Article

CIOs under fire and in front of the camera

Zach Church, News Writer
There's no mistaking the CIO during a data security breach. He's the guy scrambling to figure out what happened and how to rectify the problem. But it appears the days when the CIO was the scapegoat for a breach are behind us. In fact, some experts suggest that the CIO is the best executive to handle questions from the media in the event of a data leak. If the idea catches on, CIOs could find themselves in front of the camera, instead of facing a firing squad (although it may seem like the same thing).

And they need to be ready.

With 42 states (as of press time; see sidebar) requiring public notification in the event of a data security leak, how a company handles itself is critical. Running from the TV cameras and print reporters could negate all the business value that comes from a swift, lawful notification process. In most cases, it's the public relations executive handling the press. The CIO is tucked behind the scenes.

    Requires Free Membership to View

    Login

More on security breaches
Top IT execs could take heat for TJX breach

CIOs take heat for security snafus
Jim Maloney, president and CEO of consulting service Cyber Risk Strategies LLC in Santa Fe, N.M., said companies might want to rethink that strategy.

"I think [customers] would appreciate it if the CIO, the CSO were the spokesperson as opposed to the PR person. I think they'd like to see that person up front facing the music," he said. "It can send the wrong message if it's marketing or PR."

Putting a CIO out front as a media contact could be a good idea, said Mark Bernheimer, principal at Los Angeles-based MediaWorks Resource Group, a media training agency.

Data notification laws
Arizona
Arkansas
California
Colorado
Connecticut
Delaware
Florida
Georgia
Hawaii
Idaho
Illinois
Indiana
Kansas
Louisiana
Maine
Maryland
Massachusetts
Michigan
Minnesota
Montana
Nebraska
Nevada		New Hampshire
New Jersey
New York
North Carolina
North Dakota
Ohio
Oklahoma
Oregon
Pennsylvania
Rhode Island
South Carolina
Tennessee
Texas
Utah
Vermont
Virginia
Washington
West Virginia
Wisconsin
Wyoming
District of Columbia
Source: National Conference of State Legislatures

But allowing a CIO who lacks media savvy to speak for the company is a bad idea.

"C-level executives have to always remember they can do everything the law requires and do exactly what the law requires of them and simultaneously lose the PR battle," said Bernheimer, a former CNN reporter. "If this is going to be a case where it's only a matter of time where it becomes a public matter, then it's much more advantageous to come from the company itself than from a furious customer or authorities."

By leading the IT department, Maloney said, CIOs are uniquely qualified to speak accurately about exactly how a data breach occurred and how the company has since secured itself. The presence of the top IT officer would ideally add a weight of authority to the company's public comments.

As with the legally mandated notification, a company spokesman will have to speak accurately without giving out more information than is necessary to inform the public and assure customers that the company is back in control.

But Bernheimer said the preparation of a media plan can't be reactive. There simply isn't enough time after a data breach to determine who will speak for the company and prepare that person for challenging confrontations with reporters.

Fess up, clean up, don't let it happen again

Bernheimer said a data breach response should contain three elements:

  • The company must first take responsibility for what has happened, a tricky line to walk if there is potential for litigation.
  • The spokesman must be able to show the company knows and can explain what has happened. That's where Maloney said the CIO could make a positive impression.
  • The company must also explain how it will stop a data breach from happening again, another spot where the top IT officer carries weight.

It's much more advantageous to come from the company itself than
from a furious customer or authorities.
Mark Bernheimer
principalMediaWorks Resource Group
Media training programs like Bernheimer's usually consist of a day of training, as well as time for follow-up consultation. At MediaWorks, C-level executives face professional television cameras and Bernheimer pelts them with tough questions. Executives learn how to carefully phrase answers to questions and find where reporters might "cut you some slack," Bernheimer said.

But as with all other aspects of a data breach response and notification, media training for CIOs is moot if it isn't conducted before a breach actually occurs. In the wake of a data breach, the deadline-driven media world won't wait for a company to train executives on how to answer questions.

"In many ways, it's too late," Bernheimer said. "The perception is they've waited to level."

Let us know what you think about the story; email: Zach Church, News Writer

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top