June 12, 2024

In this episode of The Virtual CISO Podcast, host John Verry talks with Kevin Denino, President of KCDPR, about the essential role of communication in crisis management. With his wealth of experience, Kevin shares practical advice on navigating crises, whether they arise from cybersecurity incidents or other unexpected challenges. Key topics include:

  • The difference between incidents and crises, and how to recognize when a situation escalates.
  • The importance of consistent communication with customers, shareholders, and employees.
  • Strategies for integrating crisis management into incident response plans to protect your brand and reputation.
  • How changing regulations are influencing crisis communication practices.

 

John Verry (00:00.185)
The whole idea is super conversational and it doesn’t really matter if we end up bouncing around on the agenda and things like that, no sweat. If at some point you really just think you totally bollock something up, you can say, hey, can we roll that back? They’ll cut it all out. But that rarely ever happens. To me, a little bit of, hey, let me fix that kind of thing is just human and makes the podcast sound better anyway. So you ready? Sounds good.

Kevin (00:18.264)
It’s gonna be good.

Kevin (00:26.52)
Yep.

John Verry (00:32.377)
Hey there and welcome to yet another episode of the Virtual CISO Podcast. With you as always, John Verry, your host, and with me today, Kevin Denino. Hey Kevin.

Kevin (00:41.624)
Hey, John. Thanks for having us.

John Verry (00:43.897)
Something just went totally wrong with your sound.

Kevin (00:45.464)
that we’re talking about this time.

Dust, dust, dust.

John Verry (00:50.841)
That was better. Yeah. Yeah, you were just working off your microphone that’s on your laptop.

Kevin (00:54.008)
Awesome.

Kevin (00:57.56)
I have a desktop, but if you want me to log in and put my AirPods on.

John Verry (01:01.273)
No, no, no, no, no. Do me a favor. Stay closer to the, I think it’s when you lean back, you know, you just, right. I’m going to just start all over from the beginning to make it easy for the guys that are, that are cutting this. Hey there and welcome to yet another episode of the Virtual CISO Podcast. With you as always, your host, John Verry, and with me today, Kevin Denino. Hey Kevin.

Kevin (01:06.656)
Okay, we’ll do that again. No worries.

Kevin (01:24.184)
Hey, John, thanks for having me on.

John Verry (01:26.073)
Looking forward to it, sir. Always start easy. Tell us a little bit about who you are and what is it that you do every day.

Kevin (01:33.464)
I appreciate that. So I’m president of KCDPR. So we’re a strategic communications agency that does a lot of work, really guiding companies in the cybersecurity space specifically, but then also in the financial and technology world as well from a client base too. So I’ve been doing it about 20 plus years, virtual services really across North America.

John Verry (01:59.481)
Before we get down to business, what’s your drink of choice?

Kevin (02:04.792)
I actually didn’t hear what you said, John. I’m sorry, we gotta cut that. My drink of choice. I should have known this because you told me. Yeah, yeah, sorry. You wanna start with the whiskey drink of choice and then we’ll cut it again?

John Verry (02:07.245)
Yeah, come on, so let’s go though. What’s your drink of choice?

Kevin (02:19.448)
I feel like it’s Friday here. You know, Scotch would be my drink of choice. So I actually did the, I actually did the trail in Scotland as well. The Speyside Trail. Johnnie Walker, probably my go-to, John.

John Verry (02:34.969)
Sorry, I can’t say I’m a scotch guy. You know, to me scotch is good whiskey ruined by peat. But so you and I, you and I won’t be able to enjoy a beverage together. Sorry about that. So, you know, unfortunately, as we know, security incidents are becoming more and more frequent and I don’t think they’re going to unfortunately disappear anytime soon. Many of the organizations that we work with have at least a baseline incident response plan in place.

But I would say if you have what might be called a crisis management plan or something similar. So that’s the topic of today’s conversation. So let’s lay some groundwork for that. Can you define what we mean by an incident versus a crisis?

Kevin (03:08.576)
Yeah.

Kevin (03:19.992)
Well, I mean, incident probably has a little bit more of a cyber play on it. So whether it’s a, whether it’s an actual breach or something specific to a network, et cetera, that’s when I think of an incident response. When you think of crisis communications, there’s a, there’s a variety, there’s a variety of things that can happen. It could be, you know, an injury, a death, it could be a large financial, financial loss, an employee situation.

customer situation. There’s obviously a wider world, I would say, in the crisis ecosystem, if you will.

John Verry (03:57.849)
So would you say that there’s a point where an incident crosses over into a crisis? Like how do we know this is gone from, crap, we had an incident to, crap, crap, we’re in a crisis?

Kevin (04:12.344)
Yeah, there’s always going to be crossover and I would say to the point of the, it’s definitely not an if scenario. Now it’s a when scenario. And this is where kind of determining if there is an incident, how to kind of dissect and then communicate off of that crisis are huge. So what usually ends up happening, John, is it…

It could be something where, let’s say, a CISO or an organization detects something, or in many cases it’s not detected and, you know, a customer is impacted or there’s, there’s something specific that happens. So, you know, a small business example, we’ve had clients whose websites and, you know, basically their whole network was, was hacked by an ISIS support group. So you, when you went to their small business website, it was an ISIS support group, you know, black flag, et cetera.

and that’s the, crap moment. And so having a backup and being able to pivot quickly and then communicate to all of your audiences and understanding how to communicate. Play a huge role in that. And we’re talking like the how, meaning like you have an incident and you know, your network’s compromised. You can’t use email, you know, a web.

portal, if you will. So maybe you’re texting, maybe there’s a manual way of getting in front of your audience. So I think all of that kind of really plays a big role. But there’s clearly a lot of nuance to the extent of an incident, if you will.

John Verry (05:53.017)
So from a perspective, is the major differentiation in your mind between an incident response plan and crisis response, whether it’s a separate plan or it’s integral to the incident response plan, is it the idea of managing outbound communication in a way which has the impact of, excuse me, lessens the impact of the event or the incident?

Kevin (06:23.16)
The playbook is probably very much the same. So I think that, you know, an organization would definitely be better off following an incident response playbook, much like a crisis situation playbook. And a lot of it is determining what the risk is, what the situation is, and then what the broader company communications are going to be, and then who’s in charge of each of those streams. So whether it’s customers,

shareholders, employees, having sort of a specific playbook of, you know, this person’s in charge of this audience. Here’s how we’re going to communicate it. It almost doesn’t matter from a planning and communication standpoint what the situation is. If you run the same playbook and lean heavily on communicating, and I would say over-communicating, which this is where incident response plans.

tend to fall short. There tends to be a turtling and no communication. And that tends to create an even wider crisis because then you have things like media interactions or prognostications taking flight, shareholders, customers, et cetera. And then you start to spiral. A colleague of mine gave a great example, actually, and it puts a visual picture on it. If you imagine sort of the five Olympic rings.

and you put them on a table with a white tablecloth and you spilled some red wine on the tablecloth. You start to see kind of the wine infiltrating the various parts of a business, legal operations, communications, it’s HR, et cetera. And so all facets of an organization have to be communicating because if one of those audiences impacted, clearly the other four or five are going to be as well.

And I think that’s really the key part of it is ensure you are communicating because in many cases you will be punished in many cases by the court of public opinion, your reputation and your brand down the road as well without a plan of attack and without communicating.

John Verry (08:42.617)
Yeah, you made me think of something that I hadn’t thought of in preparing for the conversation today. We had a client who didn’t find out about an incident until a reporter called them up and said, hey, this breach happened over here. You host all of your data there. You know, what’s going on with your client data? And the person’s answer was, I have no idea what you’re talking about.

And that was what got into the press. So that’s an interesting situation, because I was going to ask you later on in the conversation, should your crisis management plan be independent of the incident response plan? Should they logically be one document? But here’s an interesting case where we didn’t know about the incident until it was a crisis and communication was critical.

Kevin (09:37.048)
happening more and more. I mean, that’s a great point. I think a lot of these bad actors are really smartening up from a communications and PR standpoint. And in many cases, going to, in the scenario you mentioned, seeing that a lot, going to whether it’s influential media and or shareholders and saying, hey, this breach has happened as well. Because in many cases, John,

If it’s a ransomware attack, a lot of these ransomware groups, you know, they’re still in many cases financially motivated too. And so it’s utilized as a tool perhaps to, you know, whether it’s a ransom notice that they want, as well, but they’re becoming more sophisticated and more savvy and utilizing external resources to do that. And that’s where.

you know, the answer that was provided, like, what are you going to do when that happens? If you truly don’t know, like, then that’s the extent of it. And you need to, you need to recover and get back to them. But, and in a, in a crisis or incident response plan, there’s things called holding statements where it’s truly exactly what it says. Hey, we’re, you know, we’ve become aware that this happened. We’re looking into it, you know, and you, you give yourself at least a window of time to find out what the heck happened and then recommunicate.

more of the facts as well. But that scenario, I think, is becoming and probably will become more of the norm as well as the sophistication of these various breaches continues to kind of ante up.

John Verry (11:15.193)
So if you think about a normal incident response plan, you know, they all follow effectively a similar structure, right? We, you know, we identify the issue. Ideally, we determine the root cause. We seek to contain the incident from spreading further. We’ll work through a remediation. We work through recovery. Are there specific things that should be in my incident response plan to minimize the likelihood that my incident raises to crisis? And if so,

Where in those conventional locations should I be interjecting crisis content, if you will?

Kevin (11:54.456)
A lot of it is going to be sort of the nuance of what the actual communications are around the incident. You know, when we talked through that tree of, you know, if you’re a larger organization and you have business unit leads, you know, who’s in charge of reaching out to clients, third party vendors, you know, employees, if it’s the case of Wall Street as well.

and making sure that that response is as ironclad as possible and consistent. Because the risk of what can happen in the scenario you present is where you have a lack of clarity on either the response structure or there tends to be a gap in that an audience maybe either gets ignored or communicated in a different method. And then the risk goes up.

inevitably based on that too. So it’s very much a dance and an art form in a way, but it’s also very practical and that the message needs to be consistent. The medium likely needs to be consistent. And if there are certain, you know, kind of what I would call, you know, very important or high dollar, whether it’s top customers or, you know, relationships, et cetera, making sure that they’re personalized as much as possible to, to that end.

But it’s very much the breakdowns that tend to occur are likely along the way in the form of how the news or the updates are being made and who’s in charge of them and making sure that they’re consistent as well.

John Verry (13:35.961)
Gotcha, so it sounds like you’re not saying let’s shim this into this part of the plan. It sounds more like whether it’s an independent plan or within the plan, it says when we need to message and we need to message to these audiences, here are the, here are the, here’s who’s going to message and here are the types of messages that we would want to communicate depending upon different parameters associated with the event.

Kevin (14:04.472)
That’s exactly right. And then there’s also, you know, for the media example, you know, if any media, if any media inquiries do come in, here’s who’s in charge of managing those media inquiries. Please, you know, communicate that or direct all calls, emails, et cetera, to this person or group. And then they run point on really any external communications, whether it’s analysts, Wall Street media, et cetera, they’re running point on that.

and then can kind of liaise with business unit leads as well.

John Verry (14:38.009)
Yeah, it makes a lot of sense because I think the people that are typically involved in incident response tend to be on the technical side of the equation. And I think their focus is on the technical components of responding to the incident. And I think that they are generally not knowledgeable enough about the business itself and the potential impacts associated with poor communication, right?

That’s really, that’s what we’re trying to solve for here.

Kevin (15:11.96)
Exact, it’s, it’s poor or inefficient or incomplete communication. And so your earlier question on sort of what are potential pitfalls, it’s not even necessarily in the, in the dealing of the actual incident. A lot of it is the planning and communication for the go-forward strategy after said incident or crisis happens as well. And in many cases, you know, you’re, you’re doing triage.

You’ve got your technical team, whether it’s a CISO, et cetera, you know, kind of working on the technical side of things. But for a larger, really any size organization, you know, the reputation of the firm, a lot of what comes out of that from a reputational side is the actor of, okay, whether the breach has been, you know, we’ve taken care of this breach, maybe we haven’t taken care of it, or it’s still something that we’re fighting, et cetera.

What’s our message? What’s our voice going to be? How is our brand going to be impacted? You know, how are we alleviating this concern? And that’s why you see in many cases, whether it’s larger brands, you know, there tends to be, if you’re the end customer, you tend to receive a communication. Here’s what happened. And then there’s always some sort of nugget of whether they’re offering a service, whether it’s a credit monitoring solution.

you name it, like there tends to be at least some sort of carrot that’s dangled of here’s what we’re doing. But then the follow-up to that as well is just as important. How are we communicating with these audiences to ensure that we have their trust in continuing to do, whether it’s to do business with us, whether it’s continuing to utilize our network, et cetera, making sure that their information is secure. I mean, so, and that’s where each of those different audiences,

employees, customers, shareholders really become important after the fact to stay in touch with as well.

John Verry (17:16.665)
So I came into this conversation, obviously, looking at this from a cyber perspective, because that’s what I do every day. That’s what we do every day. And it occurred to me, I probably should have thought about our conversation in a broader sense, in that there are many types of crises that you might be dealing with that would have nothing to do with a cyber incident. Now, increasingly, it is cyber incidents. But as an example, the famous Tylenol issue, that would be something that I would assume that the same crisis response

process would be followed. And again, now it’s just different people with different audiences communicating different messages. So does a typical, when you develop a crisis management plan, if that’s what you guys call it, is cyber just one component of that? And then there are different components that are going to be specific to the context of each organization.

Kevin (18:12.44)
I’d say five years ago, they probably were separate. Current day, and probably what COVID and all of that digital transformation really showed and look at today is it’s all part of one broader plan under the scope of crisis communications. Every business more or less these days has.

has some huge, big digital shift or has gone completely digital, which that whole COVID era really pushed everyone towards. And what happened is there’s lots of, you know, while there’s lots of cool things that have happened in terms of whether it’s working remote or taking manual processes and digitizing them. And then you weave in things like IoT, you know, remote workers using company networks, et cetera, just the level of risk on all things digital.

Went through the roof. And so it really is all part of one, one process. And I think that’s probably, to your point, I think a bigger trend where it’s not even an either-or scenario. And I think if organizations approach incidents within cyber very much as any other large crisis, they’re all going to be in many cases digitally based these days anyway.

and spanning from that. So that tends to be, I would say, probably a broader, but also a better approach to you to kind of cover all of your bases.

John Verry (19:47.289)
Yeah, I hadn’t thought of that because, you know, like a certain example, let’s say, let’s say you were working with Tesla, right? Tesla might be breached. Tesla might be breached and it might impact client data. It might impact their manufacturing processes, but another crisis would be, you know, a full self-driving mode crash that killed lots of people or a giant recall, right? That would, that would potentially impact their stock valuation. So in those circumstances, I’m guessing that the, your crisis response plan is going to be.

specific to those types of incidents where cyber is one type of incident. And as we bubble down, the impact of the cyber incident and the communication might be common, but the source might be different. And you may have different paths that you’d end up taking down this, call it communication tree, right, or hierarchy, if you will.

Kevin (20:35.992)
be a tighter, whether it’s departments or individuals and audiences matrix that are impacted. But I think the broader role of your communications as a company and having a comms liaison or lead on that doesn’t change in any of those. And that’s where kind of the role of public relations or communications becomes hugely important to any of those scenarios because they’re in many cases leading.

all of the outbound and inbound communications as well. It’s just a matter of the groups of individuals involved in that C-suite, you know, might differ in each of those scenarios as well. The Tesla example, let’s say with a safety concern, obviously is going to be a CEO and comms level component, but whether you have a head of product, you know, or a specific sort of delivery.

component that needs to comment on trends with that would be a key important part. Maybe the cybersecurity element or the CISO would not be as actively involved in that. But again, you’re involving all audiences and then kind of determining sort of who’s, who’s leading the charge in that regards as well. And that’s what I meant by the, the playbook and process is very similar. It’s, it’s just kind of altering sort of, you know, audience structures really, and who we’re talking to.

John Verry (22:02.713)
Yeah, makes sense. So when we look at a good incident response plan, they’ve got lots of contact information there. Who’s the cyber liability insurance provider and how do we get in touch with them? Often you’ll have a data forensics firm, which is already pre authorized to come in and actually do the work in that case. Legal counsel, of course, is going to be listed there. Should these incident response plans have a PR firm in it?

Kevin (22:29.624)
Thanks. A little bit biased here, but whether it’s a firm or individual, absolutely. I mean, communications and having knowledgeable and experienced people that understand how to reach out to and communicate to all of these different audiences. And you might even, John, have an external communications lead and an internal communications lead.

I’ve worked at several organizations that that segment that way. And I think that’s also a very smart way to do it. Meaning, you know, if you’re a large organization with employees spread out either across the country or the world, internal communications are going to be massive and needed and externals. It’s all its own, its own kind of beast in its own right, especially again, publicly traded company. Now you’re talking about analysts, shareholder communications, media.

all of these external factors as well. So yeah, absolutely. And I think that’s, that’s constantly a struggle with, you know, with firms that don’t have folks that have that sort of core expertise. You know, I think you could view that skillset much like a CISO and that if an organization doesn’t have a CISO and something on the breach side happens, like, you know, imagine what’s going to happen from a technical standpoint, it’s the same thing. And that.

You know, you’ve got sort of risk management on, let’s say your network and IP, et cetera, with folks. But think about your brand and reputation risk management. And that’s where, whether it’s a PR firm or a comms team, et cetera, that’s where their focus is. And that’s where their experience is. And in many cases, that can be priceless.

John Verry (24:15.865)
So question for you.

Most authorized response vendors, like when we’re initiating data forensics incident response, very often that’s being driven by the cyber liability insurance company, right? They’re the entity having the breach reaches out. They begin to explain what the process should look like and say, Hey, you should contact these folks. Is that same concept yet exist with folks like you? Are you working with cyber liability insurance providers that way?

if they have an organization of significant size where poor communications, especially externally, especially shareholders, especially to Wall Street, that the impact of the breach would be so significantly higher that having you as being part of their incident response team makes sense.

Kevin (25:05.88)
that in many cases, part of that insurance policy for sure. And the risk side. And I think there can also be, there also can be a situation where based on your next move or how you kind of attack a particular breach, both on the technical side and reputational side, you run the risk of potentially not having a situation be covered by a cyber insurer, et cetera, because of how

certain protocols were handled and or mismanaged, et cetera. So, I mean, I think that’s definitely a big part of it. And, you know, even as a business owner, you know, as well, while in the comms field, like we’re working, we have a cyber insurance provider and are working very closely with them, much like errors and omissions insurance too, in that regard. So it very much is a key part of that.

And I think, you know, especially on the insurance side, while not an insurance expert, I know enough to know that insurers, particularly with these incidences, are looking for ways in many cases to pick apart scenarios and ultimately not insure. And that’s increasingly, you know, I was recently at a Chamber of Commerce event where in many cases,

We’re hearing that insurers are going back to clients and using the, you know, war. So if an IP address, let’s say is straight trace to, let’s say a China or Russia, the insurer will say, well, you know, it’s traced to, to this, to this country. We’re going to use this clause of, you know, the war clause and therefore not covered. And so there’s a lot of kind of infighting and pushback on that as well. And so I think that’s an important piece of the puzzle where having.

having a protocol that’s in place because you’re going to have issues with that insurance side for sure and being able to navigate that more and more these days.

John Verry (27:12.217)
Yeah, it’s an interesting point. I had an attorney on the podcast, I don’t know, six months ago, a year ago, to talk about whether or not, when you’re looking at your cyber liability insurance policy, whether or not you should have a lawyer review it. And then the second thing was, in the event that you have a serious cyber incident, should a lawyer who is cyber liability insurance knowledgeable be on your team to be able to support you when the CLI provider attempts to.

shirk some of their responsibility. So it is definitively a challenge for organizations. I’ve seen clients of ours be not covered when they thought they should be covered.

Kevin (27:52.376)
Yeah, absolutely. Yes, on that front. And I would imagine even, you know, from six months ago till now, how much has evolved on that front as well, especially just with the geopolitical situation in the world as well.

John Verry (28:08.281)
Yeah, I agree. So you may be familiar with this. There’s been a lot of new or enhanced disclosure requirements coming out of the federal government, right? CISA relating to critical infrastructure, the new SEC disclosure laws around 10Ks and 8Ks are fairly onerous and really, I would say, turning up the heat on good communication around incidents. I would assume that that’s…

probably something that will drive folks to be chatting with you guys a little bit more to ensure that those communications are done properly.

Kevin (28:44.984)
I mean, absolutely. I mean, and my credit union side as well, it’s now a requirement in terms of just reporting incidents as well. So, you know, in many cases, at least financial services has always been a little bit slow in terms of implementing new processes, et cetera. And this is an area of risk, I think, for banks, credit unions, institutions, public companies with those requirements to really kind of have an expert come in.

build a plan for you and then make the decision, okay, whether you need ongoing support, great, we can help you there. But in many cases, if you don’t, then at least you have an expert that’s come in, built out sort of a plan of attack for you. But you’re exactly right. There are still many cases, a lot of institutions out there and companies out there that don’t have even an incident response plan to this day, much less any sense of how to communicate to.

the old way of saying no comment, or internalizing it and having, let’s figure this out internally and not say anything until we figure it out and then think things snowball. In many cases, to your point, legally, you’re not going to be able to do that anymore. And so in many cases, whether it’s an investment into your biz, it’s essentially an extension now of risk management. That would be the best way to describe it because your brand,

and the requirements of it now, and with this digital transformation that’s taken place and just the velocity of breaches and attacks, it’s a must have.

John Verry (30:27.929)
Yeah, I agree. I think we have to begin to understand that you need to assume events will happen. And our goal probably should be a little less about ensuring that an event never happens and a little bit more on ensuring that if an event happens that we minimize the time to detect and we minimize the impact of the event. And I think crisis management,

Kevin (30:54.36)
Absolutely.

John Verry (30:57.241)
is all about minimizing the impact of the event.

Kevin (31:01.386)
Absolutely. I mean, that is like the hallmark of crisis communications and management across the board is it’s minimizing the impact and then, you know, in many cases kind of focusing on, you know, the go forward strategy of next step. So in all of those scenarios, even going way back to the Tylenol recall, et cetera, you know, how did that brand rebuild trust, et cetera?

And in many cases it was, you know, whether it was a swift action and pulling all product off the shelves, you know, commenting clearly to media, ensuring that the risk was gone and then going back up out, et cetera, like, you know, audiences and people remember that, you know, and they also remember the flip side, you know, if there was an impact or something that did happen, a lot of brands don’t recover from that, as well, or, or massively impacted. And I mean,

While not a cyber look at Boeing probably is a great example from a reputational standpoint as well. on that front, probably known as one of the, one of the best, if not top five American run large, large enterprises and now dealing with all sorts of issues too. And, you know, that took, that’s going to take a lot of time to get back to that level of trust too. So it all played.

John Verry (32:25.049)
Yeah, especially when you consider the lifespan of planes that we might have a concern about. I mean, the idea now that you can, as you’re searching for a flight, select the plane type, kind of tells us everything we need to know, right?

Kevin (32:38.808)
I was actually going to mention that. Anyway, it’s great. And I mean, and, you know, we could probably have a whole episode on that, but I think the takeaway too from that is, you know, where there are these industries where, whether it’s a monopoly or duopoly, where there’s not a ton of competition, and then you have a, you know, kind of a crisis situation that impacts the broader market, you know, you know,

impacts that brand and the broader market either, you know, can’t react to it or there is no solution. Like it becomes problematic as well. And so I think that that is a case study in its own right of, you know, where really having good solid communication, but then also, you know, if it wasn’t a space where there are lots of competitors, this is the stuff that in, you know, the C suite and marketing and PR boardrooms that competitors are talking about too.

How can we take advantage of the fact that this company had a breach? You know, they’re screwing up on this. They haven’t communicated well, you know, we’re going to, you know, make no mistake companies, you know, competitors are talking about that every day in terms of kind of pulling market share and gaining market share as well. And so that, you know, that’s definitely, you know, a large element of, you know, any crisis response, whether it’s mitigating risk, but then on the flip side, it’s.

it’s mitigating risk and ensuring kind of, you know, money in and money out obviously doesn’t deviate too much as well.

John Verry (34:12.281)
I think we beat this up pretty good. Anything we missed, any last thoughts?

Kevin (34:12.76)
Thank you.

Kevin (34:18.104)
I mean, you touched on a lot of the regulatory requirements. I think that was something I was definitely going to mention. I think you’re going to see more and more of that, whether it’s disclosure of breaches, but just the that whole conflicts of the movement away from the if scenario. And it’s more of a when scenario and being prepared and then really making the determination. If you have the resources in house to do this, great.

But that’s where those tabletop exercises and even if you don’t have a crisis, kind of going through and actually kind of doing exercises to ensure tends to help too. It happens probably a lot on the technical side, but you could also do exercises on the comm side to kind of see, all right, what happened? Where do we have any gaps potentially as well? I would leave you, John, with that one as well.

John Verry (35:14.265)
Yeah, you know, it’s funny you should say that because we do a fair amount of like business continuity testing, incident response testing, and I’m thinking through and I don’t know that we put as much emphasis on the communications as we should, you know, based on like the audiences that we typically work with. We tend to, you know, more and we do our best to get as many of the business people involved in these, but you just gave me a pointer that we really should be.

considering the communications management component of incident response more deeply than we actually do. So I’m actually glad you brought that up. I hadn’t really thought that through very well.

Kevin (35:56.44)
Yeah, it’s going to be a, that’s going to be a key part of it and really just making sure that everyone kind of knows what lane and what message to communicate.

John Verry (36:08.761)
I’m guessing that the bulk of your clients are clients that are clients from a PR perspective and then this crisis management becomes an ongoing component of your relationship with them.

Kevin (36:23.512)
Good question. Ebbs and flows a little bit. So, but yes, in many cases, like we’re providing ongoing counsel, and then let’s say we help create and build a plan and then we’re available if there is a crisis. So there tends to be, you know, kind of your core team that’s readily available if and when a crisis does take flight. There are also scenarios, John, where we’re brought in to create a plan, you know, communicated and handed off to a larger team as well. But.

the bulk of the scenarios where we’re involved in partnership with our clients on all encompassing public and strategic comms across the organization.

John Verry (37:06.041)
And in light of the fact that the public companies probably have greater impact to an incident if it’s not, if communications are not managed, well, I would assume that more of your clients tend to be in the public domain and probably slightly larger than an average company. You’re probably not working with a lot of small companies. You’re probably working with those mid-size and up companies, generally speaking.

Kevin (37:32.536)
It runs a gamut, you know, probably skews two thirds sort of mid, you know, middle market and higher. But that said, you know, working with a lot of tech clients across, whether it’s FinTech or blockchain, as well, there are a lot of smaller organizations where this isn’t even remotely on the radar, but they’re in massively impacted, you know, verticals as well, where you might be, you might have a CTO on the team, you know, in a management team of five or six, but.

you know, we’re running all things comms related too. And so, you know, those are the, those are the needier clients for sure. And then on the flip side, you know, you might have a, a tech client that’s working closely, let’s say with a public utility, you know, which, which we work with as well. And, you know, the public utility is kind of woefully inadequate on.

a variety of comms, et cetera. So working in tandem with them too tends to be helpful. So it really does run the gamut, but yes, the impact is definitely wider felt at a larger organization. But in this day and age, look at the amount of startups, whether it’s via partnerships, relationships, or where their tech is being leveraged in larger verticals or

you know, on the government side of things as well. And by government, I’m talking like state county level and things like transportation, agriculture, water as well. There, you know, with everything kind of going digital, there’s a lot to really kind of be involved in in that regards too. So there’s plenty of help that we can provide, I guess would be the best way to sum it up. And it tends to be similar.

across different verticals, but there’s clearly higher levels of risk in certain scenarios.

John Verry (39:36.377)
Makes complete sense. So if somebody did want to reach out, what’s the easiest way to get in touch with you?

Kevin (39:40.088)
Yeah. Best way to get in touch, our website, kcdpr.com. Email address is kevin at kcdpr.com as well. More than happy to, to chat and do a complimentary consult to, to learn more about your comms needs and, and help anyone out on, on all the topics we discussed today.

John Verry (40:01.305)
Sounds good, man. Thank you for coming on.

Kevin (40:03.544)
All right, John, appreciate the time. Thanks again. Cheers.