
20.4 Media Relations and Public Perception

High-profile supply chain incidents attract media attention that extends far beyond your direct stakeholders. When the Log4Shell vulnerability emerged in December 2021, security teams were still assessing exposure while journalists were already publishing articles, analysts were appearing on news programs, and social media was amplifying every rumor. Organizations found themselves responding not just to the technical incident but to a media cycle that moved faster than their investigation. How you engage with media during these moments shapes public perception in ways that persist long after the incident is resolved.

Media relations during security incidents requires balancing multiple competing pressures: the need for transparency against the risk of inaccuracy, the desire to control narrative against the reality that others are already shaping it, and the impulse to minimize damage against the imperative for honest communication. Organizations that prepare for media engagement before incidents occur navigate these tensions far more effectively than those who improvise under pressure.

Working with Communications and PR Teams

Security teams and communications teams often operate in separate spheres until a crisis forces collaboration. Effective incident response requires breaking down these silos before they impede response.

PR team coordination:

  1. Establish relationships pre-incident: Security leaders should meet regularly with communications counterparts, sharing context about potential incident types and their implications. Communications teams cannot craft effective messaging about threats they do not understand.

  2. Define roles clearly: During incidents, determine who approves technical accuracy (security), who approves messaging and timing (communications), and who has final authority for external statements (typically executive leadership).

  3. Create feedback loops: Communications teams hear external questions and concerns that may not reach security teams. Establish channels for this intelligence to flow back to responders.

  4. Respect expertise: Security teams understand technical accuracy; communications teams understand media dynamics, message framing, and audience perception. Neither should override the other's domain expertise.

Coordination workflow during incidents:

Security Team                    Communications Team
     │                                   │
     ├── Provides technical facts ──────►│
     │                                   │
     │◄── Seeks clarification ───────────┤
     │                                   │
     ├── Reviews for accuracy ──────────►│
     │                                   │
     │                                   ├── Develops messaging
     │                                   │
     │◄── Shares draft statements ───────┤
     │                                   │
     ├── Confirms accuracy ─────────────►│
     │                                   │
     │              ┌────────────────────┤
     │              │ Executive approval │
     │              └────────────────────┤
     │                                   │
     │                                   ├── Issues statement

Organizations without dedicated communications teams should identify who will fill this role during incidents—whether an executive, external PR firm on retainer, or designated internal spokesperson.

Preparing Spokespersons

Not everyone who understands the incident should speak to media. Spokesperson preparation ensures that those who do speak can communicate effectively under pressure.

Spokesperson selection criteria:

  • Authority: Can speak on behalf of the organization
  • Knowledge: Understands the incident sufficiently to answer questions
  • Composure: Remains calm under challenging questioning
  • Communication skills: Translates technical concepts for general audiences
  • Availability: Can respond to media requests promptly

For major incidents, consider designating different spokespersons for different contexts: a CISO or security leader for technical media, a CEO for business media, and a communications professional for general inquiries.

Spokesperson preparation checklist:

  1. Brief on current facts: What do we know? What don't we know? What are we still investigating?

  2. Develop key messages: 3-5 core points to communicate consistently (see below)

  3. Anticipate questions: What will journalists ask? Prepare clear, accurate responses.

  4. Identify boundaries: What can we say? What can we not say (ongoing investigation, legal constraints, uncertainty)?

  5. Practice delivery: Rehearse responses, especially for difficult questions

  6. Establish ground rules: On-the-record, background, off-the-record—ensure spokespersons understand distinctions

Handling difficult questions:

| Question Type | Response Approach |
|---|---|
| "How many customers were affected?" | Provide numbers if known; otherwise state "investigation ongoing" with timeline for update |
| "Was this preventable?" | Acknowledge you're reviewing processes; avoid blame or premature conclusions |
| "Is customer data on the dark web?" | State what you know; if unknown, explain monitoring efforts |
| "Who is responsible?" | Avoid attribution unless confirmed; focus on response and protection |
| "Will you pay ransom?" | Company policy to not discuss; focus on recovery efforts |

Key Message Development

Consistent, accurate messaging prevents the confusion that arises when different sources say different things. Key messages are the core points you want every audience to understand.

Key message framework:

# Core Messages

1. **What happened** (factual, accurate, non-speculative)
   "We identified [vulnerability/compromise] affecting [scope]"

2. **What we're doing** (active, specific, reassuring)
   "We immediately [containment action] and are [ongoing response]"

3. **What customers should do** (actionable, clear)
   "Customers should [specific action] to protect themselves"

4. **Our commitment** (values, forward-looking)
   "We are committed to transparency and will provide updates as we learn more"

Every spokesperson, every statement, and every communication should reinforce these core messages. Consistency builds credibility; contradiction destroys it.

Message testing:

Before finalizing messages, test them:

  • Can a non-technical person understand the key points?
  • Are statements factually accurate given current knowledge?
  • Do messages answer the questions stakeholders are asking?
  • Are there any statements that might prove inaccurate as the investigation progresses?

Avoid language you may need to walk back. "We have no evidence of data exfiltration" is defensible even if evidence later emerges; "No data was exfiltrated" is a statement you cannot unsay.

Social Media Monitoring and Response

Social media accelerates information spread—and misinformation spread—during incidents. Security researchers often disclose or discuss vulnerabilities on Twitter/X, Reddit, and specialized forums before traditional media coverage begins.

Social media monitoring:

  • Track relevant keywords: Organization name, product names, vulnerability identifiers (CVE numbers), incident-specific terms
  • Monitor security community: InfoSec Twitter, Reddit r/netsec, Hacker News
  • Watch for emerging narratives: What are people saying? What questions are they asking? What misinformation is spreading?

Monitoring tools and approaches:

| Tool | Purpose |
|---|---|
| Hootsuite, Sprout Social | Social media management and monitoring |
| Google Alerts | Web mention tracking |
| Mention, Brand24 | Brand monitoring across platforms |
| TweetDeck | Twitter/X monitoring |
| Manual monitoring | Security-specific forums, Discord servers |

Social media response strategy:

  1. Acknowledge awareness: "We are aware of [issue] and are investigating. Updates will be posted to [official channel]."

  2. Direct to authoritative sources: Point people to your status page, advisory, or official statement rather than engaging in extended discussion.

  3. Correct dangerous misinformation: If false information could lead to harm (wrong remediation steps, false "all clear"), correct it promptly and clearly.

  4. Avoid arguments: Engaging with critics or trolls rarely helps. Provide facts and disengage.

  5. Maintain professional tone: Even when criticized unfairly, respond professionally. Your responses are visible to everyone, not just the person you're addressing.

Handling Speculation and Misinformation

During incidents, speculation fills information vacuums. When organizations are slow to communicate, others fill the void—sometimes with inaccurate information.

Misinformation response approaches:

| Type | Response |
|---|---|
| Minor inaccuracies | May not warrant direct correction; will be superseded by your authoritative statements |
| Dangerous misinformation | Correct directly with facts; prioritize user safety over perception management |
| Malicious rumors | Document for potential legal action; correct through official channels; avoid amplifying |
| Speculation about cause/attribution | Neither confirm nor deny; state that investigation is ongoing |

Principles for countering misinformation:

  • Lead with truth: Proactive, accurate communication reduces the space for speculation
  • Correct calmly: Avoid defensive or aggressive tone when correcting misinformation
  • Cite evidence: Where possible, point to specific facts rather than simply asserting "that's wrong"
  • Don't amplify: Sometimes responding to fringe claims gives them unwarranted visibility

The best defense against misinformation is a steady stream of accurate information from authoritative sources.

Case Studies: Good and Bad Handling

Effective handling: Cloudflare's Okta response (March 2022)

When the Lapsus$ breach of Okta was disclosed, Cloudflare published a detailed blog post within days explaining:

  • Exactly how they were potentially exposed
  • What they found in their investigation (no compromise)
  • Technical details of their security controls that limited exposure
  • Specific improvements they were making

The post was praised for transparency, technical depth, and proactive communication. Cloudflare emerged from the incident with an enhanced reputation despite being an Okta customer during a major breach.

Problematic handling: Okta's initial response (March 2022)

Okta's initial communications stated that only "approximately 2.5%" of customers were impacted and characterized the breach as limited. Subsequent disclosures revealed that 366 customers—including major enterprises—were affected, and the breach had occurred months earlier. The gap between initial minimization and emerging facts damaged trust significantly, leading to customer criticism and stock price decline.

Lessons from contrast:

  • Proactive transparency (Cloudflare) builds trust; reactive minimization (Okta) erodes it
  • Technical detail appropriate to audience demonstrates competence
  • Acknowledging uncertainty is better than overstating certainty
  • Speed matters, but accuracy matters more

Long-term Reputation Management

Incidents end; reputation effects persist. Organizations must plan for reputation recovery alongside technical recovery.

Reputation recovery timeline:

| Phase | Timeframe | Focus |
|---|---|---|
| Acute response | Days 1-7 | Accurate, timely communication; visible leadership |
| Investigation | Weeks 1-4 | Regular updates; transparent findings |
| Remediation | Weeks 2-8 | Demonstrate corrective actions; publish learnings |
| Recovery | Months 1-6 | Rebuild through consistent behavior; security improvements |
| Long-term | Ongoing | Sustained investment; proactive transparency |

Reputation recovery practices:

  • Publish post-mortems: Honest analysis of what went wrong and what you're doing differently signals maturity and commitment
  • Demonstrate investment: Announce and execute security improvements; actions matter more than words
  • Maintain transparency: Continue regular security communications beyond crisis period
  • Engage constructively with critics: Address legitimate concerns; acknowledge past failures without defensiveness
  • Let behavior speak: Over time, consistent good practices rebuild trust that words alone cannot

Media Engagement: Do's and Don'ts

Do:

  • Respond promptly to media inquiries, even if only to acknowledge receipt and promise follow-up
  • Prepare statements and Q&A documents before engaging
  • Bridge to key messages when answering questions
  • Acknowledge what you don't know; commit to updates
  • Thank researchers and reporters for responsible engagement
  • Review coverage to understand perception and correct record if needed

Don't:

  • Speculate about attack attribution, impact, or timeline without evidence
  • Blame third parties publicly, even if they bear some responsibility
  • Say "no comment": it implies guilt; instead explain why you can't comment
  • Make promises about future security you cannot guarantee
  • Engage in arguments with critics on social media
  • Let frustration show in communications, even when coverage feels unfair

Recommendations

We recommend the following media relations practices:

  1. Build PR relationships before incidents: Communications teams who understand your threat landscape provide better support during crises.

  2. Prepare spokespersons in advance: Identify and train potential spokespersons before you need them. Media training is an investment that pays off during crises.

  3. Develop messaging frameworks: Create templates for key messages that can be adapted to specific incidents, reducing time to initial response.

  4. Monitor continuously: Social media monitoring during incidents provides early warning of emerging narratives and misinformation.

  5. Prioritize accuracy over speed: Fast but wrong is worse than thoughtful and accurate. But thoughtful and accurate should still be fast.

  6. Plan for reputation recovery: Incident response includes the weeks and months after technical recovery. Plan communication through that arc.

  7. Learn from others: Study how peer organizations handled their incidents. Both successes and failures offer lessons for your preparation.

Public perception during incidents is not solely determined by what happened—it is shaped by how you communicate. Organizations that communicate transparently, accurately, and consistently emerge from incidents with reputation intact or even enhanced. Those that minimize, delay, or contradict themselves face lasting damage that exceeds the incident's direct impact.