CIOs under fire and in front of the camera

By Zach Church, News Writer
16 Apr 2008 | SearchCIO-Midmarket.com

There's no mistaking the CIO during a data security breach. He's the guy scrambling to figure out what happened and how to rectify the problem. But it appears the days when the CIO was the scapegoat for a breach are behind us. In fact, some experts suggest that the CIO is the best executive to handle questions from the media in the event of a data leak. If the idea catches on, CIOs could find themselves in front of the camera, instead of facing a firing squad (although it may seem like the same thing).

And they need to be ready.

With 42 states (as of press time; see sidebar) requiring public notification in the event of a data security leak, how a company handles itself is critical. Running from the TV cameras and print reporters could negate all the business value that comes from a swift, lawful notification process. In most cases, it's the public relations executive handling the press. The CIO is tucked behind the scenes.

Jim Maloney, president and CEO of consulting service Cyber Risk Strategies LLC in Santa Fe, N.M., said companies might want to rethink that strategy.

"I think [customers] would appreciate it if the CIO, the CSO were the spokesperson as opposed to the PR person. I think they'd like to see that person up front facing the music," he said. "It can send the wrong message if it's marketing or PR."

Putting a CIO out front as a media contact could be a good idea, said Mark Bernheimer, principal at Los Angeles-based MediaWorks Resource Group, a media training agency.

Data notification laws
Arizona
Arkansas
California
Colorado
Connecticut
Delaware
Florida
Georgia
Hawaii
Idaho
Illinois
Indiana
Kansas
Louisiana
Maine
Maryland
Massachusetts
Michigan
Minnesota
Montana
Nebraska
Nevada
New Hampshire
New Jersey
New York
North Carolina
North Dakota
Ohio
Oklahoma
Oregon
Pennsylvania
Rhode Island
South Carolina
Tennessee
Texas
Utah
Vermont
Virginia
Washington
West Virginia
Wisconsin
Wyoming
District of Columbia
Source: National Conference of State Legislatures

But allowing a CIO who lacks media savvy to speak for the company is a bad idea.

"C-level executives have to always remember they can do everything the law requires and do exactly what the law requires of them and simultaneously lose the PR battle," said Bernheimer, a former CNN reporter. "If this is going to be a case where it's only a matter of time where it becomes a public matter, then it's much more advantageous to come from the company itself than from a furious customer or authorities."

By leading the IT department, Maloney said, CIOs are uniquely qualified to speak accurately about exactly how a data breach occurred and how the company has since secured itself. The presence of the top IT officer would ideally add a weight of authority to the company's public comments.

As with the legally mandated notification, a company spokesman will have to speak accurately without giving out more information than is necessary to inform the public and assure customers that the company is back in control.

But Bernheimer said the preparation of a media plan can't be reactive. There simply isn't enough time after a data breach to determine who will speak for the company and prepare that person for challenging confrontations with reporters.

Fess up, clean up, don't let it happen again

Bernheimer said a data breach response should contain three elements:

  • The company must first take responsibility for what has happened, a tricky line to walk if there is potential for litigation.
  • The spokesman must be able to show the company knows and can explain what has happened. That's where Maloney said the CIO could make a positive impression.
  • The company must also explain how it will stop a data breach from happening again, another spot where the top IT officer carries weight.

Media training programs like Bernheimer's usually consist of a day of training, as well as time for follow-up consultation. At MediaWorks, C-level executives face professional television cameras and Bernheimer pelts them with tough questions. Executives learn how to carefully phrase answers to questions and find where reporters might "cut you some slack," Bernheimer said.

But as with all other aspects of a data breach response and notification, media training for CIOs is moot if it isn't conducted before a breach actually occurs. In the wake of a data breach, the deadline-driven media world won't wait for a company to train executives on how to answer questions.

"In many ways, it's too late," Bernheimer said. "The perception is they've waited to level."
