EPISODE 37
Cyber risk and public relations


About this episode

October 1, 2019

Kip Boyle, CEO of Cyber Risk Opportunities, talks with guest Casey Boggs about how to manage cyber risk with good public relations.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, cybersecurity counsel at the law firm of Newman DuWors. Visit them at cyberriskopportunities.com and newmanlaw.com.

Kip Boyle: Hi everyone. Jake is on vacation this week, but don't worry because we have a fantastic guest who you will really enjoy meeting. Today, we're going to talk about how to protect one of your most valuable assets during a cyber crisis. And that's your reputation, quite possibly your number one digital asset. We're going to do that with the help of Casey Boggs. He's the president of ReputationUs, which is based in Portland, Oregon. Casey has a strong track record of protecting valuable reputations. Casey, welcome to our podcast.

Casey Boggs: Oh, thank you very much. Very glad to be here. Thank you.

Kip Boyle: Now, Casey, you've been an entrepreneur in the public relations space since 2007. Is that right?

Casey Boggs: That's right. Yeah. Got the business bug at that time, and really been enjoying the process, learning quite a bit about the ins and outs of businesses, but smitten by the business, but also a PR practitioner for over 25 years.

Kip Boyle: Well, my path is very similar. First, I was in cyber risk management and then I became an entrepreneur and there's so much to learn beyond what my technical specialty is, but that's okay. I enjoy that. I like being an infinite learner. How about you?

Casey Boggs: I think the most exciting thing I've done though within the business world is just meeting other people. As a technician in-house or with another agency, I don't think I've ever had the access that I had as an entrepreneur. And that's been my favorite part of it, frankly, that I get to meet people who are doing the same thing, grinding it out, but also too just as far as finding experts in their particular field, such as your world as well. So it's been a great journey. Love to do it. It's not easy, but certainly a fun journey nevertheless.

Kip Boyle: Now, Casey, one of the things I know about your work history is you had an amazing experience helping a very large insurance company called AIG through a very rough time with public relations, with an episode that was going on with them. Would you tell us about that?

Casey Boggs: Sure. You're right. So I was a director of PR for AIG and before the implosion happened with the crisis of 2008, I was brought in even earlier around 2003, 2004. It was funny I skipped that I was brought in to play offense, meaning in the world of public relations, you either are a promoter or a protector. I was brought out for the most part to share all the great services and the wonderful opportunities at AIG. So a lot of the many different variations of the products that they actually have specifically in the financial services world, that was my job. But when I came on, immediately there were issues. Not so much with issues with AIG, but things that we needed to deal with.

One of them was the ouster of their CEO, Hank Greenberg, and Eliot Spitzer dilemma. So, that was my first array of crisis management. Then it bled into other pieces where reporters are asking all the right questions, are you guys too big to fail? Are you too broad and diversified in your offerings? Are you beyond insurance at this point? So it became an exercise in listening to what the public sentiment was, as well as addressing it. And then later on, that obviously bled to the financial crisis as well, which I saw at the very beginnings of that. It was a wonderful experience, 12, 15 hour days and learned quite a bit. So I cut my teeth into crisis management, reputation management really, and how to communicate, not only to the media, but also too internally as well.

Kip Boyle: Now, Casey, when you told me this story originally, all I could think was, oh my goodness, Casey ran into a burning building. Who does that? Most people stand back and wait for the professionals, but that's what tells me you are professional. I really admire that about you. That's, I think, what makes you very well qualified to explain to our audience how public relations helps in a cyber crisis like a data breach. So please tell us more about your background and about the work that you do today.

Casey Boggs: Sure. So, thank you for that. In fact, a lot of the findings of ReputationUs came through the work at AIG. When we were in the thick of the crisis, we were brought in from a communication side to first understand what the problems are, understand the audiences we needed to communicate to. But what we found there is that reputation was one of the first times I actually heard the word to this capacity saying, Hey, how will this affect our reputation? I didn't know what that meant. So I looked at it from that lens points and I participated to saying, "Okay, how is this going to affect our reputation?" So [inaudible], what is reputation? When I uncovered it a little bit further, I did figure out distinction between brand and reputation.

I'll try to do my best to describe that in a succinct way here. But as I found out that brand is really what you say about yourself. So all the things that you develop with your logo, your website, everything about your business, your people, your product and your service, everything you say about yourself, that's your brand in my definition. Reputation is what other people say about you. And it's really challenging during a crisis. A cyber security incident is when you start looking at it that, Hmm, how will this affect a reputation?

I just translate that saying, what will people say? How will people react? What are the perceptions here? What are the things that we want to make sure that we are very clear in what we're trying to accomplish here? For instance, if it's an incidence, it's potentially a reputation issue or the malicious actors are attacking your reputation or exacerbates the issue that, if you potentially have a bad reputation, a cyber attack might actually make things worse. So when I see reputation, I look at from the lens of what potentially are other people saying about you inside your organization, outside your organization, and what can we do to safeguard that valuable, valuable reputation?

Kip Boyle: Casey, tell me, is there a relationship between brand, which is what companies broadcast out to the world, and reputation, which as we're learning is something that other people say about you? Can I manage my brand in a way that actually enhances my reputation?

Casey Boggs: I think so. If you look at a business, if you look at it from three perspectives, I think all businesses have it. And it's not necessarily my thinking, but in general, businesses are made up of their people, their product and their process. People, the product, and the process. And each one of those elements has their own brand, meaning that you define the company by the people and that's who they are. You want to personify them and accentuate how great your people are. And the product or the service that you're offering, you develop a brand and packaging around that as well. So you, yourselves, either as a marketing or as an organization, the operations develop what your brand is on that side. And then you look at, from the process, how your products and services go to the market and the audience you're trying to attract.

How is that process look, what's the brand behind that? You attempt to do your best on that side. When I look at that, I think, okay, great. That's fine. That's what you say by yourself. But when we look at it, reverse engineer this, what is it? What are other people saying about it? Is it exactly what you want it to be? Is exactly how you are articulating it either verbally or online, social, et cetera, and juxtaposing what you're saying about yourself and to what other people are saying about yourself and really matching those two together. So, that's really the fundamental side of it all. It doesn't necessarily have to be a negative thing. It has a crisis, but I think that information is valuable when you're saying, Hey, we have a strong brand. Okay, who says who?

You know the term, your reputation precedes you? Yeah, that's the idea. So if your reputation precedes you, you are who you are, but your reputation's in front of you. What are people saying about you? What are they not saying about your product, your process and your people? So, that's what we're looking at. And then within that, we look at the vulnerabilities that you might have from your reputation or the gap between your brand and reputation, what are their opportunities? You look at your competition, that type of thing. So you want to make sure that you can close that gap as much as possible. So when you look in the mirror and say, Hey, this is what I see myself as, but then other people see you as something else, there might be a disconnect. We're trying to make sure that is as parallel as possible.

Kip Boyle: So, Casey, it sounds like a corporate brand is similar to a personal brand, right? So, what individuals have or try to put out there. In graduate school, I learned about the Johari's window. For example, part of that model says that there are things that you know about yourself, that everybody else knows, but that there's also the opposite, which is, there are things about yourself that you are oblivious to. And yet everybody else knows that part of you that you're not in touch with. So is part of your work helping executives see the hidden things about their reputation?

Casey Boggs: You nailed it. It's like peeking around the corner, knowing what they don't know, would that be valuable to them? Not so much for the branding purposes. And I want underscore this, this is not a marketing and branding exercise, it's actually an all operations. So for the executives, why this is important as they're journeying through the unknowns, is this the reputation per season? The industry that they're servicing, the other different elements here, that's important to them to products and services. So what is the appetite? What are their perception? What are the issues that are actually surrounding them? The big one here, [inaudible], is the HR.

Now more than ever at 3.5% unemployment rates, recruiting and retaining is key. So what are people saying or not saying about your organization? So if you are about to hire an employee, they are coming armed with a lot of information right now saying, "I've never heard about your company or I have heard about it." We did some research and what are people saying about it on Glassdoor or talking, the word of mouth, that type of thing? All this is reputation, and your reputation precedes you. So all this information hopefully is valuable to the organization as they are plotting a course for the future, not just for marketing purposes, but for everything.

Kip Boyle: Your point is that reputation is pervasive and that it can even affect the class and the caliber of talent that you want to attract to your company.

Casey Boggs: That's right. That's right. And there's so much to it, yeah.

Kip Boyle: So Casey, let's transition to crisis communications during a cyber event, such as a data breach. Tell us, what are the key planning points? What do our listeners need to know?

Casey Boggs: Of course, and you hit the word planning, it's the aspect that I want to underscore on this. It's no fun to talk about what happens when a cyber incident happens, but the idea here is preparation is key. I like to say crisis mitigation is 99% preparation, 1% execution. I know it's sounds silly, but it really is. The key here is that to be prepared for this really does help to mitigate against the issues and what that is specifically.

Kip Boyle: Oh Casey, your comment reminds me, we had a guest a little while ago, Melissa [inaudible]. She was an attorney in the army, and she said that the military does an excellent job of preparing to fight so that when fighting does happen, they're ready. And her point was that it's all about preparation. She felt that the private sector could learn a great deal from this habit that the military has of always preparing.

Casey Boggs: That's right.

Kip Boyle: What else, in terms of planning and preparation for crisis communication, does our audience need to know?

Casey Boggs: Yeah. So one of the things that we do as well is develop a plan. And develop a plan is not this is full extensive thing, but I want to look at, who are the players on this? During an incident, there is two things going on [inaudible]. One is that you are taking care of the problem, you're fixing the problem, or at least trying to address the problem from forensic scientists, legal, et cetera. Our job is from a communications side. So there's fixing the problem and communicating during the problem. So the preparation piece here is, who is on your communications task force? And this drills down just a smidge in here, is that we want to make sure that someone ahead of time has been deputized to lead that component.

So from a quarterbacking, who do we need to communicate to, what do we need to communicate? Why are we communicating to them? Is there a call to action? That type of thing. But drills down a little further as well, and this means that we have to have someone else to focus on internal communications, means staff, to even customers, vendors, third party vendors that we're communicating incident or the developments of that internally. Ensure there are regulatory requirements as well to this end. But it's important during the incident, that this is not forgotten. So the internal part, communicating first.

I like to say, we take an inside-out approach to communications, meaning we want to make sure the audience internally is done. And then externally, someone else has been focused on that, meaning your broader customers or your public, media and social media, or other community partners that need to be communicated to. It drills down further, but that part of it all having a task force from a communication side ahead of time preparing them so when this happens, you are not necessarily fumbling over what you need to do. That is really key. Again, I can give more details, but the idea here is there should be some familiarity on who's doing what before the incident happens.

Kip Boyle: I want to just take a moment and just confess something here. So, I started my career in systems. I worked in IT departments. Looking back on it now, I must have been a horrible, horrible communicator. When I became a chief information security officer, my eyes really, really became more open to what you're saying about the fact that you have to prepare to communicate, that there's multiple audiences. And I used one of these people who thought, oh, we're going to make a change, I'll just send an email. It'll be right. Just blast an email out there and everybody will read it and it'll be fine and all will be well.

I would be amazed when that wasn't the case. Finally, I ended up working with our marketing department and they had a whole structure for this, which is what you are explaining, of isolating the audiences, making sure that we're being very clear about what we want to communicate to each one of those audiences. And it just completely opened up my mind to what effective communication really is. So, that was my awakening, my first awakening to what you're sharing with us right now.

Casey Boggs: That's right. I do see in our experience, a disproportionate amount of information is coming in, which is typical because there's a lot of gathering information, but not enough going out. Even if it's small, even if it's something that, what's actually happening. So a lot of times during a cyber incident specifically is really when things were communicated to and what was communicated to. So we try to make sure that doesn't happen and be smart about that as possible.

Kip Boyle: And as an incident commander is somebody who... I have experience actually being the person who is running an incident and the last thing I'm thinking about is communicating with people. The first thing I'm thinking about is getting this incident under control. One of the things that I learned is that I may not, as the incident commander, incident manager, I may not have the bandwidth available to do communications. But I learned that I had to have somebody who was standing right next to me, whose primary job was to communicate and to know when to communicate and to whom we should be communicating and what we should be saying to them.

Because it's so human for people, when something bad's happening and they're not getting information, there's a blank in their mind. There's this like, this is happening. And they will fill in those blanks with the worst possible thoughts. They'll take it to an extreme and they'll be thinking things like they don't like me. Oh, they're just crapping all over my day, they don't care. They just make all this stuff up and the reality is probably nothing like that. Just for the lack of communicating, you're ceding control of your reputation.

Casey Boggs: You hit the right word, control, do your best to control that communication. People have an insatiable appetite to understand what's actually happening. So if they do not get that information, they're drawing their own conclusions as you pointed out. And that [crosstalk] is not a good thing. It's okay for someone like yourself, and the situation that you provided, to take care of the situation, but why not have someone else that's been looked to to help communicate to that end? So that's what [crosstalk] here. And that's, what's the preparation to it all? It's maybe counterintuitive crisis or cyber or whatever, having that team in place and ready to go [inaudible].

Kip Boyle: Yeah. Okay. So we talked about preparation, 99% preparation, 1% execution. What are the other important points that our listeners need to consider?

Casey Boggs: That's right. It goes to when you communicate. One of the things where we're seeing more of the incidents happen lately and certainly through legacy incidents, such as Target, and now with Capital One, it's the when they communicated. We understand that there's a lot of things actually happening, but part of the communication side is finding that right tempo. When's the best time to communicate and to who to communicate to? So through preparation, you get in this pattern of understanding these are two important elements, when and to who to communicate to.

Maybe it's to who and then to when, but regardless, it's important that the timing of that is important. Because afterwards, if folks found out that they were breached and there's an issue and they're like, okay, that stinks and it's become more common, but they found out later on that you held that information for a few weeks, ooh, now that's on you. So the part here is to get in this mindset and this muscle memory that we need to communicate. Even if it's something we're still investigating the matter, we are gathering information as it becomes available, that's communication. But if you don't and you hold on, although unintentionally, it might go bad against you and that's a bad perception.

Kip Boyle: Oh yeah. I've got a couple of stories about that. So if you want to see an example of an organization that's done a very good job of communicating in a timely way in the midst of a cyber crisis, I would suggest looking at Norsk Hydro. This is a big aluminum producer in Scandinavia, and they sent their chief financial officer out to the microphones very, very early to communicate with the world what was going on. And that guy got high marks, not just for the timeliness of his communications, but also the authenticity with which he communicated and the transparency of his communications. So I think that's a very current great example of what we're talking about when we're discussing timing. Now, another example that I'll point out, which I think is illustrative, love to use that word-

Casey Boggs: Good word.

Kip Boyle: Think about the Home Depot credit card hack and the Target credit card hack. Now, I've studied these two hacks, these two data breaches. And one of the things that I learned was that Home Depot's total cost of their data breach was something like $100 million less than Target, even though Home Depot disclosed more records than did Target. When you peel into it, one of the things that you see is that Home Depot was very quick to release information. In fact, they communicated with people about the data breach before they actually were in a position to 100% confirm that they had a data breach. So they had suspected that they had one and they leapt in front of those microphones and started talking about it before they had even confirmed it. I believe that that is one of the reasons why the cost of their hack was so substantially lower than it was for Target.

Casey Boggs: That's right. Absolutely. When we are talking about communicating the when side, this is also too, we're working alongside the legal teams. And this is a key element because there are regulatory issues and also requirements. And then also too other industries such as the banking world and healthcare that have requirements for us to when to do so, that sometimes that's forgotten, but it's also to adding some more substance behind what you're communicating. That's a key aspect.

So, one of the things I want to underscore here as well is having developed statements ahead of time. And then actually, it can be general for sure. But during the fog of war, when you are actually arguing all this information from the incident and what happened of sorts, working with your legal team ahead of time to have a statement or have various amounts of statements that you can tailor and add some more substance to it and humanize that statement, that's going to be key.

I bring that point up because [inaudible], this really goes back to my AIG days as well, is that we have to require to communicate something. What do we want to communicate? Can be too legally, is has to have some substance, but also too, what are we asking the audience to do? Either staff or your customers, is their call to action. Should they change their password? What is it that we're asking them to do? So a lot of this could be potentially done ahead of time through some prepared statements.

Kip Boyle: Yeah, I would think so. You brought up lawyers. If Jake were on the episode here, I would really include him in this comment that I'm about to make, but my experience is that lawyers generally don't want you to talk. Have you experienced that where you are encouraging a customer to talk, and then there's an attorney also present who's saying, "No, no, don't do that. That could cause increased liability?"

Casey Boggs: We've come to have a world where we coexist, meaning that they are dealing with court of law and we're dealing with a court of public opinion.

Kip Boyle: I love that.

Casey Boggs: I've seen their world. I understand why they're a little bit more reluctant to communicate because potentially, the information that we're offering at that particular time could be presentable in the court of law. However, in the court of public opinion, which is potentially even more damaging, we need to strike that balance. So we coexist in a good way, but it's certainly an area that when we're talking about bringing a communications firm, bring them in simultaneously with the legal team. Because that's the element that we want to make sure that we have a fair shake in this and that's an important element. Because when we-

Kip Boyle: Right. And to the extent that there's clash, you should have that all worked out ahead of time. Right?

Casey Boggs: That's right.

Kip Boyle: Otherwise, you're trying to resolve it in the midst of the heat of the moment. I'm sure that goes really well.

Casey Boggs: It does, very much so. Very much so.

Kip Boyle: Okay. So Casey, what are the other planning points that our listeners need to be aware of in terms of protecting their reputation during a cyber crisis?

Casey Boggs: I believe also, have procedures and policies in the play for your staff, for your executives, for the task force of sorts. Make sure that there's a strong communications line. So really looking at the channels of communications. Are you using email? Are you using Slack? Are you calling? So having everyone's contact information. But say, for instance, the actual incident itself it's typically doesn't come up from the executives. It usually comes in from frontline staff. I'm generalizing here, but it sometimes comes in through, oh, hey, looks like there's some [inaudible] going on. So they communicate through their customer service.

That process, that streamlined communication should already be developed ahead of time. So the task force that's designated for your incident response team, both from fixing the problem, as well as communicating the problem, that streamline process and procedure should already be ahead of time and test that. Because sometimes lost time or miscommunication is developed just because they simply don't know. So that piece of it all, I can't underscore enough, and that just takes a little bit of understanding of what their process is internally, but also the channels of communications. And then once that information is relayed to the appropriate people, then what? So I really emphasize the policies and procedures need to be not only developed, but also practiced.

Kip Boyle: Yeah. Now, let me speak to a moment about the point you made just a few moments ago where you said that the crisis rarely presents itself directly to the executives or they're not immediately at ground zero when the crisis occurs. And when it comes to cyber risks, let's take data breach, for example, the way that most executives find out that they have had a data breach, it all comes from the outside. It's either a customer complains because something bad's happened.

So you're already on the defensive because you've got a customer coming at you. Or law enforcement calls you up and says, "We're conducting an investigation of company ABC, and during the course of that investigation, we found your data in there." That means you've already been data breached, and it could have been six months, 12 months ago. So here's law enforcement and you're on the defensive. And the last, the third way that typically that they find out is member of the media will approach them, send them an email, make a phone call, whatever, and say, "We're about to run a story about how you've suffered a data breach. Would you like to comment? We go live at five."

Casey Boggs: Yes.

Kip Boyle: Again, you're reacting.

Casey Boggs: [crosstalk]. That's right. A lot of times the malicious actors understand this psyche, and they will use that information and provide it to sources like the media and saying, "Hey, we got that as information they have not been playing ball. We're going to give that information to the media." Whoa, why are we getting this information from the media first? So there's lot to this, but certainly plenty of examples to provide. But yet I know we're a little bit short on time, but that's a key element because rarely does the... And I've really frankly, not seen an incident specifically when things like cyber attack come in from the top down, it's usually from a different sources. And that process-

Kip Boyle: Yeah. That's [crosstalk].

Casey Boggs: ... should be figured out.

Kip Boyle: Yeah. And if you don't have it, then you get to make it up in the moment. Oh, that always goes well, right? Let's make it up in the moment. I'm telling you right now, I've seen that. I've been a party of that. That is horrible. Talk about stress, man. Oh my gosh. Okay. Well, Casey, any final thoughts as we wrap up our episode?

Casey Boggs: My only thing is I always use sports analogies, but certainly before you go into the playing fields against your opponent, this faceless opponent as we know as malicious actors, to prepare. So you practice and practice and practice and practice. So when you go into the game time, you feel a little more comfortable about the game itself. And there's going to be some variables here, but you're going to be a lot more confidence dealing with situations and odd scenarios that come available if you practice as much as possible. So preparation, preparation, preparation, and from the communication side, that can't be any more relevant.

Kip Boyle: Okay. So it's all about preparation. Casey, thank you so much for being our guest today. I think you've shared some really valuable information. Where can our listeners learn more about you and your work?

Casey Boggs: Yes. At our website, which is reputationus.com. It's the word reputation, U-S.com.

Kip Boyle: That's great. Okay. Well, thanks again for joining us today, Casey. And that wraps up this episode of the Cyber Risk Management podcast. Today, we talked about how to protect your reputation in the middle of a cyber crisis. And we did that with our guest, Casey Boggs. Thanks everybody, we'll see you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management podcast. Remember that cyber risk management is a team sport and should incorporate management, your legal department, HR, and IT for full effectiveness. Management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk business strategy program. Find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.