Developing A Security Communications Plan
written by Geoff Keston | November 2013

Inside this report:
• A New Approach to Security Communications
• The Importance of Structure
• The Importance of Style
• The Communications Lifecycle
• Recommendations
• Resource File

A New Approach to Security Communications

An antiquated understanding of security communication views the practice's main question as: "What should IT announce to the rest of the company?" This perspective has given way to a multi-departmental approach in which each department both sends and receives information. In the old scenario, IT controlled information and decided whom to permit to have it. In the new scenario, each department defines what information it needs and, just as importantly, what information it needs to distribute to its constituents (e.g., customers, partners). After all, IT does not necessarily know who would be affected if a certain application is taken down for security reasons.

This new approach to security communication has become prevalent as more diverse technologies have been put to use by a wider range of departments. For instance, employees are accessing corporate networks with personally owned mobile phones and tablets as part of bring-your-own-device programs, end users are provisioning their own services through automated programs, and social media and cloud services are being used for corporate purposes. At the same time, cyber threats have grown more diverse. Collectively, these changes have created the need for more communication about security among a wider range of people across more channels.
This increased burden is forcing enterprises to manage the delivery and organization of security information more comprehensively and carefully. Part of making this change is creating a detailed, formalized security communications plan.

The Importance of Structure

A mark of a mature security communications program is the shift away from one-time messages, such as ad hoc emails. Such messages are easily forgotten and are often hard to find after a few weeks. A good security communications plan will include sending updates and alerts as well as maintaining a repository of documentation. Creating such a repository (or a consolidated document) makes information easier to find, and it helps to link disparate elements into a unified plan. A comprehensive plan will do the following:
• Identify archiving procedures
• Establish approval processes for sending communications
• Describe legal and regulatory requirements
• Define key terms
• Define severity levels and message types
• Using the definitions of severity levels and message types, diagram who receives messages and through what means they receive them (e.g., text messages)

The plan will address the concerns of many constituents, including executives, IT staff members, and end users, as well as customers and partners. Each group has somewhat different needs, so it is helpful to structure the plan so that sensitive information is withheld from groups that do not need it and targeted information is easy for its intended audience to find.

The Importance of Style

The challenges of planning communication flows and managing the technologies that disseminate messages across a dispersed, multi-platform environment can make enterprises lose sight of how the message is presented. But the style in which messages are delivered is crucial.
"Unfortunately we the security community can be terrible communicators," says Lance Spitzner.[1] "[A]s a result this is where many awareness programs quickly fall apart. If you present the content in a boring or hard to access fashion (especially for the YouTube generation) your program will be a failure. In addition, communication is exponentially more difficult for large or diverse organizations as you have to take into consideration a variety of cultural, national and linguistic differences."

To ensure that the style of security communications is effective, it can be helpful to rely on expertise from departments such as public relations or marketing, especially for messages to be sent outside the organization. Using templates and boilerplate language can further help, providing consistency and enabling the organization to deliver a message quickly, without having to repeat the time-consuming process of writing, editing, and approving the text of a communication.

Tailoring messages to audiences based on their technical knowledge and other factors is also critical. "Some security awareness programs fail to adequately segment their audience and deliver appropriate messages," writes Chelsa Russell.[2] "This is a very poor strategy that results in messages getting ignored. Users receive hundreds of messages every day from all different directions. It is critical to segment your audience and ensure that people only get the messages they need. A one-size-fits-all strategy may be easy on you, but it will not be effective."

The Communications Lifecycle

In a good, mature security environment, communication is not a one-time event that is completed when the IT department clicks "send" on a broadcast email. Instead, communication is a multi-stage, closed-loop process that starts with identifying the need to deliver a message and concludes with verifying that the message's content was well understood. Communication is also a two-way process.
Organizations need not only to send information, but also to receive feedback from users. "Listen to the stakeholders, understand their pain and problems, compile the details and verify your understanding of the problems before locking down the requirements," says project manager Wendy Woo.[3] "You cannot understand the objectives and mission critical elements without connecting the dots and asking questions. You do not know if you are delivering the right solution without walking through the details and the intended outcome with the end users."

Feedback from all stakeholders is important. To encourage a dialogue, two processes are particularly useful:
• Conduct Routine Audits – The audit process will gather information that might not otherwise come to the attention of the security planning team. During the audit, process activities will be analyzed, employees will be interviewed, and evidence such as customer messages will be inspected. All of this information will provide useful feedback.
• Maintain a Continual Improvement Process – A formal process that lets users openly suggest changes or notify management of potential issues will help information security planners learn about problems at the operational level. This process is best managed as a closed loop in which all suggestions are logged and evaluated, and action items are then assigned to execute the recommendations that are approved. Standards such as ISO 27001 can help to structure such a process.

Recommendations

Integrate Security Communications with Other Processes

Security activities influence, and are influenced by, other corporate processes. Addressing these connected processes directly will strengthen a communications plan. In particular, the following processes relate closely to security:
• An incident management process is the formal, often automated, handling of security issues. Some incidents are reported outages or failures, and others are alerts from a system such as a firewall. These reports and alerts are part of incident management, but they are also forms of communication. Therefore, it is helpful to link incident management and communications policies.
• Security concerns overlap with business continuity and disaster recovery. Many of the preventive and reactive actions of security plans are similar to those described in business continuity and disaster recovery plans.
• Regulatory compliance is increasingly an IT function, due in part to regulations, such as HIPAA, that are heavily technology focused.

Develop Policies for Communicating with Third Parties

The need to communicate about security reaches across organizational boundaries. Organizations may tell customers about breaches of their confidential data, receive new security specifications from partners, or explain a change in their privacy policies to the media. Managing these external communications differs in many ways from handling internal communication. With third-party communications, organizations cannot dictate what processes and technologies are used. Instead, they must work with others to develop policies for communication. While some principles – like the importance of structure and style – still hold, at a tactical level organizations would be wise to be flexible about how they share information with customers, partners, and the press.

Resource File

International Organization for Standardization (ISO):

References
1. Spitzner, L. Security awareness – How to communicate. SANS: Securing the Human. Jan 11.
2. Russell, C. Security awareness – Implementing an effective strategy. SANS Institute. Oct 02.
3. Woo, W. Ten communication failures that will sabotage your project. The Agilista PM. Available online from:

About the Author

Geoff Keston is the author of more than 250 articles that help organizations find opportunities in business trends and technology. He also works directly with clients to develop communications strategies that improve processes and customer relationships. Mr. Keston has worked as a project manager for a major technology consulting and services company and is a Microsoft Certified Systems Engineer and a Certified Novell Administrator.

Faulkner Information Services. All rights reserved.
Paper for the above instruction
Developing an effective security communications plan is essential for modern organizations facing increasingly complex cyber threats and diverse technological environments. Traditional approaches, which primarily focused on IT-controlled announcements, have evolved into a multi-departmental strategy emphasizing customized, multi-channel communication tailored to diverse audiences. This shift recognizes that security information must be shared across various departments, partners, and end users, necessitating structured, styled, and cyclical communication processes that foster understanding and responsiveness.
The core of a successful security communications plan begins with establishing a clear structure. This involves setting procedures for documentation, approval workflows, legal compliance, and categorization of messages based on severity and audience. An organized repository of communications ensures accessibility and consistency, enabling swift dissemination of critical information while protecting sensitive data. Recognizing the needs of different stakeholder groups—executives, IT personnel, end users, customers, and partners—is vital, as each requires tailored information that aligns with their roles and risk exposure.
In addition to structure, style plays a pivotal role in effective communication. Security messages must be engaging, accessible, and culturally sensitive so that they neither fatigue their audience nor get ignored. Leveraging expertise from public relations or marketing can enhance message clarity and appeal, especially for external audiences. Using templates and boilerplate language ensures consistency and efficiency, allowing rapid response without sacrificing quality. Tailoring messages based on technical literacy and specific audience requirements reduces information overload and enhances engagement, particularly in large or diverse organizations.
The security communications lifecycle emphasizes ongoing dialogue rather than one-time alerts. Organizations should implement a multi-stage, feedback-driven process starting from identifying the communication need, delivering the message, and verifying comprehension. Regular audits and continuous improvement processes are essential for refining messaging effectiveness and ensuring stakeholder concerns are addressed. Such practices foster a proactive security posture, enabling organizations to adapt and respond to emerging threats and operational challenges dynamically.
Aligning security communication with other organizational processes amplifies its effectiveness. Incident management systems, business continuity plans, and regulatory compliance frameworks should be integrated into the communication strategy. Proactive collaboration with legal, HR, and external entities enables organizations to craft consistent messages across internal and external channels, including customers, partners, and regulatory bodies. Flexibility and context-awareness in external communications are particularly critical when managing breach disclosures, policy updates, or crisis responses.
Implementing standards like ISO 27001 further structures the communication process, ensuring alignment with best practices and regulatory expectations. By embedding security communications within broader organizational governance, enterprises can improve message coherence, stakeholder trust, and overall security resilience. Ultimately, developing and maintaining a comprehensive security communication plan is a continuous, dynamic effort—one that enhances organizational awareness, mitigates risks, and bolsters trust among all stakeholders.
References
- Spitzner, L. (2011). Security awareness – How to communicate. SANS: Securing the Human.
- Russell, C. (2002). Security awareness – Implementing an effective strategy. SANS Institute.
- Woo, W. (2011). Ten communication failures that will sabotage your project. The Agilista PM.
- ISO/IEC 27001:2013. Information technology — Security techniques — Information security management systems — Requirements.
- Herley, C., & Florêncio, D. (2018). The Security of Security Communications. IEEE Security & Privacy, 16(2), 16-24.
- Shostack, A. (2014). Threat Modeling: Designing for Security. Wiley.
- Fernandes, D. A., et al. (2016). Impact of Communication Strategies on Organizational Security. Journal of Information Privacy and Security, 12(4), 250-265.
- Axelsson, S., & Karp, C. (2019). Corporate Security Communication and Stakeholder Trust. International Journal of Business Communication, 56(3), 351-370.
- Anderson, R. (2020). Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley.
- ISO/IEC 27002:2013. Code of Practice for Information Security Controls.