Professional Accountability
Shareholder Communications in Crisis and Non-Crisis Situations
Every organization has shareholders or stakeholders involved with, or having a stake in, its operations, procedures and ultimate financial or citizen-facing results. As information technology is used in almost every business environment, shareholders are aware of the benefits and risks, and want to be kept current about good news and bad news. When operations are going well with few and normal problems, issuing routine reports and e-mail updates every week or two is a reasonable frequency. However, should an information security breach occur causing organizational financial or legal exposure, shareholders require a very high level of communications with and between executives and senior management. The IT organization needs to establish four dimensions of communications:
- Identifying shareholder and customer expectations
- Establishing direct communication channels
- Developing the message
- Managing the message
IT executives and senior managers have the same problem as elected politicians: cutting through the noise to answer questions and provide information. In today's 24-hour news cycle environment, almost anything occurring in the world can turn good news cold, and bad news hot. It is a fact of life that shareholders and customers collect and review information on a 24x7 basis and compare the media-provided information against management reports to understand the differences, if any. During times of crisis such as a major security breach, accidental release of customer files or information, loss of data during a storm, or the inability to handle high volumes of sales data, the volume of information impedes understanding exactly what is happening or happened. Complex problems must have simple explanations to gain political and shareholder support (which is often very difficult).
Here is a multi-prong approach for communicating both positive and negative information to shareholders.
Dimension 1: Identify shareholder and customer expectations upfront
- Learn the Why (Why are they interested in this situation?)
- Define the When (What triggered their interest?)
- Identify the Who (Exactly who is interested?)
- Provide the How (How are they reacting or responding?)
- Read hidden agendas (Why are some people upset and not others?)
- Bridge the client-shareholder gap (Put yourself in both of their shoes.)
Ask questions to extract answers if information is not volunteered or easily available. Listen to who is speaking, and understand why others are listening. Determine who enjoys the largest benefits or advantages and who has the smallest gains. Confirm your assumptions with all parties, as details may not be obvious.
Dimension 2: Establishing direct communications channels
Why is this important? To avoid filtering or miscommunication of your message by others who may not have all of the information you may have. Communicating directly creates a single project voice that reduces the amount of confusion created by multiple perspectives for both good and bad news.
How can this be established?
- Publish a monthly IT security newsletter
- Build an organization IT security Web site having daily updates
- Become the voice all the time, everywhere
- Respond to questions on good news fast, and bad news faster
Dimension 3: Develop the message
Know your audience: know what gets them interested and invested. Create a message that has a "What's in it for them" perspective from both the good news and bad news perspectives. If shareholders or customers will benefit from security improvements, let them know. If they will be negatively impacted financially or legally, let them know.
Good messages reach through to the core issues faced by shareholders (image, financial impact and future growth) and customers (information privacy exposure, total loss, or access constraints). Learn what they get asked about from their customers or investors so that you can use their terminology. Keep the message brief and focused, and exclude specific dates, dollars or short-term issues that you are unclear about.
With good news, tell everyone why everything is going well, and the benefits or advantages to be recognized. With bad news, identify who is affected and who is not, possible causes, and possible solutions.
Dimension 4: Manage the message
Determining the frequency, methods to use and opportunities to present updates to your message are key management decisions. With good news, announcements can usually be established to accommodate everyone's schedule. With bad news, there is never a good time to update shareholders and customers. The earliest a message can be presented is probably when there is enough accurate information to explain what happened, why it happened and what corrective action plans are being started. Having accurate information is better than providing speculation based on fast-changing assumptions.
If updates will be needed, tell the audience when they will be provided and in what format (presentation, e-mail, voicemail, Web site posting, etc.).
External factors may have an impact on the IT security scope and resources, which should be mentioned to shareholders and customers during presentations. There are situations that are completely outside any plausible planning events or scenarios, such as the September 11, 2001 attacks on the New York World Trade Center and the Pentagon.