Cyber Tactics
Securing Trust: Why Crisis Communication is Your First Line of Defense
Trust is lost in minutes during a crisis, and clear, human communication is the only way to win it back.

"Who You Gonna Call?" is a fun movie quote, but in a security breach, it’s the question that keeps CISOs awake at night.
Most security frameworks focus heavily on the technical side of incident response — patching the hole, stopping the exfiltration, and restoring backups. But the battle for your organization’s survival often isn’t won in the server room; it’s won in the inbox and on social media.
Crisis communication isn't just “PR's problem” — it is a functional security control. If we lose the narrative, we lose trust.
The Reality of the Panic Spiral
When an incident hits, information vacuums are dangerous. If you don’t fill the silence, someone else will — usually with rumors, fear or bad data.
Effective communication does four things immediately:
- Kills the Panic: It gives employees and stakeholders a "north star" to follow.
- Protects the Brand: It shows you are competent, even if you are currently vulnerable.
- Clears the Airwaves: It stops the Incident Commander from being bombarded by "What's happening?!" emails so they can actually fix the problem.
- Beats the Clock (and the Fines): Whether it's the SEC's 4-day rule, GDPR's 72-hour window, or HIPAA notifications, the regulatory clock starts ticking the moment you confirm a material incident. You do not want to be drafting legal notifications from scratch while your hair is on fire. A solid comms plan ensures you meet those hard deadlines, preventing an operational crisis from turning into a massive regulatory penalty.
The Playbook: What Actually Works
We all know we need a plan, but a 50-page binder that gathers dust isn't a plan; it's a paperweight. A usable strategy focuses on agility over perfection.
1. Accuracy Over Speed — But Not by Much: There is massive pressure to "say something" immediately. This is where companies get burned (remember the confusing initial statements from the Equifax breach?).
- The Golden Rule: It is better to say, “We are aware of an issue and are investigating,” than to guess, be wrong, and have to retract it later. A retraction kills credibility faster than silence does.
2. Define the “Wartime” Roles: During a calm Tuesday, the Marketing VP approves press releases. During a breach on a Saturday night, that chain of command might be too slow. You need a streamlined roster:
- The Truth Teller: Who finds the facts? (Security/Ops)
- The Scribe: Who writes the message? (Comms)
- The Gavel: Who has the final “Go/No-Go” on hitting send? (Legal/Exec)
3. Choose Your Channels Before the Fire Starts: If your email system is the thing that got hacked, how do you tell employees not to open email? You need “out-of-band” communication channels established now. Whether that’s a mass-texting service, a dark site hosted on a separate server, or a dedicated Slack channel — have a backup way to talk when the primary lines are cut.
4. The “Hot Wash” (Post-Incident Review): Survival isn’t the same as success. Once the smoke clears, you have to audit your communication performance just as strictly as your technical response. Did the press release take too long to approve? Did the tone of your social posts calm the waters or stir the pot? Analyze the media sentiment and stakeholder feedback honestly. Most importantly, update the plan immediately. If you don't operationalize the lessons learned, you're doomed to repeat the same fumbles next time. Don’t forget to integrate revised communications steps into your IR plan and re-train teams.
The Human Element: Don't Sound Like a Robot
ISACA State of Cybersecurity research shows the importance of communications skills for security professionals, but this is where most technical teams struggle. We want to speak in technicalities — “mitigation strategies” and “attack vectors.” The public wants to hear empathy and ownership.
If people’s data is at risk, they are scared. A sterile corporate statement feels like a slap in the face.
- Be Human: Use plain language. “We are sorry this happened” goes a long way. Legal-approved language doesn't have to sound robotic; pre-scripting human responses ensures you have alignment before the crisis hits.
- Be Transparent: If you don't know something yet, admit it. “We don't have the full scope yet, but we will update you in two hours.” However, be cautious with timelines. Only promise updates on a cadence you can realistically sustain.
- Be Ethical: Don't hide the ball. If you made a mistake, own it, fix it, and explain how you’ll prevent it next time.
Practicing the “Soft” Skills
You probably simulate phishing attacks and run disaster recovery drills. But when was the last time you ran a drill on drafting a press release while the legal team screamed at you? Integrate a comms lead into every major tabletop.
Tabletop exercises need to include the communication layer. Make the executives sit in a room and actually draft the social post they would send if the customer database leaked. It exposes the cracks in your process faster than any theoretical meeting ever will.
Final Thoughts
We can't prevent every crisis. Threats evolve too fast. But we can control how we react. When the dust settles, people might forgive a security lapse, but they rarely forgive a cover-up or a chaotic, insensitive response.
Review your plan tonight. Not the 50-page binder — the one-page cheat sheet you'd grab at 3:00 a.m. If it doesn't exist, you just found your next project. If it does exist, does it work? If not, fix it now.