Book:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/Develop and create the cybersecurity plan/Develop a communications plan

From LIMSWiki

5.7 Develop a communications plan

[Image: Cybersecurity and the nation's digital future]

5.7.1 Address the need for transparency in improving the cybersecurity culture

"If you look at it historically, the best ways to handle [cybersecurity] incidents is the more transparent you are the more you are able to maintain a level of trust. Obviously, every time there's an incident, trust in your organization goes down. But the most transparent and communicative organizations tend to reduce the financial impact of that incident." - McAfee CTO Ian Yip[1]

When your organization spreads the idea of improving cybersecurity and the culture around it, it shouldn't forget to talk about the importance of transparency. That includes the development process for the cybersecurity plan itself. Stakeholders will appreciate a forthright plan development and implementation strategy that clearly and concisely addresses the critical information system protections, monitoring, and communication that should be enacted.[2][1] Not only should internal communication about plan status be clear and regular, but greater emphasis should also be placed on promptly informing affected individuals of cybersecurity risks and incidents. Of course, trust can be indirectly built up in other ways, such as ensuring training material is relevant and understandable, improving user management in critical systems, and limiting communication barriers between people.

5.7.2 Determine guidelines for everyday communication and mandatory reporting to meet cybersecurity goals

Sure, your IT specialists and system administrators know and understand the language of cybersecurity, but do the rest of your staff know and understand the topic enough to meet various cybersecurity business goals? One aspect of solving this issue involves ensuring clear, consistent communication and understanding across all levels of the organization. (Another aspect, of course, is training, discussed below.) If everyone is speaking the same language, planning and implementation for cybersecurity becomes more effective.[2] This extends to everyday communications and reporting. Tips include:

  • Clearly and politely communicate what consequences exist for those who violate cybersecurity policy, better ensuring compliance.[3][4]
  • Consider developing and using communication and reporting templates for a variety of everyday emails, letters, and reports.[2]
  • Don't forget to communicate organizational privacy policies and other security policies to third parties such as vendors and contractors.
  • Don't forget to communicate changes of cybersecurity policy to all affected.
  • Be flexible with the various routes of communication you can use; not everyone is diligent with email, for example.

5.7.3 Determine guidelines for handling or discussing sensitive information

Safely and correctly working with sensitive, protected, or confidential data in the organization is no simple task, requiring extra precautions, attention to regulations, and improved awareness throughout the workflow. In the clinical realm, organizations have PHI to worry about, while forensic laboratories must be mindful of working with classified data. Most businesses keep some sort of financial transaction data, and even the smallest of businesses may be working with trade secrets. These and other types of data require special attention from those creating a cybersecurity plan. Important considerations include staying informed of changes to local, state, and federal law; being vigilant with any role-based access to sensitive data; developing and enforcing clear policy on documenting and disposing of cyber assets that hold such data; and developing boundary protection mechanisms for confining sensitive communications to trusted zones.[3] Cybersecurity standards and frameworks provide additional guidance in this realm.

5.7.4 Address incident reporting and response, as well as corrective action

As discussed earlier, fostering an environment of transparency with regard to cybersecurity matters is beneficial to the business. By extension, this includes properly disseminating notice of cybersecurity risks, breaches, and associated responses. Steve McGaw, the chief marketing officer for AT&T Business Solutions, had this to say about it in 2017[5]:

When a breach is revealed, the attacked company is portrayed not as a victim, but as negligent and, in a subtle way, complicit in the event that ultimately exposed partners and customers. In short, it's clearer than ever that cyberattacks can have an existential impact on companies. If customers don't trust a company, then they simply won't do business with them. These types of brand implications are indelible, and a communication strategy is invaluable.

This is where you decide how to communicate cybersecurity incidents and respond to them. McGaw and others offer the following advice in that regard[2][1][5][6]:

  • Organize an incident response team of IT professionals, writers, leaders, and legal advisers, and together develop protocols for how the revelation of a cybersecurity incident should be handled, from the start.
  • Ensure that, once a breach is identified, the issue and its likely impact are clearly understood before communicating it to stakeholders. Communicating a hastily written, vague message creates more problems than solutions.
  • Provide messaging on the solution (corrective action), not just the problem. Sometimes the solution is complex and difficult, but it's still beneficial to at least let stakeholders know action is being taken to correct the issue and limit its impact.
  • Consider the use of playbooks, report templates, and training drills as part of your communication plan. Practice resolving security incidents with your assembled incident response team, and seek outside help when needed.
  • When crafting your message, avoid jargon, use clear and simple language, be transparent (avoid "may" and "might"; be up-front), and keep your business values in context with the message.
  • Don't forget to extend transparent messaging to internal stakeholders.

5.7.5 Address cybersecurity training methodology, requirements, and status tracking

While the topic of cybersecurity training could arguably receive its own section, training and communication planning go hand-in-hand. What is training but another form of imparting (communicating) information to others to act upon? And getting the word out about the cybersecurity plan and the culture it wants to promote is just another impetus for providing training to the relevant stakeholders.

The training methodology, requirements, and tracking used will largely be shaped by the goals and objectives detailed earlier, as well as the budget allotted by management. For example, businesses with ample budget may be able to add new software firewalls and custom firmware updates to their systems; however, small businesses with limited resources may get more out of training users on proper cyber hygiene than investing heavily in IT.[2] Regardless, addressing training in the workplace remains a critical aspect of your cybersecurity plan. As the NRECA notes[3]: "Insufficiently trained personnel are often the weakest security link in the organization's security perimeter and are the target of social engineering attacks. It is therefore crucial to provide adequate security awareness training to all new hires, as well as refresher training to current employees on a yearly basis."

You'll find additional guidance on training recommendations and requirements by looking at existing regulations. Various NIST publications, such as Special Publication 800-53, Special Publication 800-171, and the NIST Cybersecurity Framework, may also provide insight into training.

References

  1. Lago, C. (10 July 2019). "How to implement a successful cybersecurity plan". CIO. IDG Communications, Inc. https://www.cio.com/article/222076/how-to-implement-a-successful-security-plan.html. Retrieved 21 March 2023.
  2. Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 21 March 2023.
  3. Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 21 March 2023.
  4. "How to Develop A Cybersecurity Plan For Your Company (checklist included)". Copeland Technology Solutions. 17 July 2018. https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/. Retrieved 21 March 2023.
  5. McGaw, S. (2017). "Breaching the secret to cybersecurity communications". The Public Relations Strategist (Spring 2017). Archived from the original on 15 August 2022. https://web.archive.org/web/20220815122956/https://apps.prsa.org/Intelligence/TheStrategist/Articles/view/11873/1152/Breaching_the_Secret_to_Cybersecurity_Communicatio. Retrieved 21 March 2023.
  6. Hamburg, I.; Grosch, K.R. (2018). "Chapter 4: Aligning a Cybersecurity Strategy with Communication Management in Organizations". In Peña-Acuña, B. (ed.). Digital Communication Management. IntechOpen. doi:10.5772/intechopen.75952. ISBN 9781838814908.