Successfully resolving a major cyber incident takes more than shutting down the hackers. There’s still the nontrivial matter of restoring business capabilities and making improvements, coordinating with a wide range of stakeholders and remaining mindful of legal obligations and pitfalls.

All of which brings us to Communications, the last category of the NIST Cybersecurity Framework’s Recover function, and of the Framework itself. If the topic sounds familiar, it’s because NIST also includes a communications category within the earlier Respond function (check out our December 2016 Cyber Tactics column, “Having Your Say in Cyber Response”).

So, what’s the difference between communications during response and those during recovery? Although there is some overlap, response communications tend to focus more on the people and information needed to investigate, assess, contain and mitigate a specific incident. Recovery communications are geared towards coordinating the efforts that will satisfy post-incident response legal obligations, manage public relations and repair business capabilities and reputation.

Let’s consider recovery communications as analogous to having just filmed a movie. Specifically, an intense drama, with a chance of a sequel. The actors have gone home, but much work remains.

Roll the Closing Credits

After the final scene, the filmmakers have contractual obligations to acknowledge a long list of people, businesses and locations, and the lawyers then finish the credits with notices and disclaimers. Compare incident recovery, where there often are numerous requirements (or simply good business reasons) to identify and notify a diverse set of individuals and entities, usually in a pre-defined order.

As NIST notes, recovery efforts must ensure that internal stakeholders (including “IT teams, incident response personnel, senior management, business unit owners, legal, Human Resources, privacy representatives, [and the] board of directors”) have enough information to “understand their responsibilities during the recovery stage and... maintain confidence in the recovery team’s abilities.” Carefully prepared communications also get sent to external stakeholders, such as “CSIRTs [Computer Security Incident Response Teams], business partners, customers, regulators, credit reporting agencies, law enforcement, press/media, analysts, [and] insurers.”

Award for Best Editing: Lawyers

When it comes to sharing network intrusion information, the legal team often decides what stays in and what falls to the cutting room floor. As NIST observes, “what may be said to whom and when will require extensive legal planning and advance discussion,” with an understanding that “providing too much information or inaccurate information may do more harm than good, and insufficient information sharing could lead to further harm to the organization’s reputation.”

Write a Hollywood Ending

Directing a great film requires a great script, a great cast and plenty of rehearsing. So too in incident recovery. Security professionals and business leaders should assemble a multi-disciplinary team of employees and advisors to develop, test and, if necessary, execute the communications portion of their company’s incident recovery plan. If everything goes according to plan, instead of riding off into the sunset, you’ll actually get to go home before the sunset.