment success and employee referrals
Qualitative Assessment:
## Communication Quality Evaluation
### Message Effectiveness
- **Clarity:** Were messages easy to understand?
- **Completeness:** Did messages address stakeholder concerns?
- **Consistency:** Were messages consistent across channels and time?
- **Credibility:** Did messages build or maintain trust?
### Process Effectiveness
- **Timeliness:** Were communications delivered when needed?
- **Coordination:** Did internal teams communicate effectively?
- **Flexibility:** Did communication adapt to changing situations?
- **Preparation:** Were teams ready to execute communication plans?
### Stakeholder Response
- **Customer Feedback:** What did customers say about communications?
- **Employee Morale:** How did internal communication affect team confidence?
- **Media Reception:** How did media portray company communication?
- **Investor Reaction:** What was investor response to transparency and updates?
Continuous Improvement Process
Post-Incident Communication Review:
## Communication After Action Review
### Immediate Review (Within 48 hours of resolution)
1. **Timeline Analysis:**
   - Map actual communication timeline vs. planned timeline
   - Identify delays and acceleration opportunities
   - Assess decision-making speed and quality
2. **Message Effectiveness:**
   - Review accuracy of communications sent
   - Identify messages that caused confusion or concern
   - Assess consistency across channels and stakeholders
3. **Stakeholder Feedback:**
   - Collect immediate feedback from key stakeholders
   - Review customer, investor, and employee responses
   - Analyze media coverage and public sentiment
### Detailed Analysis (Within 2 weeks)
1. **Process Evaluation:**
   - Review communication decision-making process
   - Assess team coordination and role effectiveness
   - Identify bottlenecks and improvement opportunities
2. **Template and Tool Assessment:**
   - Evaluate effectiveness of communication templates
   - Review tool performance and user experience
   - Identify gaps in communication capabilities
3. **Training and Preparation Review:**
   - Assess team readiness and skill levels
   - Identify additional training needs
   - Review communication plan accuracy and completeness
### Implementation Planning (Within 30 days)
1. **Process Improvements:**
   - Update communication procedures based on lessons learned
   - Enhance decision-making frameworks
   - Improve coordination mechanisms
2. **Template and Resource Updates:**
   - Revise communication templates based on effectiveness
   - Update stakeholder contact information
   - Enhance communication tools and platforms
3. **Training Program Development:**
   - Plan additional training for identified gaps
   - Schedule practice sessions and tabletop exercises
   - Update communication training materials
Hands-On Exercise: Design Your Communication Strategy
Step 1: Communication Team Assessment
Current Communication Capabilities:
- Designated communications lead: [Yes/No] Name: _____________
- Crisis communication plan: [Comprehensive/Basic/None]
- Communication templates: [Complete/Partial/None]
- Media relations capability: [Strong/Developing/None]
Communication Team Structure:
- Incident Commander (communication authority): _____________
- Communications Lead: _____________
- Customer communication owner: _____________
- Media relations contact: _____________
Step 2: Stakeholder Communication Planning
Key Stakeholders (Priority Order):
- _____________ (Communication method: _______, Timeline: _______)
- _____________ (Communication method: _______, Timeline: _______)
- _____________ (Communication method: _______, Timeline: _______)
- _____________ (Communication method: _______, Timeline: _______)
Communication Channels:
- Primary customer channel: _____________
- Emergency customer contact: _____________
- Media relations method: _____________
- Investor communication: _____________
Step 3: Message Framework Development
Core Messages (Fill in your company specifics):
- Company commitment to security: _____________
- Customer protection priority: _____________
- Transparency and accountability: _____________
- Continuous improvement focus: _____________
Key Differentiators:
- What makes your response unique: _____________
- Competitive advantages to emphasize: _____________
- Company values to highlight: _____________
Step 4: Metrics and Measurement
Communication Success Metrics:
- Time to customer notification: _____ hours
- Customer satisfaction target: _____ / 10
- Media sentiment goal: ____% positive
- Employee confidence target: ____% satisfied
Measurement Methods:
- Customer feedback collection: _____________
- Media monitoring approach: _____________
- Employee feedback method: _____________
- Stakeholder satisfaction assessment: _____________
Real-World Example: FinTech Communication Excellence
Company: 73-employee mobile banking startup
Challenge: Regulatory environment, customer trust critical, high media attention
Initial Communication Crisis:
The Incident: API vulnerability exposed customer account balances for 47 minutes
Poor Initial Response:
- Delayed customer notification (8 hours)
- Generic, defensive messaging
- No proactive media engagement
- Internal team confusion and mixed messages
Immediate Impact:
- 23% customer churn in first month
- Negative media coverage in major publications
- Investor confidence concerns
- Regulatory inquiry initiated
Communication Transformation (Months 1-6):
Strategy Overhaul:
- Hired experienced crisis communications consultant
- Developed comprehensive communication playbooks
- Created customer-first messaging framework
- Established media relations and spokesperson training
Process Improvements:
- Protocol for customer notification within 30 minutes
- Pre-approved message templates for speed
- Cross-functional communication team
- Regular communication drills and training
Next Incident Test:
The Incident: Third-party service disruption affecting mobile app for 2 hours
Excellent Response:
- Customer notification within 15 minutes
- Proactive social media updates every 30 minutes
- Personal video message from CEO
- Real-time status page with technical details
- Proactive media outreach with transparent information
Results:
- 98% customer retention through incident
- Positive media coverage praising transparency
- Customer satisfaction increased post-incident
- Industry recognition for crisis communication
Business Impact (12 months post-transformation):
- Customer trust scores: 4.2/5 → 4.9/5
- Customer acquisition: 340% increase
- Media sentiment: 89% positive coverage
- Investor confidence: Series B funding secured
- Regulatory relationship: Cooperative partnership established
Investment and ROI:
- Communication program investment: $125,000
- Customer retention value: $2,800,000
- Business growth enabled: $8,500,000
- Regulatory cost avoidance: $500,000
- Total ROI: 9,300% in 12 months
Key Success Factors:
- Customer-first communication philosophy
- Speed balanced with accuracy
- Transparency as competitive advantage
- Continuous practice and improvement
- Integration with business strategy
Key Takeaways
- Communication Is Strategic: How you communicate during incidents can become a competitive advantage
- Speed and Accuracy Balance: Fast communication with accurate information builds trust
- Stakeholder-Specific Messaging: Tailor messages to audience needs and concerns
- Transparency Builds Trust: Honest, proactive communication creates stronger relationships
- Practice Enables Performance: Regular training and exercises ensure effective execution
Knowledge Check
1. What should be the primary goal of incident communication?
   - A) Minimize legal liability
   - B) Maintain stakeholder trust and confidence
   - C) Reduce media attention
   - D) Comply with regulatory requirements
2. How should startups approach customer communication during incidents?
   - A) Wait until investigation is complete
   - B) Communicate only what’s legally required
   - C) Provide timely, transparent, customer-focused updates
   - D) Let customers find out through media
3. What’s the most important factor in crisis communication effectiveness?
   - A) Having perfect information before communicating
   - B) Using professional PR language
   - C) Balancing speed, accuracy, and stakeholder needs
   - D) Avoiding admission of any responsibility
Additional Resources
- Next Lesson: RESPOND - Analysis, Mitigation, and Improvements (RS.AN/MI/IM)
- Crisis communication templates and playbooks (coming soon)
- Media relations training materials (coming soon)
- Stakeholder communication measurement guides (coming soon)
In the next lesson, we’ll explore how to conduct effective incident analysis, implement mitigation measures, and drive continuous improvements that strengthen your security posture.