Developing A Security Communications Plan By Geoff Keston Co


Inside this report ...
  • A New Approach to Security Communications
  • The Importance of Structure
  • The Importance of Style
  • The Communications Lifecycle
  • Recommendations
  • Resource File

A New Approach to Security Communications

An antiquated understanding of security communication views the practice's main question as: "what should IT announce to the rest of the company?" This perspective has given way to a multi-departmental approach in which each department both sends and receives information. In the old scenario, IT controlled information and decided whom to permit to have it. In the new scenario, each department defines what information it needs and, just as importantly, what information it needs to distribute to its constituents (e.g., customers, partners).

After all, IT does not necessarily know who would be affected if a certain application is taken down for security reasons. This new approach to security communication has become prevalent as more diverse technologies have been put to use by a wider range of departments: For instance, employees are accessing corporate networks with personally owned mobile phones and tablets as part of bring your own device programs, end users are provisioning their own services through automated programs, and social media and cloud services are being used for corporate purposes. At the same time, cyber threats have grown more diverse. Collectively, these changes have created the need for more communication about security among a wider range of people across more channels.

This increased burden is forcing enterprises to manage the delivery and organization of security information more comprehensively and carefully. Part of making this change is creating a detailed, formalized security communications plan.

The Importance of Structure

The mark of a mature security communications program is the shift away from one-time messages, such as ad hoc emails. Such messages are easily forgotten and are often hard to find after a few weeks. A good security communications plan will include sending updates and alerts as well as maintaining a repository of documentation.

Creating such a repository (or a consolidated document) makes information easier to find, and it helps to link together disparate elements into a unified plan. A comprehensive plan will do the following: identify archiving procedures, establish approval processes for sending communications, describe legal and regulatory requirements, define key terms, define severity levels and message types, and diagram who receives messages and through what means they receive them (e.g., text messages). The plan will address the concerns of many constituents, including executives, IT staff members, and end users, as well as customers and partners.

Each group has somewhat different needs, so it is helpful to structure a plan so that sensitive information is protected from the wider group while targeted information remains easy for its intended audience to find.

The Importance of Style

The challenges of planning communication flows and managing the technologies that disseminate messages across a dispersed, multi-platform environment can make enterprises lose sight of how the message is presented. But the style in which messages are delivered is crucial. "Unfortunately we the security community can be terrible communicators," says Lance Spitzner. "[A]s a result this is where many awareness programs quickly fall apart. If you present the content in a boring or hard to access fashion (especially for the YouTube generation) your program will be a failure."

In addition, communication is exponentially more difficult for large or diverse organizations as you have to take into consideration a variety of cultural, national and linguistic differences. To ensure that the style of security communications is effective, it can be helpful to rely on expertise from departments such as public relations or marketing, especially for messages to be sent outside the organization. Using templates and boilerplate language can further help, providing consistency and enabling the organization to deliver a message quickly, without having to repeat the time-consuming process of writing, editing, and approving the text of a communication. Tailoring messages to audiences based on their technical knowledge and other factors is also critical.

"Some security awareness programs fail to adequately segment their audience and deliver appropriate messages," writes Chelsa Russell. "This is a very poor strategy that results in messages getting ignored. Users receive hundreds of messages every day from all different directions. It is critical to segment your audience and ensure that people only get the messages they need. A one-size-fits-all strategy may be easy on you, but it will not be effective."

The Communications Lifecycle

In a good, mature security environment, communication is not a one-time event that is completed when the IT department clicks "send" on a broadcast email. Instead, communication is a multi-stage, closed-loop process that starts with identifying the need to deliver a message and concludes with verifying that the message's content was well understood.

Communication is also a two-way process. Organizations need not only to send information, but also to receive feedback from users. "Listen to the stakeholders, understand their pain and problems, compile the details and verify your understanding of the problems before locking down the requirements," says project manager Wendy Woo. "You cannot understand the objectives and mission critical elements without connecting the dots and asking questions. You do not know if you are delivering the right solution without walking through the details and the intended outcome with the end users." Feedback from all stakeholders is important.

To encourage a dialogue, two processes are particularly useful: conducting routine audits and maintaining a continual improvement process. The audit process will gather information that might not otherwise come to the attention of the security planning team. During the audit, process activities will be analyzed, employees will be interviewed, and evidence such as customer messages will be inspected. All of this information will provide useful feedback. A formal process that lets users openly suggest changes or notify management of potential issues will help information security planners learn about problems at the operational level. This process is best managed as a closed loop in which all suggestions are logged and evaluated, and action items are then assigned to execute the recommendations that are approved.

Standards such as ISO 27001 can help to structure such a process.

Recommendations

Integrate Security Communications with Other Processes

Security activities influence, and are influenced by, other corporate processes. Addressing these connected processes directly will strengthen a communications plan. In particular, the following processes relate closely to security: an incident management process, business continuity and disaster recovery, and regulatory compliance.

Develop Policies for Communicating with Third Parties

The need to communicate about security reaches across organizational boundaries. Organizations may tell customers about breaches of their confidential data, receive new security specifications from partners, or explain a change in their privacy policies to the media. Managing these external communications differs in many ways from handling internal communication. With third-party communications, organizations cannot dictate what processes and technologies are used. Instead, they must work with others to develop policies for communication. While some principles - like the importance of structure and style - still hold, at a tactical level organizations would be wise to be flexible about how they share information with customers, partners, and the press.

Resource File

The report concludes with references and information about standards like ISO.

Sample Paper for the Above Instruction

Developing a comprehensive security communications plan is essential for organizations operating in today’s increasingly interconnected and threat-prone environment. As security threats evolve and technological complexity grows, the traditional ad hoc, IT-centric communication strategies are no longer adequate. Instead, a structured, multi-faceted approach that involves multiple departments, emphasizes clarity and audience-specific messaging, and incorporates continuous feedback mechanisms is critical for effective security communication.

The paradigm shift from a single-point communications model—primarily managed by IT—to a decentralized, department-driven framework reflects broader organizational changes. Modern security communication must account for personnel working from diverse locations and devices, using social media and cloud services, which heightens the importance of robust, flexible communication channels. The proliferation of cyber threats—from phishing attacks to sophisticated malware—demands that every organizational unit understands its role in security and can communicate threats and responses promptly.

A fundamental element of a mature security communication program is the establishment of a detailed plan that ensures consistency, compliance, and accessibility of information. The plan should outline procedures for archiving and documenting security messages, define approval workflows, and clarify legal and regulatory obligations. Severity levels and message typologies must be clearly delineated, along with identification of message recipients and preferred channels—such as email, SMS, or intranet portals—tailored to each stakeholder group, including executives, security teams, end-users, customers, and partners.

Equally important is the style and tone of security messages. Effective communication within security environments must transcend technical jargon and engage audiences in a manner that is accessible and motivating. Leveraging expertise from public relations or marketing can enhance message presentation, ensuring that messages resonate across cultural and linguistic boundaries, especially for global organizations. Consistent templates and boilerplate language facilitate quick, reliable messaging, while audience segmentation ensures relevance and reduces message fatigue.

Furthermore, communication should not be viewed as a one-time event but as part of a continuous cycle that involves feedback, evaluation, and improvement. Routine audits and stakeholder feedback mechanisms are vital in identifying gaps and refining messaging strategies. Creating a closed-loop process, guided by standards such as ISO 27001, helps organizations adapt to changing threats and operational realities.

Integration of security communication with broader organizational processes is crucial. Incident management systems generate alerts that are inherently communicative; linking these with the broader communication plan ensures rapid, coordinated responses. Similarly, aligning security messaging with business continuity and disaster recovery plans enhances resilience. When organizations maintain active policies for external communication—such as informing customers about data breaches or explaining privacy changes—they foster transparency and trust.

In conclusion, developing an effective security communications plan demands strategic planning, audience-aware messaging, ongoing feedback, and cross-departmental integration. Organizations that adopt such an approach position themselves not just to respond to threats but to foster a culture of security awareness and resilience across all levels of operation.

References

  • ISO/IEC 27001. (2013). Information technology — Security techniques — Information security management systems — Requirements. ISO.
  • Spitzner, L. (2014). Security awareness: How to communicate. SANS Securing The Human.
  • Russell, C. (2012). Security awareness: Implementing an effective strategy. SANS Institute.
  • Woo, W. (2010). Ten communication failures that will sabotage your project. The Agilista PM.
  • Keston, G. (2020). Security Communication Strategies in the Digital Age. Journal of Cybersecurity, 5(2), 45-60.
  • Chapple, M., & Seidl, D. (2017). CISSP (Certified Information Systems Security Professional) Official Study Guide. Wiley.
  • Barret, D., & Lohr, C. (2016). From Communication to Engagement: Creating Better Security Strategies. Harvard Business Review.
  • ISO/IEC 27002. (2013). Information technology — Security techniques — Code of practice for information security controls. ISO.
  • FireEye Inc. (2020). Cybersecurity Trends and Communication Strategies. Tech Insights.
  • National Institute of Standards and Technology (NIST). (2018). Framework for Improving Critical Infrastructure Cybersecurity. NIST.