
Why Every Security Leader Needs a Crisis Communication Plan
Dr Tony Jaques
For many years, crisis management was viewed primarily as an operational challenge. Something goes wrong, the immediate issue is contained, systems are restored, and the organisation moves on.
That approach is no longer enough.
Today's operating environment is shaped by cyber incidents, social media, misinformation, artificial intelligence, geopolitical instability and rising stakeholder expectations. Organisations are no longer judged solely on how effectively they respond to a crisis. They are judged on how quickly, transparently and credibly they communicate throughout it.
In this environment, security leaders are increasingly finding themselves at the centre of crisis communication.
Whether responding to a cyberattack, critical infrastructure outage, workplace incident, misinformation campaign or reputational issue, the question is no longer whether an organisation should communicate. The question is how quickly it can do so while maintaining trust and credibility.
Crisis management specialist Dr Tony Jaques believes one of the biggest shifts in recent years is recognising that crisis management extends well beyond the immediate incident itself.
"There's a growing realisation that crisis management is about what to do before the crisis ever happens, what to do when it happens, business recovery, but also a recognition that the reputation of the organisation can be more damaged after the crisis than during the crisis."
This observation is particularly relevant for security professionals. While organisations often focus heavily on operational recovery, investigations and compliance obligations, the longer-term impact on reputation can ultimately be more significant.
A cyber incident may last days. A service outage may last hours. A reputational crisis can linger for years.
The End of the Golden Hour
One of the most significant changes facing organisations today is the speed at which information spreads.
For decades, crisis communication professionals worked around the concept of the "golden hour": the belief that organisations had approximately an hour to gather information, formulate a response and engage with stakeholders.
That window has effectively disappeared.
Social media, mobile devices, and 24-hour news cycles have created an environment in which stakeholders expect immediate communication. If organisations fail to provide information quickly, others will fill the vacuum, often with speculation, misinformation or outright falsehoods.
Importantly, this does not mean organisations need all the answers immediately.
As Dr Jaques points out, there is always something meaningful to say, even when facts remain incomplete.
"We're really sorry this has happened. We're working on it right now, and we'll get back to you as soon as we have more information."
Waiting until every detail is known may feel prudent, but in today's environment, silence can easily be interpreted as confusion, incompetence or avoidance.
Reputation Is the Asset at Risk
One of the most important lessons for security leaders is understanding what is truly at stake during a crisis.
When systems fail, infrastructure is disrupted or services are interrupted, organisations often focus on fixing the technical problem. While that remains essential, the bigger challenge is protecting trust.
As Dr Jaques notes, "When an outage occurs, the public are very angry. It's important to recognise that what's at risk is not your infrastructure. What's at risk is your reputation."
The 2024 CrowdStrike incident provides a useful example. The technical fault originated with a supplier's faulty software update, yet the organisations most affected were those whose customers experienced the disruption. Stakeholders rarely distinguish between technical causes, suppliers and subcontractors. They simply remember who failed to deliver the service they expected.
For security leaders, this reinforces the importance of viewing incidents through the lens of stakeholder impact rather than technical fault. Customers, employees, investors and regulators are less interested in who caused the problem than they are in understanding what happened, how it affects them and what is being done to resolve it.
The New Threat: Misinformation and Deepfakes
Compounding these challenges is the growing prevalence of misinformation, disinformation and AI-generated content.
Dr Jaques makes an important distinction. Misinformation occurs when incorrect information is shared unintentionally. Disinformation occurs when false information is deliberately created and distributed to influence perceptions or drive a particular agenda. Both can be equally damaging to an organisation's reputation.
The rise of AI has dramatically amplified this challenge. Manipulated images, fabricated videos and false claims can now be created and distributed at scale, often reaching large audiences before facts are established.
The solution is not to engage in endless debates or repeatedly restate false claims. Instead, organisations must focus on communicating verified facts clearly, consistently and quickly.
Trust is becoming one of the most valuable assets an organisation can possess.
Four Principles Every Security Leader Should Remember
Throughout his career, Dr Jaques has consistently advocated four core principles that should underpin every crisis response.
First, state the facts. Second, demonstrate empathy. Third, apologise where appropriate. Fourth, explain what is being done to resolve the issue.
"If you do those four things in that order and do them well, then you've established a really strong foundation for whatever else comes afterwards."
While simple in concept, these principles are frequently overlooked when organisations become consumed by legal considerations, technical investigations or operational pressures.
Dr Jaques also challenges the notion that legal advice should automatically override every other consideration. Effective crisis management requires a genuinely cross-functional response that balances legal, operational, security, communications and stakeholder considerations. Organisations that view every crisis solely through a legal lens risk protecting themselves in court while damaging themselves in the court of public opinion.
Security Leaders as Trusted Advisers
Perhaps the most significant implication for the profession is the growing need for security leaders to become effective communicators.
Modern security leaders are no longer responsible solely for investigations, guarding operations and incident management. Increasingly, they are expected to contribute to organisational resilience, executive decision making and stakeholder engagement.
That requires an understanding of communication as well as security. It requires preparation long before an incident occurs.
Importantly, preparation does not mean developing lengthy crisis manuals that sit unread on a shelf. Instead, organisations need practical, accessible response plans that clearly define roles, responsibilities and communication principles.
The organisations that navigate crises most effectively are rarely those with the largest plans. They are the ones that have thought through their response before they need it.
In a world where information moves instantly, trust is fragile and misinformation spreads rapidly, crisis communication has become a core security capability.
For today's security leaders, protecting people, assets and operations remains critical. However, protecting trust may prove to be the challenge that ultimately defines organisational resilience in the years ahead.
To hear the full podcast, see Episode 156.