Velocity’s Edge Podcast S1E3 - Melanie Ensign on Strategic Communications


Most organizations think of security communications as ‘crisis management’: what to say when something goes wrong. But waiting until an incident occurs to build relationships, establish trust, and create communication channels severely limits your response options.

By then, you’re responding with one arm tied behind your back.

Security communications isn’t episodic. It’s strategic. Every interaction with security researchers, every statement about your security posture, every decision about transparency, builds or erodes the credibility you’ll need when it really counts. The companies that emerge stronger from incidents are those that have been building trust and influence long before anything goes wrong.

In this episode of Velocity’s Edge, Melanie Ensign explains why proactive security communications is a business imperative. She and host Nicko Goncharoff explore critical questions: How do you build the relationships and political capital you’ll need during an incident? Why do security teams need influence beyond their reporting lines? How can incidents actually become opportunities to demonstrate credibility?

The challenge isn’t just external communications. It’s internal, too. Security teams must develop the skills to negotiate and lead across departments, understanding what matters to their colleagues and how security objectives align with broader business goals. As Melanie puts it: “In order to call a friend, you have to have a friend.”

Melanie Ensign is on the EPSD advisory board, and is founder of EPSD partner Discernible, a security and privacy communications firm. She has led security communications for Facebook, Uber, and AT&T, and ran DEF CON’s press operations for a decade. She knows how to communicate when the world is watching, helping teams build credibility and influence with business leaders through her expertise in high-risk incident communication.

As in all our episodes, we speak in plain, executive-summary business terms, framing complex business and technology strategic challenges in context, using language that makes them more accessible and actionable.

Listen here, download it from Apple Podcasts, Spotify, or find it wherever you get your podcasts.

Episode Information
Season 1, Episode 3
Length: 22 minutes, 07 seconds
Host: Nicko Goncharoff
Guest: Melanie Ensign
Recorded: VOXPOD Podcast Studios, Parsons Green, London
Engineer: Dayna Ruka
Editor: Dayna Ruka, Jeet Vasani

Nicko Goncharoff: Hi, this is Velocity’s Edge podcast. I’m Nicko Goncharoff, and with me today is Melanie Ensign.

Melanie Ensign: And it’s so great to be here with you today, Nicko.

NG: Can you briefly introduce yourself, please?

ME: I am first and foremost on the advisory board for EPSD, and I also founded and run a security and privacy communications consultancy called Discernible, which is also a partner to EPSD. We work with them on client engagements, particularly around incident and security communications.

Just to explain a little bit about what security communications is, and I know we’re going to get into this pretty deeply in our conversation today… For a long time, most organisations have really only thought of security communications as incident response or crisis communications. And truth be told, that kind of limits your options, as well as how good things can go when an incident actually happens. Waiting until something goes wrong before you start thinking about how you’ve been communicating or building trust in this particular area of expertise… We have found that our clients do so much better in those moments where it really counts if they have been proactive and had an ongoing communication strategy for security all along.

Prior to starting Discernible, I led security, privacy, and engineering communications at Uber. I’ve done security communications for Facebook and AT&T, and within that time frame, I also spent 10 years leading the press department for DEF CON. I think it’s fair to say that the last two decades of my life have been pretty decidedly dedicated towards the security community, particularly the professionals who work in this space and helping them become more effective communicators themselves.

NG: That is truly fascinating. Based on your experience, and I’m sure you’ve helped set these up, what characterizes an organization that has set itself up to be proactive in terms of security communications, versus reactive?

ME: So the big thing is, and this is based off of the thousands of incidents that my team and I have been through across our careers, is when something happens – when you enter an incident scenario – the relationships, the trust, the favors at times, the processes, the communication channels and infrastructure… all of those things are a million times harder to build when things are on fire. When you’re in the heat of the moment, it is so much harder to establish those things, and oftentimes it’s impossible to build those things.

We have this saying in the communications field that in order to call a friend, you have to have a friend. So if you have not already forged those relationships ahead of time, you’re really going to be limited by how you can respond to an incident.

A lot of the time when we see these kind of tone-deaf or, I would say, even kind of superficial and shallow responses from companies – and I’m not even just talking about their public statements, although that is incorporated here – you don’t have a lot of options as a company in how you respond to an unexpected event if you haven’t built all these things in advance.

So deciding first and foremost that you want your incident response to actually be good and helpful and valuable, and not just hope that you come out unscathed or minimizing damage… we have a really strong philosophy with my team that incidents are an opportunity to build more trust, to demonstrate more credibility. You can actually come out from a reputation perspective better than you were before all of this happened if you are adequately prepared, and if you have those relationships put in place.

One of the challenges that we’ve had with companies who come to us once an incident is already happening is they don’t have the infrastructure. They don’t have the relationships, and they don’t have the credibility or the influence. Which means that we’re essentially responding with one arm tied behind our back. Whereas bringing us in early and actually having a proactive strategy for… instead of asking what could go wrong, asking what could go right, and reverse engineering a strategy so that a best case scenario is, in fact, possible.

NG: Before we go into how you put together that strategy and prepare a company to be more proactive, I’m just curious. One thing that you mentioned really fascinates me. You said “the favors you have to call upon.” That suggests that when these incidents take place, not everybody shares the same view of the urgency of the problem or the severity of the problem.

ME: Yeah, I think that’s true. Certainly within organizations, most of the people that we need to influence and persuade as a security team don’t report to us. Actually having the skills to negotiate and lead beyond reporting lines is something that we work on a lot with our clients so that they are able to call in those favors when needed. And of course, in order to cash in a favor, you need to be willing to do favors yourself, right? This reciprocity across disciplines and departments is something that doesn’t seem to be intuitive to a lot of security teams.

The other thing is that sometimes these favors are from people outside of the organization. Maybe it’s a partner or peer or somebody else in your industry who has intel about a threat actor or a particular incident that’s happening. It is so much better to go through an incident like this with your friends or your industry peers, or even if it’s another company that has learned something from their investigation that perhaps you don’t have the same information on your end for whatever reason. All of these things make your response so much better. But if you don’t have those contacts, if you haven’t built enough trust and enough credibility with these individuals, why would they even answer your phone call?

NG: Whether they’re working with Discernible or on their own, take us through how a company can prepare themselves to… how they can adopt and implement a security communications strategy.

ME: The first step is we actually sit down with the security team, and then we talk to their most important stakeholders. We will map out: What is it that you need to accomplish as an organization? And who else in your company, or perhaps even outside your company, do you need to have a relationship with? Do you need to influence, or do you need to persuade them to do something?

There’s kind of two camps of relationships. The way that I think about it is: those people who can help you accomplish what you’re trying to achieve, and the people who are standing in your way. I want to maximize the leverage we have and the trust we have with the people who can help us. And I need to grease the wheels for the people who might be standing in the way.

And sometimes a lot of the people standing in the way aren’t doing it on purpose. It’s a cold call kind of a situation, where they’re not an active opponent to what you’re trying to achieve, but they’ve never heard of you, they’ve never had a conversation with you. You’re going to call and ask them to do something that’s very urgent, and they’re not going to understand the context, and they don’t know who you are.

We really focus on: What are those relationships that you need to have in order to achieve your goals? And we rate them, and we measure how warm or cold they are in terms of influence and trust.

Then we build programs with the security team on how do you develop relationships with those people? What’s important to them? How can you do favors for them? How can you build up that political capital within your organization?

And that’s really step one, is understanding which relationships do you need to have? Where are the gaps? And let’s build the… oftentimes it’s communication skills… for the security team so that they can be really good ambassadors of their own mission inside the company.

Because, as I always say, I’m not really trying to convert everybody to a particular religion. I just need to get them into the building. Understanding what they really care about and how we can help them as a security organization is the first step in getting all of our ducks in a row so that people will answer our calls when we need them to. And based on those relationships, we can then get more precise into negotiating for security outcomes, into a product roadmap, working with SRE teams and other on-call folks when an incident happens.

And of course, the CISO the whole time is supposed to be head of state… needs to be developing those relationships at the most senior levels of the company so that we can make a decision, like taking a service offline, and being able to do that quickly.

The more prepared you are for the incident, the more options, the more choices you have, in how you could potentially respond.

NG: And this preparation work, as you describe it, it could help fundamentally change the perception of security within the organization. Right? Instead of thinking of them as “Doctor No,” people might understand why they’re there and how they’re important to the business, and even to their own roles and their own goals.

ME: Yeah, absolutely. And at the very least, they will understand that “if you help me out with the security thing right now, I will help you out with your thing tomorrow.” Or even something as simple as closing this bug bounty ticket because this researcher will not shut up about it, and they have the ear of a journalist, so let’s just get it done so we can move on.

NG: Right. Okay, so Melanie, let’s say you’ve come in with your team and you’re helping a company put in place a proper security communications program. Once you go, who’s in charge? Who’s going to manage it? Who owns that?

ME: It really depends on the organization. Again, the first thing we do is map out the nodes of influence. I know I have the org chart with the official reporting lines, but I’m talking to everybody to understand who’s really calling the shots, who has the ear of the decision makers. And ownership really depends on who is going to be best positioned to get decisions made quickly. In my previous roles when I worked in Silicon Valley, I was part of the corporate communications team, and the security team was my internal client. I reported into Comms, but my responsibility was the technical teams.

And for what the company needed from me at that time, that made sense, because I think for a lot of companies, employees who are outside of the communications organization are not authorized to speak publicly about a lot of these things. So for that particular role at that time, I needed to have authorization to be able to speak publicly about what was happening inside the company and the things that we were learning through various investigations. It really would have been a huge moment of “lost in translation” if I’d had to go through another person in order to communicate that externally.

For us it worked really well that I sat in the corporate communications team and could be the spokesperson on all things security and privacy. But at other companies, that’s not always the best option. Sometimes the owner will end up being the CISO, especially at smaller companies, because they are the most senior person who can speak publicly. So they will often have a communications support that will work with them on anything like media interviews or public statements, and of course, legal is involved in these things as well.

The ownership is really about who cares the most about how this goes. Who has the most skin in the game and is going to be the most dedicated and committed to making sure that we are thinking about what could go right. One of the challenges that I have seen in a lot of traditional corporate communications organizations that don’t have dedicated security expertise is that they view these things as episodic chapters, that they can close the book on and move on to other things. And they don’t really grasp that security communications has a snowball effect.

It’s not just the actual incidents, like a network compromise or a data breach. It’s rumors within the industry about how you treat security researchers and how you prioritize security features within your products. Every single one of those factors builds on top of your credibility and your trust with your customers and the public in terms of your level of commitment and sincerity when it comes to security investments.

And if you haven’t been doing any of those things in between the big emergency level incidents, then every single time you have an incident, you’re either starting from scratch, or you’re actually starting with a deficit, because you haven’t recognized all of the historical context that you know is either adding to your reputation account or it’s making withdrawals from that account.

The short answer to your question is it really does depend on which organization and which role within that organization is going to help the company achieve its goals. And sometimes that person sits in communications and sometimes they don’t.

NG: Right. And obviously one critical factor is who has the relationships and who has the persuasiveness, as you mentioned earlier. It sounds like as part of the overall security communications strategy, one thing you need to take into account is including security in your marketing and your thought leadership strategies, right? So that you’re actually addressing this in-between incidents… there’s visibility about what you’re doing in terms of your attitude toward security, your security policies, your security measures, your attitude towards customers. Is that correct?

ME: Yeah. I think one of the challenges that a lot of companies have when they look at these things from an internal perspective is they like to divide incidents up by topic or theme. So, today they might be dealing with an HR incident, and tomorrow it might be a legal incident, and then in a couple of days it will be a security incident. And what they often forget is to the outside world, we don’t differentiate the topic or the theme of the incident. If you suck at communicating your HR incident, that’s the reputation you have going into your security incident.

It matters that you think about the context from across the organization, and not just think that because this is security, it is somehow something different and our stakeholders and our audience are different. There will be some, I would say, unique stakeholders when it comes to security incidents. But if your primary audiences are your employees and your customers and regulators, depending on what industry you’re in, that is true. Whether we’re talking about an engineering performance issue, maybe it’s a service outage, maybe it is like a high-profile security compromise of some kind, maybe it’s an executive kidnapping– whatever these things are, they all tie together when it comes to the way that the outside world perceives the situation that you’re in and how you respond to it.

I think something that I don’t think a lot of people know… and so I’ll share this with you, and for the folks who are listening… a lot of people are aware of the situation with Joe Sullivan several years ago at Uber. I was unfortunate enough to be subpoenaed to testify in that trial. And it was fascinating to me, the external conversation that the industry was having around liability for CISOs and how companies should respond in certain situations. And it was understandable that that’s what people were focusing on, because the press coverage was all about what had happened over that two- or three-year period.

And what a lot of people don’t realize is the reason the FTC was investigating Uber in the first place, even before Joe joined the company, was because there was a 2014 incident that proved that a piece of marketing copy on Uber’s website was, in fact, not true. All of this really snowballed from the fact that they weren’t thinking carefully about security communications in their marketing and in their public statements. And it sparked this chain of events that ended up, I think, pretty badly for everybody involved. It certainly could have been worse. But a lot of people don’t realize that all of this started with really bad security communications and marketing on the company website.

NG: Right. So the FTC, and actually the wider world, was already predisposed to distrust Uber when it came to security, among other things, perhaps. From the point of view of a CEO or COO, what can one do to improve your organization’s security, communications program, and strategy without having to necessarily bring anybody in? What are some things that you can do tomorrow to start improving the situation?

ME: I would start by bringing together your lieutenants who you think should have ownership over the decisions of an incident. Before we even get to the specific communication tasks or programs or tactics, we need to get the decision makers together and there needs to be a documented matrix, is usually what I use, of who makes decisions about which things.

In my experience, the thing that trips companies up the most in terms of speed in their response, and sound judgment in their response, is that there is in-fighting about who makes which decisions. And we waste time in the internal politics in a moment where we need to be moving very quickly and confidently. So that’s where I would start, is go through all of that drama, turf wars, whatever have you, inside your organization… Do that now, during the quiet period. Because trying to do it when something is on fire is really going to limit how good your response could be.

NG: And maybe one way to start doing that process is to look at a past incident, either at your company or at another one, and as you said, reverse-engineer it. Say, imagine that this is happening, how are we going to deal with it? Make it come out to be a positive?

ME: And you can start by looking at other types of incidents that are already happening at your company outside of security. How do you respond to a service issue? How do you respond to a customer support issue if a service isn’t available? I know that a lot of these companies have policies around what if there is a physical safety threat to their employees or their executives.

There are existing plans and playbooks inside a lot of these companies, and you don’t have to start from scratch. There are some unique things about security to consider when you’re developing those plans. But truth be told, for everybody outside of security, my best bet of a successful response is if the actions and decisions I need them to make for a security incident are very close, if not identical, to what they’re already used to from other types of incidents.

I don’t want this to be something that they have to relearn every single time. I want them to have that muscle memory. So looking for what already exists inside the organization, how decisions are made, documentation, tools, infrastructure– all of those things that we can repurpose– not only gives you an advantage in terms of being able to start a couple steps ahead, but it’s also cost effective to not have to build all of that from scratch if it’s something another team already has.

NG: Right. And it also reinforces this idea that security incidents and security communication are not unique. They’re actually part and parcel of the broader approach around communications and incident response.

ME: Absolutely.

NG: Melanie, thank you so much for your time today.

ME: You’re more than welcome. It was a pleasure.

NG: This is Velocity’s Edge. I’m Nicko Goncharoff.