I first heard the term “Cyber Narrative” while interviewing Jennifer Dulles, APR, a media relations and crisis communications expert, on the S4x24 Main Stage. It’s worth your time to develop a cyber narrative, especially given the often poor public statements we hear from asset owners post incident.
Jennifer defined a Cyber Narrative as “a story about what threats exist, your preparedness, and your teams, and what you do daily to protect from that (cyber attacks)”. (see the clip below for 2 minutes on this).
I’d add that your Cyber Narrative should also include what you have done to prevent high consequence events and your ability to recover from a cyber attack. Engineers and OT Security Pro’s could work together to provide your media and investor relations with something in advance of a cyber incident affecting Operations such as:
While we have a proactive cybersecurity program to prevent cyber incidents, we know it’s not possible to stop all attacks. We have a tested plan in place to meet our commitments to our customers and the community in the event of a cyber incident.
We have non-cyber safety systems in place so that contaminated xxx won’t be delivered to our customers even if an attacker has compromised our computers and networks. One of the recovery scenarios we have designed and tested is to restore services to our customers within yyy hours after a successful cyber attack, and we strive to recover faster than that.
You can work with your media and investor relations, as well as with appropriate executives, so they understand the measures behind these statements. They may want to include more detail, provide some buffers on recovery estimates, or want more information on a consequence you haven’t thought of.
What’s your cyber narrative?