PARTICIPANTS
• Chris Jones, VP, comms, FanDuel
• Kevin Lee, VP, marketing, Obsidian Security
• Joanne Rasch, VP, corporate comms, Dragos
• Alex Thompson, CCO, Thomson Reuters
• Susan Waldron, VP, head of corporate comms, American Century Investments
• David Bowker, VP, security, PAN Communications
• Moderator: Frank Washkuch, executive editor of PRWeek
New data breach reporting regulations for financial institutions that require even more rapid disclosure timelines are making data security an urgent issue for brands. This roundtable discussion focused on how concern around data security is affecting comms broader planning and messaging to both current and potential customers.
Alex Thompson, CCO, Thomson Reuters said the topic of data breach is “front and center not just for management, but the board.” He believes the comms function is critical to keeping the focus on the facts and on the customer when an incident occurs. “When we’re in the mix, we’re ensuring that the core team maintains its discipline and manages through the incident effectively,” he said.
David Bowker, VP, security, PAN Communications said the new rules underscore the need for advanced preparation. “There's a need for everybody to have things in order and be ready to respond quickly in the event that something emerges.”
“It's good to be prepared internally and have those processes set up so you can respond and respond appropriately,” agreed Joanne Rasch, VP, corporate comms.
Top row (left to right): Chris Jones, Kevin Lee, Joanne Rasch. Bottom row (left to right): Alex Thompson, Susan Waldron, David Bowker.
Comms pros are spending more time on ensuring they are prepared. “I'm surprised how much time I spend with data security,” said Susan Waldron, VP, head of corporate comms, American Century Investments. “We're making changes so we can move fast when we need to, especially for client messaging.”
“I spend as much time talking to our compliance team and our data and technology team as I do to reporters every day,” said Chris Jones, VP, comms, FanDuel. Jones and his team established a point plan so that if a potential cybersecurity threat occurs, the team can immediately connect with management, the compliance team and the regulatory team and communicate information quickly. Keeping customer service in the loop is also critical. “For a customer-based business with a high level of friction around verification, we capture a lot of people's personal information,” he said.
Panelists agreed that transparency is paramount to handling any security breach. “The recent breach with Okta, where they delayed communication, really impacted the brand and the stock. That shows you that transparent communication is key,” said Kevin Lee, VP, marketing, Obsidian Security.
In light of a notable recent rise in hacks and data security breaches that left some of the world's biggest brands compromised, cybersecurity is an exploding market. Panelists discussed how they communicate their brand’s points of differentiation on an issue that can be confusing, complex and a bit scary to consumers.
Lee said Obsidian focuses on succinct education-focused messaging. “We try to keep it very digestible and, in layman's terms, focus on education and value versus creating fear,” he said. Despite occasional pressure from its PR firms, Rasch keeps Dragos messaging focused on “the things that we are really, truly experts in” and offering “perspective where it's helpful, not just to get our names in an article.”
Rasch cautioned that chasing the wrong media opportunities can have an internal cost by creating spokesperson fatigue. “If you push too many things they're not seeing as high value, they're not going to respect the program as much and won't be as enthusiastic about participating,” she said.
“Cybersecurity companies fall into ambulance chasing whenever there's a huge data breach,” Lee explained. “If you're not adding value to the community, you lose credibility to continue having that conversation in the future. It's important to step back and think about things before pushing a message out there.”
“Giving actual perspective is the thing that gets you continued visibility and return conversations with the reporters,” said Bowker. Emphasizing your area of expertise, establishing credibility with your audiences and being able to simplify, he said, are crucial components of comms with the media. “There's a big need for smart people at technology companies to translate what's going on in a way they can understand.”
With more interactions taking place virtually and digitally than ever before, the way consumers interact with brands is evolving. While these advances are opening new avenues for more connection between consumers and brands, they also open up the door for wider security breaches and cybersecurity crises.
Panelists discussed how these factors affect the way they plan for potential cybersecurity crises. Thompson said managing the reputation of an executive class within a digital environment, where identities are built out with data sets that are vulnerable to others, is an area his team is exploring.
While just a few years ago the idea of putting a C-suite level executive on a social media channel was unthinkable, it’s becoming more common. Jones said his team left comments turned on even though some were negative during the appearance of FanDuel’s CMO on a YouTube channel. “Every company has to develop its own comfort level with the metaverse,” he said. “I don't think anyone has this figured out.”
Another risk Thompson noted is the new entry point into the IT stack that occurs when thousands of employees are using digital platforms that can be running live in the background during the workday. “With everything moving to the cloud and new devices, it does create gaps,” explained Lee. “Some of our customers have Amazon’s Alexa connected to their network at the office to read and write emails. You have to understand your risk. Constant security awareness training is important because every employee is a vulnerability.”
Corporate communications professionals have an opportunity to assist their organizations in this regard. “Employees are definitely a risk,” said Waldron. “Partnering with the IT and data security team on internal communications is important because they have very specific objectives to cybersecurity, but we know how to communicate with people to change behavior. You need to do it in the right way and put together strategies that reinforce the outcomes you want.”
Companies that bake security awareness training into their operations and communicate that to their workforce will be the most successful going forward, said Bowker.
While the general public is aware of the risks in IT networks and with data, the risks associated with operational technology in industrial systems like manufacturing is a growing problem. “People can hack into industrial processes and take down energy grids. Ransomware is a growing problem and can affect supply chains,” said Rasch.
Thompson noted the war in Ukraine may have influenced people's awareness of how important cyber defense is at a national security level. “We redoubled our efforts and upped our communication around the events in Ukraine, knowing the possibility for cyber attacks emanating from Russia and potentially Belarus were going to be real for both our European operators and in North America,” said Jones.
“We're seeing much more proactive communication about preparation, rather than responding to major incidents after they happen. We're at a time of heightened awareness for cybersecurity. It's becoming part of conversations, consumers see it the most where it impacts them directly, such as gas scarcity prices,” explained Bowker.
While huge breaches make the news, comms pros also handle smaller breaches that can be a big issue internally. “We've had several customers experience cyber petty theft that never reached a media level. One misconception is that only big breaches are out there, but there's a lot of things happening every day the security team is involved in that require very concise communications internally,” said Lee.
All in all, panelists agreed that the risk of data breach looms large in its potential to damage a brand's reputation. “Data breaches affect the entire customer base. They feel their information is out there and out of their control. It's a very personal thing,” said Rasch.
Ripples can often be felt beyond those directly impacted. “Multiply that effect by the number of people that those impacted are going to tell and the damage to your brand can be very consequential,” said Jones.
In the end, how companies respond is critical. “Preparation to go out with the appropriate message in the event that it happens makes all the difference,” said Bowker.