Crisis communications: A primer for teams (part 2)

Opinion
Aug 3, 20096 mins

* Author uses South Carolina governor's example of how not to convey a message.

This is the second part of a review of the book by Al Czarnecki, APR entitled Crisis Communications: A Primer for Teams.

* * *

The author identifies the key players in the crisis management team as follows (and provides role-specific details, which I am omitting):

• CEO—chief executive officer

• BC—business continuity manager

• HR—human resources manager

• IT—information technology manager

• PR—public relations manager

• FM—facilities manager (at crisis location)

• DH—department heads (full senior management team)

In this column, I want to focus on Czarnecki’s expert opinion and advice about how we in the information assurance (IA) field can work effectively with PR managers. First, here is the author’s summary of the key contributions of the PR function — quoting directly:

• Explains the role of public relations to new employees during orientation.

• Fosters two-way communication to mitigate issues before they become crises.

• Develops trust and credibility with employees, key stakeholders and the media.

• Promotes a common understanding of the organization: its mission, operations, role.

• Ensures that all components of crisis communications readiness are in place.

• Leads and coordinates the communications function during a crisis.

I think that the debacle in mid-June 2009 in which Gov. Mark Sanford of South Carolina disappeared for five days on what he had described as a solitary hike along the Appalachian Trail illustrates the danger of not working effectively with one’s professional public relations staff.

Czarnecki points out that some crises involve a breach of standards or trust. On the same page he describes how the term ‘just deserts’ goes back 500 years, and there must be some lesson in that. Nevertheless, Gov. Sanford and his team could have profited from reading this book.

First of all, this public official left his staff without adequate information about where he was going and what he was doing. Jim Davenport of the Associated Press wrote on June 23, before the scandal broke, “Sanford’s spokesman said the governor was hiking to clear his head after the legislative session, during which he lost a key battle. But critics … wondered why it took nine hours after reporters started asking questions for the governor’s staff to say what the state’s chief executive was doing. Sanford was expected back in his office Wednesday, but his aides stopped answering questions about his trip, including where he was on the 2,175-mile trail, whether he was with security and if anyone else could confirm his whereabouts. ‘If you’re not skeptical, then you have to think the governor’s office is in complete chaos,’ said Carol Fowler, chairwoman of the state Democratic Party…. His wife, Jenny, told The Associated Press on Monday that he needed time away from his four sons to write something. For hours, his staff would only say he was vacationing. It wasn’t until 10 p.m. Monday that they allowed he was hiking.”

So three obvious lessons for all of us who are struggling to cope with a computer security incident are clear:

1. Provide the organization’s PR department with clear, factual, up-to-date information on an ongoing basis.

2. Coordinate the release of information through one central source.

3. Don’t give different people contradictory stories.

The problem underlying the public relations difficulties turned out to be that Sanford had lied to his wife and to his aides. He was neither writing anything nor hiking the Appalachian trail: he was visiting a friend in Argentina.

So some more lessons for effective crisis communications include:

• Don’t lie.

• Don’t screw around when you are supposed to be working.

Commentators noted that Gov. Sanford’s press conference was surprisingly rambling. Aside from a gaggle of cartoons on the subject, his over-the-top litany of apologies prompted an article entitled, “How Not to Handle A Political Crisis” on National Public Radio. Reporter Ina Jaffe began, “South Carolina Gov. Mark Sanford’s news conference on Wednesday raised about as many questions as it answered. For some in the business of advising politicians, the main question was, why did Sanford go in front of microphones and cameras and bare his soul for nearly 20 minutes? A communications professional could tell from Sanford’s very first sentence that this news conference was not going to help him much. He kicked it off by saying, ‘I won’t begin in any particular spot,’ and he didn’t — rambling on about hiking and travel and then spending five or so minutes apologizing.”

Chris Lehane, an expert political consultant, commented in the radio interview, “I mean, watching it with a professional perspective … it was akin to fingernails on a chalkboard…. You could see every principle of crisis communications being violated on a moment-by-moment basis.”

Although we usually don’t have the kind of issue that Gov. Sanford faced when we try to communicate what we are doing in a computer security incident (and we don’t normally need to have our spouses present), the lessons from crisis communications experts are:

• Stick to the point.

• Be brief.

• Don’t engage in discussion that is off-script.

Al Czarnecki’s book prompts all kinds of considerations that will help your people work better as a team and communicate effectively during a crisis. I am recommending it to my colleagues in the Master of Science in Business Continuity Management and the Master of Science in Information Assurance as an additional textbook for the Computer Security Incident Response Team Management course.

Go buy it!

Al Czarnecki APR is an accredited public relations professional with twenty years of experience. You can read more about his book on his Web site.

By the way, my friend and colleague Robert Gezelter has an interesting post about a completely different but very important aspect of the Sanford case in his blog.

* * *

On another note: join me online for three courses in October and November 2009 under the auspices of Security University. We will be meeting via conference call on Saturdays and Sundays for six hours each day and then for three hours in the evenings of Monday through Thursday. The courses are “Introduction to IA for Non-Technical Managers,” “Management of IA,” and “Cyberlaw for IA Professionals“. Each course will have the lectures and discussions recorded and available for download – and there will be a dedicated discussion group online for participants to discuss points and questions. See you online!