
    Noam Morginstin
    Mar 06 5 min read

    Three communications best practices for incident handlers


    The importance of well-managed communications when handling IT and security incidents cannot be overstated.

    If updates are not communicated in a timely and accurate manner, misunderstandings, misalignment, and costly errors will occur. Not to mention, resolution will be prolonged.

    And if highly sensitive information is communicated to those who should not be privy to it, the risk of legal ramifications is high, as is the potential damage.

    This is why it’s so important to make sure that the following three key best practices are in place for driving effective communications during incident handling:

    • Assigning a communications lead to be the single point of contact from trigger to lessons learned.
    • Assuring real-time, personalized updates that are tailored for specific stakeholders and groups and which are dispatched at every step of the incident resolution journey.
    • Protecting legal privilege to avoid the risk and damage of exposure in court.


    Let’s take a closer look.


    Assigning a communications lead

    Incident communication is not just about the process of alerting users that there’s a breach, outage, or a degradation in performance.

    The incident impacts multiple internal and external stakeholders, including incident handlers, Sales, Marketing, management, Legal, PR, customers, and – of course – the breach insurance carrier.

    They all need data.


    Controlling the conversation

    Accordingly, it is critical to assign the communications task to someone who will know when to communicate what to whom. And this someone should also have the business acumen to control the conversation with each audience type, with just the information they need – in a way that will enable them to carry out their duties (internal) or to feel confident (external) that competent and accountable professionals are carrying out the requisite tasks.


    Owning the message

    Furthermore, it should be this person and this person only who serves as the central point for crafting messages.

    Each incident carries many different nuances, and sensitivity to how these nuances are communicated is critical. For example, it wouldn’t serve the organization well if the tech lead communicated to customers or other stakeholders that the resolution being considered for a security incident is to wipe the server and restore it from the backup.

    Customers may be concerned about the integrity of their personal data. Legal and management will be concerned about evidence preservation.




    Assuring real-time and personalized updates

    The incident journey is one that unfolds quickly and changes constantly. Incident handlers, management, and all the other stakeholders mentioned earlier need to be kept apprised of the real-time status of the incident: who is doing what, what actions have been taken, by whom, and what the outcome of each was.

    Accordingly, updates need to be sent in real-time and to the right people with the right information.

    This can be a difficult task, though, when the incident lead and team are busy taking care of the actual incident. Chasing everyone for a status update, constructing a report, and sending it out in real time comes with a huge overhead. It’s time-consuming, complex, and extremely challenging.

    What complicates matters even more is that the same update is not relevant for all involved. Each communication needs to be tailored to the intended audience. Executives are interested in different information than the NOC team, Legal, or Sales, for example.

    The key to overcoming the challenge is to aggregate data from all relevant incident tools and systems in one place, and to be able to create role-based updates that are compiled automatically from this data and dispatched at the touch of a button.


    Protecting legal privilege 

    During the incident resolution effort, information is exchanged between and among many different parties.

    The information being shared can be very sensitive, the kind the organization will not want read out during evidence presentation in court. However, difficult questions do need to be asked, and sensitive answers do need to be provided.

    The key to protecting this type of information exchange, and to minimizing the risk of losing legal privilege and having confidential incident-related communications and documents disclosed, is to ensure that incident communications take place exclusively in a closed system that restricts access through role-based permissions.


    Virtual War Room


    In conclusion

    There is no doubt that effective communication is strategic to skillful, accelerated, and successful incident resolution. The key is to have:

    • A communications lead with incident know-how and business acumen for crafting effective messages and controlling the conversation.
    • Data aggregation, consolidation, and automation for real-time updates that are tailored to each incident stakeholder type and can be created with one click.
    • A closed system that limits communications through role-based permissions, for assuring confidentiality and privilege protection.


    To learn how Exigence can help you implement the three key best practices of effective incident communication, we invite you to reach out to book your free demo here, or reach out to us at

