KITH https://kith.co Tue, 18 Sep 2018 15:40:01 +0000 en-US hourly 1 https://wordpress.org/?v=4.9.7 The most critical skill in a crisis is… https://kith.co/the-most-critical-skill-in-a-crisis-is/ Tue, 18 Sep 2018 15:29:42 +0000 https://kith.co/?p=2595   I’m often asked, “What are the keys to crisis success?”.  After 25 years in the field, I have a ready stock of answers (a whole book’s worth in fact).  However, many of these articles have been from the standpoint of what the company should do, how fast they should respond or who should be […]

The post The most critical skill in a crisis is… appeared first on KITH.

]]>
 

I’m often asked, “What are the keys to crisis success?”.  After 25 years in the field, I have a ready stock of answers (a whole book’s worth in fact).  However, many of these articles have been from the standpoint of what the company should do, how fast they should respond or who should be in the room.

However, I’m a communicator at heart so I wanted to take a look at this question from the very personal perspective of the lead communicator, the person responsible for telling a story in the wake of a reputation crushing crisis.  After talking to dozens of corporate communicators, watching real events unfold, and evaluating what I do when engaged in crisis situations, I believe that there’s one secret, a key skill for success in a crisis that’s often overlooked by communicators.

The key to a successful crisis response is the ability to ask great questions.

Asking great questions is the key to unlocking the knowledge you need to solve the puzzles and challenges you will be faced with in a crisis situation.   So your ability to ask questions, to get the facts and understand the situation is one of the most important tools that you have. Sadly, it’s also one that is often overlooked and I believe that all communicators should master this skill.

Importantly, you need to be able to ask good questions both up and down.

Firstly, as a communicator it’s likely that you’re not going to have a ton of knowledge about the specific issue or event.  This is particularly the case if you’re part of a complex enterprise with many moving parts and stakeholders. Obviously if you have just started working with the organization – a common situation I found myself in as a consultant – this knowledge gap is particularly pronounced.  Good, pertinent questions will help you understand what is going on and most importantly, the implications of these events.

Secondly, you need to understand what the senior leadership team is thinking.  Without a clear understanding of their objectives, the background to key decisions and the myriad other factors they are considering, you won’t be able to translate their intent into actionable messages.  Therefore, asking good questions of your executive team as they’re making decisions about the crisis response is the single best tool that you have.

Some people have years of experience, and the ability to see patterns, and often they can tell the leadership team what’s going to happen next. Sometimes people can map out a range of options that could happen.  At Kith, we pride ourselves on our ability to ‘look around corners’, to tell you what is likely to happen based on our years of experience in crisis situations.

But we can only do this if we understand the situation.  So even those with experience need to be able to ask questions.

Much like everything in life, we aren’t simply born with the ability to ask good questions, just like we aren’t born with the ability to ride a bicycle. But in the exact same way that we can learn to cycle, we can learn how to ask better questions.  We just need some steps to help and I recently read a great article which laid out five key steps to asking great questions.

First is focus. What specifically do you want to know? And if it’s not a simple yes or no question, how can you obtain deeper knowledge?  Ask specific questions to get a specific answers. Also, do you need to ask everything right now or can you have a sequence of questions that you return to as events progress? Focus on what is critical at that time.

The second is purpose.  Be clear about why you are asking this question and how this information is going to move the process forward.  Also, differentiate between trying to collect facts versus gathering opinions. Both are valuable in a crisis situation but facts sometimes outweigh opinions when we’re trying to do rapid response.  ‘What do we know about…?’ is a very different question to ‘What do we think about…?’.

Third is intent. Is the question to start an argument or are you trying to open a discussion? Should you know the answer already or are you trying to glean useful information at that particular moment? Are you asking out of frustrating or curiosity? Do you really care about the answer?

Hopefully your questions have a clear purpose but also think about why another person is asking something.  Maybe they just want to start a fight or perhaps they are trying to express concern about the direction the organization is taking.   Considering your intent – and the intent of others – will force you to ask and think about better questions. It might also help you notice a good question that might otherwise seem out of place.

Fourth is framing.  We’ve all watched or sat with reporters who have asked questions that are incredibly leading.  Their biases and opinions are built into the question itself. But we are all guilty of this, maybe not even consciously.  How we frame a question and the examples and language we use will influence the answers we get whether we mean to or not.

So you need to think if that the best way to ask the question?  Is the question really neutral or are you introducing bias that will affect the results you get?

Lastly is follow up. Did you get a useful answer to your question or is there more you need to know? I’m really fond the concept of the ‘five whys’: you ask why, why, why, why, why to really get to the bottom of something. In a crisis situation you rarely have time to do that but do  make sure you really understand the answers you receive. So you might get an initial answer from a senior executive and then seek out the right subject matter expert and ask them ‘why’ for as long as you can.

I think that these five steps –  focus, purpose, intent, framing and follow-up – form the basis of good questions.   But I would add one more consideration of my own that you should apply before you ask any question.

This relates to President Eisenhower’s quote:

“I have two kinds of problems, the urgent and the important. The urgent are not important, and the important are never urgent”.

Often, success in a crisis boils down to an organization’s ability to triage and prioritize problems because time and resources are scare.  This leads to a tendency to focus on the urgent at the expense of the important so before you ask anyone else a question, you need to ask yourself ‘is this urgent or important?’.

The next time you are faced with a crisis, make sure you differentiate between important and urgent and keep these five thoughts in mind when you are thinking about the questions you need to ask.  These thoughtful, precise questions will be the keys to unlocking the knowledge you need to develop and deliver the messages that will help you tell your story.

The post The most critical skill in a crisis is… appeared first on KITH.

]]>
Don’t be a gazelle – how to manage fear in crisis https://kith.co/fear-in-crisis/ Tue, 11 Sep 2018 20:42:36 +0000 https://kith.co/?p=2590 Don’t be a gazelle – how to manage fear in crisis I was recently watching Animal Planet with my daughter. The show was about predators hunting their prey, in this case a lion and a herd of gazelle. Gazelles have keen hearing and a good sense of smell but sensing the lion, their immediate response […]

The post Don’t be a gazelle – how to manage fear in crisis appeared first on KITH.

]]>

Don’t be a gazelle – how to manage fear in crisis

I was recently watching Animal Planet with my daughter. The show was about predators hunting their prey, in this case a lion and a herd of gazelle. Gazelles have keen hearing and a good sense of smell but sensing the lion, their immediate response was to freeze out of fear.

Quickly, most of the gazelles overcame their fear and bolted. But one remained frozen in place. She didn’t run. She didn’t fight. She just remained frozen. We saw the camera zoom in, showing her nostrils flaring and her heart obviously racing but she didn’t do anything. I started rehearsing my ‘it’s just the circle of life’ speech for my daughter ….

It’s unfortunate but true that if you’re a corporate communicator or a CEO who hasn’t been through a reputation-crushing crisis you might feel and react the same way: you might freeze. That’s a normal reaction – all animals react similarly to fear – but the difference between success and failure is how quickly we overcome that fear. Like the gazelles who bolted, you need to act or you will fail.

Each crisis is a shock and you have to overcome your fear, make a decision about what to do and act. In that initial moment, everyone will freeze to some extent but regular exposure to fear is a way to overcome it. However, unless you’re in retail, like Walmart, Starbucks, or Target, or aviation, you typically don’t have to deal with crisis situations day-in and day-out. So you might not have the opportunity to learn how to cope with your fear on a day-to-day basis.

However, another tidbit from the animal kingdom shows that just being exposed to fear isn’t the whole story.

I read a study recently about rats being conditioned out of their fear. The study went something like this. A group of rats was exposed to a loud, sudden noise. The rats looked up, saw where the noise was coming from but, because they weren’t affected by the noise, the rats went back to their business of being rats and didn’t express any signs of fear.

Those same rats were then exposed to the same loud noise and immediately given an electrical shock. Those rats froze in place because it just became personal. It wasn’t just a loud noise anymore: it now affected them clearly and directly.

But here’s the surprising part. Over time, those rats didn’t respond to either the loud noise or the electrical shock. They just continued going about their business. They had become conditioned to the noise and the shock.

These examples from the animal kingdom highlight two important difficulties we face in a crisis.

  • Firstly, fear causes us to freeze and this inability to act can be fatal.
  • Secondly, we can become conditioned to surprises – loud noises, electric shocks – and start to ignore them.

 

The model that we talk about at Kith is that speed is the major determinant of success in most crisis situations. For communicators that means filling in the vacuum of information as fast and as clearly as you can in a way that directly aligns with your mission and the values of the chain of command.

 

equation for crisis success

 

The problem is that in order to react quickly we need to overcome our fear so we need some degree of conditioning. However, we also need to avoid the second problem: becoming so conditioned that we are desensitized.

As I mentioned before, if you are in an industry or have been at a company that has been involved in these crises situations regularly, you might easily overcome your fear. But it is just as easy to hear a loud noise and not react.

This might be your competitor going through a crisis or reading something about a major change in your marketplace: you look up, evaluate it, maybe learn something, but decide it doesn’t apply to you and go about your business. You have become used to hearing the loud noises so you ignore them until the time you get an electric shock because it is your company this time.

Then you freeze.

The organizations that really excel in a crisis are those that can react to the stimulus, whether it’s a loud noise or a shock, overcome their fear and react quickly.

But how do we develop these skills for an executive team that has always been on the outer rings of the potential of crisis situations? Teams that might not have to do it every day but want to be prepared? How do we get ready? (Don’t worry, my solution doesn’t include lions or electrical shocks.)

The best way to prepare for this, in my experience, is some sort of simulation training to ensure that the team’s skills and responses are developed and can cope with stress. A well-prepared, challenging and realistic simulation will generate many of the same physiological and psychological pressures as a real incident. Even though no lives are on the line, the share price remains stable and the CEO is being interviewed by a tame journalist, I’ve seen simulations where people froze, cried and ranted, just as they would in reality.

This isn’t meant to be cruel, far from it.

By understanding what these pressures are like in a safe environment, people will be better able to overcome these difficulties in a real crisis and begin to act. This is what the military talk about when you hear them say the training just kicked in after an event. You almost stop thinking and just act: you’ve swapped the fear = freeze instinct for fear = act. Once you have overcome that inertia and initiated the first steps of your response, you can start to develop a more considered plan.

Another way to prepare is less intense but just as important. This exercise requires you to think about events as if these were affecting you. So when there’s a loud noise – you hear something about a competitor or read something in the newspaper – think ‘what if it was us?’.

  • Who would we get in the room to make decisions?
  • How would we respond?
  • How would this affect us today? (And how would this affect us tomorrow?)

 

It’s a simple stretching exercise that’ll make you better when you actually get hit with the stimuli. It’s also a good way to test the assumptions you have made in any contingency planning you might have already carried out for that kind of event.

Another way to do this is to have a risk-based discussion with your team to understanding the risks and issues that could impact your organization. This time, instead of relying on real events to prompt the ‘what if?’ question, you pose these to yourselves.

I’ve been in the room and felt this fear myself so I so empathize with leaders at companies who find themselves in these situations. It’s typically wholly unexpected and they are unsure of all of the facts. It is frightening to think of what could happen to this thing that we’ve invested our money, out time and our careers into and the implications that it could have. The fear is normal.

But these are also the situations where the stakes are simply too high for failure. If you are a corporate communication or senior leader at a company and you freeze, it could be fatal and every mistake is painful.

So as a counselor working with companies that find themselves facing a crisis – the equivalent of a loud noise or electrical shock – I know that the natural reaction is to be afraid and freeze. Where I add value is my ability to help teams overcome this inactivity and to get them moving, reassuring them that we’re going to get through this with a plan, a series of logical steps and actions that they need to take. This will allow them to address the situation, meet stakeholder expectations and answer the questions from those that matter most to them.

There is a moment in every difficult situation where we say, ‘Ugh, I wish this wasn’t happening to me’. That’s a natural reaction whether you are a CEO or a gazelle. And in both cases, whether survive you or not depends on how quickly you can overcome your fear, ignore that feeling and begin to act.

“I learned that courage was not the absence of fear, but the triumph over it. The brave man is not he who does not feel afraid, but he who conquers that fear.”

Nelson Mandela

The post Don’t be a gazelle – how to manage fear in crisis appeared first on KITH.

]]>
What about litigation? https://kith.co/what-about-litigation/ Tue, 04 Sep 2018 17:34:17 +0000 https://kith.co/?p=2580   In my experience, at some point in the discussions during a crisis someone will utter a phrase that will kill the conversation. “We need to think about litigation.” This sounds like a pertinent and important thing to think about but this statement is as useful as the head of communications saying ‘it’s blowing up […]

The post What about litigation? appeared first on KITH.

]]>
 

In my experience, at some point in the discussions during a crisis someone will utter a phrase that will kill the conversation.

“We need to think about litigation.”

This sounds like a pertinent and important thing to think about but this statement is as useful as the head of communications saying ‘it’s blowing up on Twitter: that’s to say, not very useful.

That might seem blunt but let me explain.

There is an ongoing, spirited dialogue between communicators and legal teams about what you can and can’t say in the wake of a crisis or critical moment. This is a natural and beneficial tension to have in the room.

Communications want to get ahead of the narrative and be proactive to allow you to tell your side of the story as quickly, clearly and honestly as possible. Meanwhile, legal will be pulling in the opposite direction, concerned that any statements made will be admissions of guilt or negligence opening the firm up to legal action.

The optimum approach lies somewhere in the middle: a dynamic, proactive communications effort telling as much as is possible, being steered by Legal where a statement may have other connotations or pull the company in a dangerous direction.

Unfortunately, this rarely happens.

Concern over litigation usually take over, making things overly reactive and cautious. This stymies your attempts to tell your story quickly, openly and honestly.  Instead you are slow, guarded and overly-nuanced. In some cases, organizations end up saying nothing at all.

However, in the same way that social media is just ‘there’, so is the threat of litigation.

There are multiple ways and places companies can face litigation in the US which make it impossible to get a complete picture but some of the numbers available are staggering. One report I saw recently identified almost 15,000 product liability cases being filed in Quarter 4 of 2017 alone.  That’s 125 cases each day. The same report also recorded 1,500 cases of commercial litigation and 5,600 employment cases all in the same quarter. (See the report.)

These eye-popping numbers simply reinforce my belief that if you have a public crisis, one that has been covered in traditional, social or trade media, it’s likely that formal litigation will be filed against you. It could be silly in its nature or it could be incredibly serious but whatever the case, you must be prepared for litigation.

So litigation is a real and present danger, particularly in a crisis, no matter what you do.  So the point is not to worry about if or when it happens, but to accept that it is likely and be prepared. However, holding back on your communications to protect your reputation won’t help and will tend to make matters worse.

And, even though I’m biased, this isn’t just the perspective of a communicator.

I worked closely with Home Depot during their 2014 data breach and their CEO at the time, himself a lawyer, made a similar case in a recent interview.

“This is where it helped being a lawyer because the help the lawyers will give you is not [going to] help. Because lawyers are going to say things like ‘don’t admit you did anything wrong because then you will be subject to litigation’.  But you need to understand that all that matters is taking care of your customers. So I actually [said] that nothing was going to be written by our legal team… it’s all going to be written by our person in charge of communications and all we are going to talk about is, as a customer, you are not liable and here’s what we are doing for you.  We decided to be really transparent and it’s really painful…but I think people appreciated that we were being transparent and focused on taking care of our customers.”

Frank Blake, former CEO of the Home Depot (full interview)

So, from a communications perspective, we need to keep in mind that no matter how careful, nuanced and legalistic our statements are on Day one, that won’t prevent someone bringing an action against you.

Of course saying things that can hurt you or are inaccurate must be avoided. Statements must be clear, honest and reflect your best understanding of the situation at that time. And if there is something you don’t know or cannot discuss, for example the exact cause of an event or the identities of those involved, just say so.

However, remember that something that is clear, open and honest to start with can seem evasive later on.  For example:

“At this stage it is too early to determine the exact cause of the event but we will be doing everything we can to get to the bottom of this. At this time, however, our focus is on the disruption this has caused and working with those affected to get things back to normal”

This statement would be understandable and widely accepted on Day One but this same statement will seem vague and evasive on Day 10.

But, this is exactly the kind of thing companies try to keep saying for as long as possible to avoid potential litigation.

However, not only will this not stop litigation, it might actually encourage lawsuits as people start to think that you are hiding something.  So while you need to avoid doing or saying anything that will attract litigation, your focus as a communicator is to tell your story as clearly and accurately to those who matter most, as quickly as possible.

So I think that the Day One strategy should be: ‘we need to do whatever we can to make the situation come to an end as fast as possible so that we can get back to our day jobs and doing what we’re intended to do’.

That means a rapid, open and honest dialogue with those who matter most alongside everything possible needed to bring any operational incident under control.  But this cannot be successful if everyone is second guessing themselves and holding back to avoid litigation – litigation that is most likely going to happen anyway.

Remember, the long tail of litigation will work itself out over time. The damage to reputation is felt today.

The post What about litigation? appeared first on KITH.

]]>
Are CEOs the weakest link in a crisis? They don’t have to be. https://kith.co/ceos-weakest-link-crisis/ Fri, 24 Aug 2018 13:59:25 +0000 https://kith.co/?p=2563 A recent article in the Harvard Business Review about CEOs and leadership found that 68% of CEOs weren’t fully prepared for the job.  One interviewee sums up the reason for this stark finding thus: “When you become the final decision maker, everything changes. It’s hard to train on this.”   Despite this high figure, the […]

The post Are CEOs the weakest link in a crisis? They don’t have to be. appeared first on KITH.

]]>
A recent article in the Harvard Business Review about CEOs and leadership found that 68% of CEOs weren’t fully prepared for the job.  One interviewee sums up the reason for this stark finding thus: “When you become the final decision maker, everything changes. It’s hard to train on this.

 

Despite this high figure, the CEOs reflected that they were very well prepared from a technical, day-to-day operational perspective.  These strategic and “running the business” components of the role came naturally, but the personal, interpersonal and accountability components were the piece that were missing.

 

While we can commiserate and perhaps empathize somewhat if we have found ourselves in a role that is new and unfamiliar, it is staggering that such a large number would feel unprepared.  After all, strategy and running parts of a business are not unique to the CEO’s role. Nor are personal or interpersonal relationships. So despite their years of experience, these CEOs felt unprepared for a position which in many ways should be an extension of their previous roles.

 

I have had the privilege of working with many CEOs over the years and my experience reflects these findings.  

 

Where I see CEOs as strong is with their strategy and business acumen; how to best run their business for superior performance for a quarter or for a year; how to manage teams to get the right talent in place to do the right things; making sure that the right products get to market at the right time to meet customer needs.

 

These are the strengths of a good CEO but all of those skills are focused on when things are going well.  But what about the skills required that are not a day-to-day requirement? What about the skills needed when things go wrong and, as CEO, the buck literally stops with you?

 

The times when things go wrong are the moments when CEOs are tested most.

 

Sadly, it’s been my experience working with some CEOs that they are generally under-prepared for these challenging times.  A crisis or critical moment is going to shape the reputation of their organization for the long-term but these situations happen rarely in the daily life of a CEO.  In this context, the CEO’s lack of experience is understandable: in fact, not having been part of a ‘real’ crisis may even be a sign of successful risk and crisis management practices in the past. And that is a good thing.

 

So what determines the success or failure of a CEO when they are tested like this?  I believe that it comes down to two things: preparation and leadership.

 

I will address preparation of a CEO in more detail in a separate article late this month as I have seen the benefits time and time again of preparation prior to an event.  Developing clear, simple plans, agreeing protocols and practicing as teams in realistic settings will pay dividends if a real event occurs. More on that later.   

 

But between these two, I believe that leadership is the key.  The phrase I love here (and use often) is

 

“The crucible of crisis doesn’t develop your leadership, it reveals it.”

 

Unfortunately, what it sometimes reveals is an underpreparedness for these situations when everything is going wrong.

 

The leader who can manage in the good times and navigate the bad is the leader that truly creates a reputation-resilient organization. It’s not easy to grow your reputation and it’s not easy to compete in a hyper competitive marketplace. In fact nothing about being a CEO is, or should be, easy.  This is a hard job.

 

But it is far more difficult to navigate through the disruption of crisis even when compared to the most difficult strategic decisions that companies face.

 

Obviously most of the decisions that a CEO has to make are difficult: that’s the singularity of their role.  If problems were easy, anybody could address them – as the old adage in US government goes, ‘nothing easy reaches the President’s desk’.  

 

But decisions in a crisis are an order-of-magnitude more complex.  Facts are in short supply, time is tight and careers – even lives – are on the line.   This is when the CEO really needs to come into the fore.

 

If you can keep your head when all about you   

Are losing theirs and blaming it on you…

IF – Rudyard Kipling

 

It is these reputation-defining challenges that make leaders who they are and determines how we remember them – for better or for worse.  How a leader performs in the most testing of times is always how we think of them whether they are from government, sport or business. A great performance will often seal their future success whereas a poor showing can be the beginning of their slide into ignominy irrespective of how they performed before or after the crisis.

 

So leadership is the key to this success or failure but the critical point to remember is that the crucible of crisis doesn’t develop your leadership, it reveals it.

 

And when it’s revealed, you don’t want to be surprised by what you see.  You need to make sure that you are as prepared as possible. There are specific crisis management skills to learn and lots of tactical pieces of advice such as being able to differentiate smoke from fire, to act swiftly but not become hurried and to stay focussed on the big picture.  These technical crisis management skills and specific tactics are important but cannot overcome a leadership deficit.

 

I believe that this was the biggest omission from the HBR article – preparation for when things go wrong.  

 

At the beginning of this piece I quoted a CEO who said “When you become the final decision maker, everything changes. It’s hard to train on this.”

 

I respectfully disagree.  

 

I have worked with and trained CEOs for the most testing of times and believe that if you can train for that, then you should easily be able to train for the day-to-day challenges of leadership.  These are two different skill sets but both can be developed to ensure that CEOs have the personal and interpersonal skill to make them better leaders at all times.

 

So you need to develop yourself as a manager and a leader for both the good times and the bad.  But please don’t wait until you are in the crucible to discover the kind of crisis leader you are.  By then it may be too late.

 

Links and references

The post Are CEOs the weakest link in a crisis? They don’t have to be. appeared first on KITH.

]]>
During a CRISIS – Who needs to be in the room? https://kith.co/during-a-crisis-who-needs-to-be-in-the-room/ Mon, 20 Aug 2018 14:55:26 +0000 https://kith.co/?p=2559 Who needs to be in the room when developing crisis response? ‘Is everyone here?’ It’s a pretty standard and innocuous question at the beginning of most meetings or conference calls but working out what we mean by ‘everyone’ during a crisis can be difficult.  Unlike a standard meeting, where there is a set schedule, agenda […]

The post During a CRISIS – Who needs to be in the room? appeared first on KITH.

]]>
Who needs to be in the room when developing crisis response?

‘Is everyone here?’

It’s a pretty standard and innocuous question at the beginning of most meetings or conference calls but working out what we mean by ‘everyone’ during a crisis can be difficult.  Unlike a standard meeting, where there is a set schedule, agenda and attendee list, crises can occur at any time and may be due to a wide range of situations. In a crisis, getting the right people to start tackling the problem ASAP is critical to success.

But who are these people?

Unfortunately, part of the answer is ‘it depends’ but in my experience, you can still plan ahead to ensure that the right people are available, aware and prepared to be part of the response.

The first key thing to ensure is that the people involved fall into one of two categories: decision-makers or subject matter experts.  Decision-makers – those with real authority within the organization – must be represented as, without their involvement, no actions can be taken.

However, the decision-makers won’t always have all the information they need on hand so ensure that the relevant subject matter experts (SMEs) for the situation are also there.  You will know who the decision-makers are in advance so that is easy but the SMEs will differ depending on the situation (this is the ‘it depends’ part).  Therefore, make sure each department and function has a few people identified and prepared to act as an SME.

Similarly, the size of the group will also depend on the situation.

I’ve been in conference rooms where we needed 15-20 executives to figure out what’s going on and what to say next. (BTW – it was a mess) Meanwhile, other firms had only three: the CEO, general counsel and someone responsible for external issues / communications.  While there is no set size for these teams, the key thing is to keep them as small as possible. Big teams will simply slow things down and it is too easy for large groups to become sidetracked but groupthink.

 

a note about too many

The second key element is to have people in the room that the CEO trusts, people that can make clear decisions and people that can keep their head when they’re in a crisis situation.  Lastly – and most importantly – these all need to be people who can actually get the job done.

Keeping these two key elements in mind will ensure that you have the right decision-makers being fed the necessary information in a proactive, solution-focused environment built upon mutual trust.  I have found this to be a great recipe for success. Lots of folks “think” they want to be in the room. But they don’t need to be in the room. Check in to see that you have the right people.

These are important guidelines as far as the type of person who needs to be in the room but let’s get a little more specific and identify some of the key people.

Obviously, as the key decision-maker and ultimate authority, the CEO or equivalent needs to be involved. (Although this is pretty obvious, you would be surprised by the number of times I have been told that the CEO will ‘join as needed. This could be culture or style but basic math makes things slow if the situation requires their involvement.

The other two main ‘players’ I suggest you always have involved are legal and external affairs. This ensures that the CEO always keeps the legal and external perspectives in mind as these are the areas where the biggest threats to the organization lie.

In addition to this core team of three, representatives from HR, finance, operations and safety / security are also commonly represented but their level and frequency of involvement will depend on the situation. You may also find that certain situations need other SMEs such as IT or compliance.

Two other participants I often see being overlooked are worth keeping in mind.

First, is the Chairperson or Board representative.  While they are not going to be in the room as such, the CEO needs to keep them in mind as they often have a say on how a major event should be handled.  They are also a vital source of advice and support for the CEO. Remember, crises are lonely times for the senior executive so having someone else to consult with candidly can be a great benefit.

The second group to think about is a small administration team or secretariat.  Although they won’t participate in decision-making, having a couple of people keeping detailed notes, logging actions and simply administering meetings will help immensely.

My final point would be to stress that the people listed here are the people you want around for strategy development and decision-making.  Who gets involved for other things will be very different.

For example, strategies thrive with robust, informed debate so have as many constructive people involved and use all the time you have available.  On the other hand, press releases and statements are strangled in committee. This slows your response down and results in reactive, rather than proactive, communications which will thwart your response.  Statements are best prepared by someone from the communications team with an SME to hand to help with accuracy and details. Releasing the statement still involves the senior leaders, but this is for their approval, not as additional editors.  So while the decision-making team will need to know what is in a statement, when it is being released and to whom, they shouldn’t be part of its development.

This leads on to a bigger topic of what the structure for an effective response looks like which I cover in the ‘Action’ section in Critical Moments.  I will tackle response structures in a later post but the main thing to keep in mind for now is that we are discussing the most senior decision-making team here and that there are several other parts to the response.

So although there is a degree of ‘it depends’ involved in this answer, I hope that you now have a better idea of who should be in the room when the CEO asks, ‘is everybody here?’.

Importantly, whomever these people are, they must be trained and prepared for this crisis role because the discussion they are about to be part of will be very different from what they are used to in day-to-day meetings.

The post During a CRISIS – Who needs to be in the room? appeared first on KITH.

]]>
What its like to work with KITH https://kith.co/working-with-kith/ Fri, 10 Aug 2018 16:54:29 +0000 https://kith.co/?p=2554 We are in the crisis business, which means we’re also in the business of risk evaluation and risk mitigation. Wouldn’t you love it if you could de-risk the hiring of a professional service provider — like a crisis and reputation management consultant? There’s a tremendous amount of unknowns in hiring a consultant. Most of you […]

The post What its like to work with KITH appeared first on KITH.

]]>
We are in the crisis business, which means we’re also in the business of risk evaluation and risk mitigation.

Wouldn’t you love it if you could de-risk the hiring of a professional service provider — like a crisis and reputation management consultant?

There’s a tremendous amount of unknowns in hiring a consultant. Most of you reading this I unfortunately don’t have a personal relationship.  You often don’t know what you’re going to get when you work with someone you don’t know.

One of the things we work with our clients on is “de-risking” or how can we lower their risk before a crisis hits. We prepared this FAQ as an aid to de-risk working with KITH.

The best way we grow our business is through referrals. People we have worked with in the past or friends we’ve developed a relationship with refer us to others who need a crisis simulation or are in need of rapid crisis response, and their referral opens the door, allows us to have a conversation, and see if there’s a fit.

But for those of you that have found us through the internet or have heard me speak somewhere, there’s a question of what’s it really like to work with this firm? In the spirit of that, we created the following frequently asked questions document. We took 14 typical, but sometimes provocative, questions and outlined the way we think and our approach to see if it’s right for you. My hope is that we can de-risk the relationship. It would be great if you feel compelled to pick up the phone and have a conversation. Crisis and reputation management is all we do – every day – and we would value the chance to have a conversation and meet.

I hope you enjoy learning a little bit more about KITH and learning a little bit more about me. I’ve shared this document with some members of my tribe and got direct feedback of, “Wow, we really learned a lot about you — that’s terrific.” So I hope you feel the same way. We’d love your feedback. Feel free to drop us a note with ideas and suggestions and other questions you want us to answer.

 

Click here to read our FAQs

 

The post What its like to work with KITH appeared first on KITH.

]]>
Embracing Social Media During a Crisis https://kith.co/embracing-social-media-during-crisis/ Tue, 07 Aug 2018 18:32:09 +0000 https://kith.co/?p=2552 “It’s blowing up on Twitter….” One of the phrases that I cringe at is ‘this is blowing up on Twitter’. I’ve been in a number of crisis situations where the person responsible for social media will run into the room, look at their iPhone, utter those fateful words and then disappear. However, as a crisis […]

The post Embracing Social Media During a Crisis appeared first on KITH.

]]>

“It’s blowing up on Twitter….”

One of the phrases that I cringe at is ‘this is blowing up on Twitter’.

I’ve been in a number of crisis situations where the person responsible for social media will run into the room, look at their iPhone, utter those fateful words and then disappear.

However, as a crisis strategist this is of very little use to me – I don’t have any context or an ability to evaluate whether that’s true or not. So, it’s not really useful information and certainly not enough to make a decision with.  Worst of all, it is a distraction and can cause anxiety with the rest of the team.

I understand that getting your arms around social media in a crisis is incredibly difficult but Facebook, Twitter, SnapChat and the like are just the latest examples of an accelerated media landscape.  Don’t forget, when 24-hour cable news came onto the scene, organizations had to quickly adapt to a news cycle that was no longer based on broadcasts at noon, 6pm and 11pm.

In the same way that organizations adapted to cable-news, we have to adapt to social media.  In fact, we shouldn’t just adapt to social media: I think we should embrace it, especially in a crisis.

Remember, social media allows you to quickly update the situation on a ‘one-to-many’ basis without the need for an intermediary like a reporter.  So, your organization’s Facebook page, Twitter feed or YouTube channel is a fast way to get your message out. Moreover, these channels often push newer posts to the top of a user’s feed, so they should automatically see the latest news.

The main thing to remember is that the basic tenets of good crisis communications remain, whatever your medium.

So the first thing is to articulate the facts.  Issue an initial statement and then update this regularly on a cycle that works for your organization and reflects the pace of the event.  This might be every half hour for something very dynamic and fast-paced like a fire or industrial accident. Conversely, something more slow-moving like a data breach might only need updates twice a day or even daily. Make sure that your announcements are as comprehensive as possible, articulating a beginning, middle and end where possible.

Even when the situation is developing gradually, and facts are emerging slowly, use social media to fill the vacuum with information as best as you can. This allows you to add layers of background information which put things into context.

These updates also provide an opportunity to reiterate your key messages.

As always, just be sure to exercise caution in what you say and avoid adding fuel to the fire by trying to say too much.  Only say what you know to be the truth at that point in time and don’t speculate. Law enforcement does a really good job of this, particularly when there is an active shooter situation.

Finally, don’t try to ‘win’ social media.

Remember, the goal is to communicate with those stakeholders who matter most, explaining your mission and values and doing it as quickly as possible. Social media is just another medium for this communication albeit one that is very fast-paced.  So don’t try to get ahead of social media. Determine and stick to a schedule that fits you and the situation.

And only engage in a back-and-forth on social media if you are sure that the person is a genuine stakeholder who has a credible point of view.   If you do plan to engage at an individual level, make sure you can commit the necessary time and resources to addressing their specific points before you start.  In short, if you wouldn’t have a discussion with someone in person, don’t do it on social media. Ideally take it offline and please don’t skirmish back forth for all to see.

So when you hear ‘things are blowing up on Twitter’, take a breath, get the facts and use social media to your best advantage.  Communicate directly with those who matter most, fill the vacuum with facts delivered in a smart, logical way and engage with prominent opinion formers to ensure your message gets across.

The post Embracing Social Media During a Crisis appeared first on KITH.

]]>
Trajectory of a Crisis: Are you prepared for what happens next? https://kith.co/crisis-trajectory/ Mon, 30 Jul 2018 23:08:56 +0000 https://kith.co/?p=2548 What I want you to do is look at the trajectory of a crisis shown below and look specifically for the dotted line. The dotted line is where most crisis response tends to stop. After something breaks — my least-favorite expression to hear in these moments is “It’s blowing up on Twitter!” — usually there […]

The post Trajectory of a Crisis: Are you prepared for what happens next? appeared first on KITH.

]]>
What I want you to do is look at the trajectory of a crisis shown below and look specifically for the dotted line. The dotted line is where most crisis response tends to stop. After something breaks — my least-favorite expression to hear in these moments is “It’s blowing up on Twitter!” — usually there are a set of rapid response tools that are deployed, and then the crisis plan is over.

I’m not necessarily saying this is a bad thing. You deal with the issues quickly and you hope it fades from memory relatively soon. But as you can see in the chart, there’s so much that happens after the dotted line — and often crisis communication approaches miss all that.

The bottom line for me in these situations is something I’ve been saying for years:

Crisis doesn’t develop your leadership; it REVEALS your leadership.

Let’s use one of the biggest crises of the last few years as an example — Larry Nassar at Michigan State University.

The Indianapolis Star has a detailed timeline of the Nassar tragedy, and it’s also covered in our webinar here:

 

 

As you can see in both sources, the basic timeline of the crisis breaking is around September 12-16, 2016 — that’s when things started to come out publicly. (On the Indy Star link, you can see that Michigan State relieved Nassar of clinical and patient duties on August 30th, underscoring that they probably knew what was coming.) He was officially fired on September 20 — so roughly four days into the crisis.

From September-November, the crisis was relatively managed along the lines of “We fired him, we’re investigating further.” In the winter, though, everything began to blow up again — in December Nassar was indicted on federal child pornography charges, then in January 2017 18 new victims came forward, then Texas charges emerged later that month, and federal officials added new charges in February.

Here’s where we come to the crisis of leadership. In that January 2017 filing with the 18 new victims, the lawsuit alleges that twice — in 1999 and 2000 — alleged victims raised concerns to MSU coaches or trainers and that the university conducted no investigations.

MSU hired a former major Chicago prosecutor, Patrick Fitzgerald, as a special investigator in this case — then totally botched the transparency side of what needs to be done in these situations. They essentially wanted Fitzgerald to both examine and defend what happened, according to The New York Times — and in late 2017, they even claimed the internal probe report didn’t exist. There’s also this:

A look at the contract with Patrick Fitzgerald’s law firm, which was obtained by The Detroit News, indicates he was brought on to do just the opposite. Fitzgerald is being paid $990 an hour to help shield the university from legal liability in the lawsuits filed by 150 victims of Dr. Larry Nassar.

Again: crisis doesn’t develop leadership. It reveals it.

This is how bad it got: one of his victims, in an emotional testimony, said that Nassar was “a symptom of the very sickness that plagues the very core of Michigan State University.”

Michigan State/Nassar was a situation handled very badly, but it illustrates how you need to actually walk through a crisis — specifically thinking about Rounds 2 and 3 as opposed to just Round 1 (the initial flash point). Michigan State was completely flat-footed when it came to the period that commenced in December 2016 with the new slate of allegations.

You need to see around corners and predict what’s next. Pattern recognition is the key to advanced crisis management. In the Nassar example, the August 30th relieving of duties before the September 12 initial story broke means they clearly knew the pattern was there. They needed to know all the steps that would come in an avalanche — and it looks like they didn’t. The end result was a tarnished brand and a $500M payout to the victims.

There is a predictable set of events that transpire in every crisis, and that’s what is important to understand when you face one. And oftentimes, the base equation looks like this:

If you know your core values, have a clear chain of command, and can see around those corners/recognize patterns, you can usually deal with issues quickly (the initial flash points) and then brace for how the trajectory will unfold. MSU did not. As you’d expect, their President lost her job — and the brand of Tom Izzo, their legendary basketball coach, was also tarnished. (Football could be the next domino to fall.)

Don’t be Michigan State. There is a better approach.

 

The post Trajectory of a Crisis: Are you prepared for what happens next? appeared first on KITH.

]]>
Sorry doesn’t have to be the hardest word https://kith.co/saying-sorry/ Tue, 24 Jul 2018 05:20:41 +0000 https://kith.co/?p=2517   It should not be so hard for companies to “Sorry.”   Recently, I was mulling over the different responses I normally see during a crisis meeting if the CEO asks, “What happens if we just apologize?”   General Counsel: panic.   “No. We can’t do that. We can’t accept blame because of the implications […]

The post Sorry doesn’t have to be the hardest word appeared first on KITH.

]]>
 

It should not be so hard for companies to “Sorry.”

 

Recently, I was mulling over the different responses I normally see during a crisis meeting if the CEO asks, “What happens if we just apologize?

 

General Counsel: panic.  

“No. We can’t do that. We can’t accept blame because of the implications it’ll have on us in litigation.”

VP of Communications: enthusiasm.

“Absolutely. We have to apologize, and you personally, Mr. CEO, is the one that has to do it but let’s be careful about the exact wording we use.”

VP of Operations: hesitation.  

“What are we apologizing for? We still don’t know what happened in this situation.”

 

Situations like that play out in most crises situations that I’ve been involved in. Companies repeatedly debate and wordsmith the details of what they say in statements to the media but often they fail to simply say, “I’m sorry” when it’s appropriate.

 

And I got to thinking that maybe Elton John was right.  Maybe sorry is the hardest word to say.  But why?

 

There are lots of reasons for not saying sorry and the General Counsel’s view above is just one of them.  In addition to the concern that saying sorry admits fault, there may be cases where the company thinks it has apologized but never actually uses the phrase “I’m sorry”.  At other times, the company may genuinely feel that they are not at fault.

 

Whatever the case, my advice is that when you have been part of something that has caused loss, damage, disruption or hurt, strongly consider saying sorry.

 

Exactly what you are saying sorry for relates to the event itself and we can use my basic risk framework to help understand this.

 

spe risk framework

I use this framework to look at the type of risk that the company has encountered before they take that big step of actually apologizing.  This helps me determine if they are dealing with a strategic, preventable or external risk as each of these will be handled slightly differently.  Each still requires someone to say “I’m sorry” at some stage but let’s see how the exact approach might differ.

 

A strategic risk is a risk that you took intentionally to achieve some strategic benefit.  Assuming that you have an appropriate reputation mindset, practice effective outreach and communicate with those involved, the fact that you are taking this risk shouldn’t be as much of a surprise as you announced this in advance.  Moreover, you were (hopefully) taking the risk for the right reasons – to improve the organization and how it serves others.

 

However, trying to do what you perceive as a good thing, even something as simple as giving away a free album, can backfire.  In the case of a strategic risk, you need to explain what you were trying to achieve but admit you got it wrong.  ‘We are sorry we got this wrong. This is what this change was intended to do.  Here are the reasons why we thought it was a good thing and here are third parties who think so as well.  Here’s how we are going to fix this.

 

Preventable risks, on the other hand, are risks where there is zero tolerance from those affected, from the public, or from regulators and the authorities.  These were not risks you took to improve things, but rather risks that you neglected to do anything about that could have been prevented. In this case, you are at fault and owe everyone an apology.  So you have to apologize and be as honest and forthcoming about what happened because people need to know what you are going to do and what they need to do. And clearly explain how you are going to fix it.

 

And the faster you can do this the better.

 

For example, if there is a contaminated product in the market, there are two parts to the recall.  The first is the company’s efforts to recover all the product that exists in the supply chain through to the point of sale.   The second is by consumers who need to check their shelves and to return or destroy any suspect product. Remember, a consumer cannot be contaminated by something that remains in the supply chain so this second public effort is critical.

 

The hardest thing with a preventable risk is that you are entirely at fault: you messed up and this is a hard thing to stomach.  Unfortunately, you still have to confess your mistake, no matter how hard this is. Avoiding saying sorry, or blaming someone else, will only make matters worse.

 

By the way, whether you say ‘sorry’ or not will have no impact on likelihood of litigation.  I have come to the conclusion that it is not a matter of if you get sued, it is when in the process do you get sued.

 

Finally, for external issues you are apologizing from a position of empathy because you are likely also affected too. External risks come from outside your organization and fall into the force majeur category which can include active shooter situations or severe weather.  In these cases, you are apologizing in recognition that you cannot continue with ‘business as usual’ but will do whatever you can to get things back up and running as quickly as possible for those who matter most. Power companies in the northeastern US have to go through this every winter as they try to restore service to areas that are blanketed with snow while their own crews may have no power at home and struggle to get to work.

 

Therefore, the type of risk will determine how you are saying sorry but that doesn’t remove the basic need to actually apologize. So, whatever the situation, there is still a need to say sorry as clearly and as early as possible.

 

Despite that, in late 2017 and early 2018 Facebook, Wells Fargo and Uber have all shown that sorry is still the hardest word. During this time, these companies spent millions of dollars trying to atone for past behaviors and trying to win people over with highly produced brand boosting ads. However, a lot of this spending took place when a simple ‘I’m sorry, we are going to fix this’ at the outset, along with a genuine attempt to solve the problem, could have fixed everything.

 

However, even when an apology is issued, a second problem often arises. Instead of clearly saying sorry, what actually happens is that the organization issues a non-apology.

 

The non-apology is easy to spot because it is followed by ‘if’ or ‘but’.  Adding caveats waters down the apology but worst of all, this can end up transferring blame to those who were affected. For example, if your CEO is caught on tape being abusive, racist or sexist, saying “We are sorry if anyone might have found these comments unacceptable” sounds a lot like the problem isn’t with the CEO, but the listener’s overly-sensitive ears.

 

The other non-apology flat out tries to shift blame.  This is what we saw with the earliest statements after the Deepwater Horizon disaster in the Gulf of Mexico where BP seemed to be trying to pin everything onto the rig operator.  A non-apology also happens when the company lets too much time pass before saying anything. That was United’s problem after a passenger was assaulted and dragged off one of their aircraft. It took United two statements and an internal memo before the CEO actually came out and made an apology.  The phase ‘a day late and a dollar short’ comes to mind here.

 

When you get to that stage of apologizing, there is a simple three-recipe for an effective corporate apology.

 

First say you’re sorry.  Take responsibility, be clear, be sincere, and do it quickly. And make sure that the most senior person in the organization makes the apology in person – a press release or front-page ad alone just won’t cut it. This is when the CEO must step up.

 

Second, quickly appoint a special committee/group to look into the situation, cooperate with investigators and make an honest attempt to find out what went wrong. If it is pretty straight forward jump to #3 and just fix it.

Third, fix the problem(s).  Announce the changes to policies, practices or personnel which get at the root of the issue and ensure that these changes are implemented.  Only when notable change has been enacted can you really say that the apology is complete. Like a promise, it only matters if you keep it.

 

So be clear, say sorry and, most importantly, follow up and fix the problem.  Otherwise, a half-hearted or non-apology is worse than saying nothing. This is when your reputation is destroyed and the cases where the litigators win.

 

That standard model has worked for years when companies truly did something that they simply should not have done. So make sure you understand your risks, talk about these with your team and work out what you might have to apologize for and how would do it.  That will allow you to be fast, apologize when you have to, empathize when you need to, but communicate in a way that allows you to tell the stories that are most important to you.

 

The post Sorry doesn’t have to be the hardest word appeared first on KITH.

]]>
The Risk Whisperer https://kith.co/risk-whisperer/ Thu, 19 Jul 2018 05:15:16 +0000 https://kith.co/?p=2515   The Chief Information Security Officer (CISO) gave his update to the group. ‘Someone accessed our user database with a set of compromised access credentials they obtained through phishing attacks. We think we’ve lost some PII and unhashed user login info. Unfortunately, it looks as though they also corrupted some of the logs in the […]

The post The Risk Whisperer appeared first on KITH.

]]>
 

The Chief Information Security Officer (CISO) gave his update to the group.

‘Someone accessed our user database with a set of compromised access credentials they obtained through phishing attacks. We think we’ve lost some PII and unhashed user login info. Unfortunately, it looks as though they also corrupted some of the logs in the SIEM and UEBA systems so we will struggle to work out what happened and identify malicious activity until we can reinstall the last stable instance of the database.’

As he finished, the CISO looked around the group, and received blank stares in return….

——

I don’t know about you, but as a crisis communicator, I’ve been forced to learn the nuances and details of all kinds of technicalities, FAST. Our role is to explain the intricacies of an event to a skeptical and worried public in a way that is clear and understandable, but also in a way that allows them to make appropriate decisions.

This has always been a challenge with anything technical but cybersecurity and data breach issues take this complexity to a whole new level. Therefore, to be effective as communicators, we need to stay up to date on technical issues but in addition to our own knowledge, we are reliant on subject matter experts. Unfortunately, this only works where we can communicate effectively with other teams which isn’t always the case.

And that’s the real subject of this article: how can we ensure that teams can communicate effectively when the subject at hand is very technical?

For example, we were recently engaged in a situation where we had three separate ‘war rooms’ set up to deal with a potential data breach. There was a legal war room, an IT war room, and a communications war room. We advocated for one single war room, coordinating and focusing all the activities associated with the response, but the company decided to set up the three teams with information shuttling between each room, virtually as well as physically.

This added a lot of procedural friction on top of something that was already complicated. But what it also did was hinder everyone’s understanding of what was happening. Worst of all, when teams did interact, we would have conversations like the one I recounted at the start of this article. The result: confusion.

One role that I had never thought about before became critically important in that situation. This was the go-between from the IT team who liaised with the other war rooms.

We nicknamed this person the ‘Risk Whisperer’.

In this case, the ‘whisperer’ was a cybersecurity expert who moved between the IT, legal and communications war rooms, explaining the technical response but in a way that everyone could understand. This ensured that everyone had the information they needed for their own decision-making and that teams could coordinate more effectively. This was highly effective and overcame many of the other issues we had running three separate teams.

That success caused me to think about the risk whisperer role in more detail and try to define it more specifically.

In my mind, the whisperer is a subject matter expert who has a deep understanding of the technical issues but can translate all of the specialist jargon and complex concepts into layman’s speech. Their role is to explain to other teams what is happening and the potential consequences of the event in a way that they can understand and use for their own planning purposes. In turn, the whisperer also takes the issues and concerns of other teams back to the technical team so they understand the wider response.

It is important that we remember everyone has their own jargon. So while we might be comfortable as communicators talking about stakeholders, issues versus incidents and deciding if we should conduct a down-the-line or face-to-face interview, others will be baffled by these terms.

This highlights that every team needs their own whisperer but not everyone will be suited to this role so I identified four key characteristics that you should look for when you choose a risk whisperer.

The first thing is that the person has to be a true subject matter expert. They have to have the credentials, the knowledge and really understand the topic at hand. Although this article uses the example of cybersecurity, there are many other highly complex issues such as food safety, health care delivery, financial regulations or infectious disease.

However, although the start point is selecting a real subject matter expert, that’s not all that is required.

The second requirement is that the whisperer has to have the ability and patience to explain complex, multi-layered issues in a simple, clear way which is still technically accurate. That links directly back to their subject matter expertise and I believe that those who truly understand something are the people that can really explain it best. But this need for technical accuracy is also important because the whisper’s role is not to dumb things down or gloss over the facts as other technical experts will still hear and read what the organization says about the event. Rather, their job is to explain things in a way that both the layperson and expert will understand what is happening.

Remember to not overlook the need for patience, especially in a crisis. People will quickly become frustrated trying to explain things to people who ‘just don’t get it’, particularly where time is tight. The risk whisperer may have to repeat the same thing to different teams over and over but a little patience, and taking the time to ensure that everyone understands the situation, can be the difference between the success or failure of the response.

The third thing that the whisperer needs is the confidence and force of personality to ensure that their perspective is heard and understood. Everyone will have an opinion about what critical information to share versus what is merely background. But there may be points which appear mundane to the layperson which are still technically relevant to the situation. The risk whisperer needs to ensure that these critical points aren’t cut from any messaging so that external subject matter experts still hear what they need to hear.

The fourth and final characteristic is that the person needs to be a good presenter themselves. When you think about an effective ‘talking head’ on television explaining a complex topic, they understand the very small window they have to explain something complicated. They will be adept at creating the right 8-20 second ‘sound bite’ as they’re answering the interviewer’s questions. Even if they aren’t called upon to show up on TV, the risk whisperer needs to be able to present information clearly and in bite-sized pieces (or in the case of cyber, byte-sized pieces) which will be easier to consume and understand.

Many subject matter experts have spent their whole career building their knowledge and expertise but without these other characteristics of patience, confidence and an ability to present, they won’t be an effective risk whisperer.

So the next time you are a crisis situation that has significant complexities, whether these are IT-related, legal matters, concern food safety or deep-water drilling, identify who is going to be the risk whisperer as early as possible. And remember, we have our own communications jargon and technicalities so make sure you practice what you preach.

——

The CISO’s deputy saw the blank stares and smiled. She looked at her boss who gave her a nod before she turned to the group.

‘OK. Let me put that in a different way. So what happened was that someone posing as an employee sent emails to staff to try to get them to reveal sensitive personal details. It looks as though they were able to get enough information on one person to recreate their ID and password to access the user database. It looks like they have downloaded a lot of personal information such as names, addresses, and emails along with these users’ login IDs and passwords. This data was not encrypted so everything they have is readable in plain text.”

She paused and seeing the team nodding in understanding, continued.

“We have two systems we use to monitor activity. The SIEM monitors our own IT system and the UEBA tracks user activity. Both are designed to detect unusual behavior but it looks as though the attackers have interfered with these systems too so we can’t identify what is normal versus abnormal behavior at the moment. We have a backup of these system logs which we know is unaffected and we will be reinstalling that later today which will allow us to start monitoring the system again.’

This time, instead of blank stares of confusion, the CISO and deputy saw that the communications team’s thoughts were already turning to how they were going to address these issues with customers and the public.

The post The Risk Whisperer appeared first on KITH.

]]>