Ctrl - Alt - Secure Podcast

Season 2 E10: Breach Mode – How to Survive a Cyber Crisis | Red Sentry ft Casey Boggs

Red Sentry CEO Valentina Flores Episode 10

Ctrl-Alt-Secure Podcast: Breach Mode – How to Survive a Cyber Crisis
Host: Valentina Flores (Red Sentry CEO)
Special Guest: Casey Boggs (President, ReputationUs)

Are you a CISO or CIO preparing your organization for the reputational fallout of a cyberattack? In this episode, we dive deep into the critical, often-overlooked side of cybersecurity: reputation management. Join Valentina Flores and Casey Boggs as they discuss real-world strategies for crisis communication, incident response, and protecting your brand when the unthinkable happens.

Key Topics:

  • Why reputation is as important as technical response
  • Common mistakes companies make after a breach
  • Building a proactive incident response and communication plan
  • Industry-specific challenges (healthcare, finance, tech, and more)
  • Authenticity and transparency in crisis communications

Chapters:
00:00 – Introduction & Guest Welcome
02:10 – Casey Boggs’ Background & ReputationUs
05:30 – The Real Impact of a Cyber Breach on Reputation
09:00 – Who’s to Blame? Internal & External Stakeholders
13:20 – Common Mistakes in Crisis Response
18:00 – Timing & Transparency: When to Communicate
22:45 – Building a Smart Incident Response Plan
28:10 – Legal, Insurance, and PR: Who’s on Your Team?
33:00 – Industry-Specific Considerations
37:15 – Success Stories & Lessons Learned
41:00 – Proactive Steps for CISOs & CIOs
45:00 – Final Takeaways & Resources

About Our Guest:
Casey Boggs is President of ReputationUs, a leading firm specializing in reputation management and crisis mitigation. With over 20 years of experience, Casey has helped organizations across industries navigate the aftermath of cyber incidents and protect their most valuable asset: trust.


You're listening to the Control Alt Secure podcast, where we talk all things cybersecurity. I'm your host, Valentina Flores, CEO of Red Sentry. Welcome! 

Hi everyone. I'm Valentina Flores, CEO of Red Sentry, and this is the Control Alt Secure podcast where we talk all things cybersecurity. And we have a really cool guest today, Casey Boggs, uh, president of ReputationUs, and we're gonna be talking. We talk all the time about technical fallout and how to prevent the technical sides of hacking, but what Casey's gonna talk about today is when you get hacked, what happens to your reputation afterward?

How do you come back from that kind of event? So, really excited because I think it's a very underrated and under talked about part of cybersecurity. So, Casey, really excited to have you here today. If you wanna give your background and what you do.  

Sure. Well, thanks for having me. Background: I've been doing this thing called public relations for 20 years now. My background's with two large PR firms, and then I was in-house at AIG as a director of PR for AIG during the financial crisis, and then started my own firm about 15 years ago. And for the most part, we've handled the, the ugly side of public relations.

That's reputation management and crisis mitigation. So been doing this for quite some time and then backed into the cybersecurity world for over 12 years just because of the nature of the beast.

And right now, do you do mostly cybersecurity, or do you do a little bit of everything in terms of reputation?

A little bit of everything. Yeah. Today's world is moving at quite the breakneck pace. Certainly on the administration, to issues that are, talking about taking a stance to, issues happening with HR. But cybersecurity certainly lurks its head often for what we do. Mm-hmm.

Like I said, you know, we talk about the technical fallout from cyber attacks so often, but the reputational damage is just as severe, if not more, a lot of the time for companies. Why do you think this is such an underestimated side, or why are people not talking about this more?

Yeah, I like that question. In fact, we posed that question when we did a recent cybersecurity survey to understand, engage, what the impact is on attack to really a company, but also the consumer confidence. And so as I listened to your question, Valentina, I think through what the results were of that survey, and simply said, if an attack happens, who's to blame? Right? You know, if you can point the finger at the malicious actor, or you point the finger at the company, and it was almost a 50/50 split. I think it was 54% said the malicious actor, the other 46% said the, the company is to blame when the attack happens. So onus, while seemingly it is easy to, to say, well, shoot, we were a victim.

No. Today more than ever, you're not a victim. You should be prepared for such a thing. Granted, it's not your fault for it happening but it's your fault for not being prepared. So, the fallout from all that is reputational damage. You know, were you prepared? Are you protecting your customer or your patients in the world of healthcare? Are you protecting their most valuable piece? And that's their data. It's who they are, and the answer is no, because of an attack, then that will certainly have ramifications on a company's reputation.  

Yeah, and you mentioned pointing the finger at either the hacker or the company. And even within the company, every person within the company is pointing a finger at a different person. And it's just this blame game. Instead of trying to figure out like, what do we do now? How do we go forward? And you know, if you own a company or you're responsible, or even if you're any person in the company, you are responsible for cybersecurity and it's everyone's job, and it doesn't matter whose fault it is, it's your problem now and you have to be prepared and fix it. So are there any kind of common mistakes that you see companies making, um, when responding to attacks? Because I think we all kind of see things in the media.

You know, it's kind of been chaos the last few years. We see a lot more of it. Are there any like big mistakes?

Where do I begin? No, but there's quite a few mistakes and I, I'll share just two broader categories and then it can go more to the specifics of sorts. But we look into the world from a public relations side as the, the who, the what, the why, the when, and the where. So I, I bring up the who first because to blame is to say, okay, if something happens, who do you need to communicate to to make sure that the issue's being, you know, mitigated or the issue being addressed, and then the who could potentially be customers, right?

So I think the fault sometimes lies in who needs to be communicated to first. And if you don't necessarily know who that answer is, that's number one out of your training tool book. So what I mean by that more specifically is that we just learned about a, an attack, right? Should that go to the, the hands of the IRT, incident response team, or the executive level communications, or who is that?

Right? So that's the who. And then once you find out who was impacted. The issue that we see, and how the reputation piece plays a key role, is that the who is not being communicated to long after the fact, after the attack happens. So then the second aspect of that is the when. We see a lot of the missteps happen

now, as far as the timing. The timing of the when, of when it is communicated. So you hold this information, hopefully it'll just kind of go away, or you're trying to resolve it. I get it. We understand that sometimes you don't necessarily want to be too cavalier and communicate when you necessarily don't know all the details.

However, if you hold onto that for 2, 3, 4 days, you know, a week, that's on you. That's on you. 20 years ago you might have gotten away with withholding it, but nowadays probably not so much.

Is there a standard window, or is it just dependent on the situation and kind of the circumstances of the company?

Yeah, it depends on the situation is the best way of saying it. But there's no harm in saying it happened. We've experienced it. Uh, we're investigating it, and we're gonna be communicating regularly to let you know what's actually happening. Now, that holding statement can be succinct and, uh, it doesn't necessarily have to be harmful at all.

But there is no harm in telling folks that's, that's what's happening, in our book. But yet in general, if you don't do it, there is harm because, hey, we needed you to know about that. Why didn't you tell us that earlier? We would've been okay if, at least, you told us, hey, this is happening.

Yeah, and I mean, we do incident response plans all the time with companies or we see them as part of our process with pen testing. And very, very rarely is the communication side talked about. It might be like one little line in the incident response plan. Everything else is about the technical. And I mean, obviously we want to contain and we wanna do all those things, but someone should be responsible for that side of it.

And we very rarely see it in, um, incident response plans. So I'm glad we're having this talk today. And kind of going into that, so what does, like, a well coordinated, smart incident response plan look like from the PR side? Like, what should companies be working on?

Yeah, I'll, I'll, I'll package this into a few areas here. One is just simply have a, a plan of attack and, uh, developing a plan, which essentially is a playbook, right? If you think about a sports metaphor, you wanna have a play, a playbook before you actually go into the field of battle, right? So what's that playbook look like? And then how does it correspond with the IRT? Right? In the event that something does happen, what's their playbook and how does it mesh well with the communications playbook? For the communication side, essentially identifying who is responsible for bridging between the incident itself and the communication side.

And then who's responsible for communicating to the parties that are affected. And that could be executives, that could be staff, that could be, uh, the customer or patient, depending on what you're talking about here. And then later on, who's communicating to the external factors. And that's, you know, certainly social media.

It could be vendors, it could be media, those different aspects. So having a plan is the first thing outta the blocks, right? Uh, who is responsible for when this actually happens? The second piece is to develop, um, you know, a, a training mechanism. You know, we simulate these trainings quite a bit for, uh, companies.

Now, there's no doubt you brought up pen testing, but this is a pen testing on the level of how would we communicate if this actually happens. And not to be, again, too cavalier on going out there and communicating. But, hmm, let's strategize first. Who do we need to have on that  team? And that's the IRT.

It's the, uh, the insurance. You know, we make sure the insurance, uh, has been notified because they actually might be, uh, bringing in their breach team or the panel to, to help in this capacity. Legal, we work completely in correspondence with legal. Uh, and what I mean by that is we are making sure that, what can we legally say?

When can we legally say it, and what can we do to, uh, ensure that we're informing the affected parties without having any self-inflicted wounds? So

And is that when the incident happens or ahead of time or both? Ideally.

It is a, it is ahead of time. It is ahead of time. And I'll give you an example, if I can, uh, of when this actually happens. We represent an NBA team, which I have to go without saying who they are, uh, we represent a pretty large NBA team and they do this on a quarterly basis. So they have an IRT and a communication side.

'cause there's a lot of different pieces to this NBA team. Part of this is we wanna make sure that we, they have all the proverbial, uh, people on the right bus when this actually happens, and when it becomes a, what we call a priority one, uh, attack, meaning it has a lot of different ramifications here. They wanna make sure that the legal team's brought in immediately, the insurances were, were protected on that side. Obviously the IRT and how they're communicating throughout that, throughout the communication side. So different scenarios. We concoct different parts of what would happen if, and who should be connected with, and what if about this, and our job throughout that process is to say, Hey, did you think about communicating to them? Or, boy, you missed a step here. And that's the whole idea, is you want to fail on your time and

Right.

the fog of war.

Yeah, of course. And I know we talked about transparency, and obviously transparency is really important. Where is the line between, and obviously depends on the legal team and the insurance and that conversation, but where's that line usually between honesty and transparency and then oversharing when an incident is still kind of fresh and happening? 

Transparency is always a, a good fallback to things, and it's okay not to have all the answers. And I think it's really important to have communications that are real, authentic, and saying that we are finding information out as much as possible and what is actually being done. So that gives some degree of comfort to those who are affected by the incident, right? And that's when the legal and the communication piece tap dance with each other. Because frankly, in the past, you know, legal doesn't necessarily wanna say too much at all, if not anything. But we're saying, Hey, uh, we need to communicate something.

So we find a common ground to, to, to share information now. A little bit of information, uh, uh, could be a dangerous thing, right? So we wanna make sure that when we're communicating, it gives them a sense of what we're doing and what they should, they, the, the audience should expect next. So that gives you a degree of fluidity of the communications, and it gives me, if I'm a customer, a sense that something's in control here, right?

We're getting the most latest information. Conversely to that, Valentina, the opposite is: don't communicate. Let the information flow as it is, uh, social media or customers calling, um, or typing in, uh, Hey, I'm having an issue, and no one responding. That's a hot mess. So if you have those communications set in stone ahead of time or on a regular basis, that's good transparency, but that's good practice and it's good form.

Yeah, I mean, I'm sure social media, I'm sure you get pulled in all the time and misinformation has already started to spread. It's already kind of taken over, and then you're kind of there to clean up the mess. So

That's getting proactive, getting ahead of it is a huge component of this. Right.

Yeah, it's hard to put the toothpaste back in the tube when it's actually out there, because to demystify some false information that's actually out there, you know, there's a couple different lone wolves who might be sharing information that's false. But if there's a theme going on there, I heard this, I heard this, I heard this, and you're not communicating, that vacuum of communication's being filled by the wrong people.

For sure. And how does it matter? Does it matter like what industry you're in? Obviously like healthcare, tech, you know, public sector. How does industry affect or does it how you should respond?

Yeah, I, I think the biggest, uh, change in that is, uh, regulation. You know, there's some parts where they, it is highly regulated, like in the banking industry or the financial services industry, or accounting, those types of things that are, uh, they require, uh, a certain degree of communication on a regular basis, right? Some don't, but certainly the healthcare industry is important because of HIPAA and other shareable laws that, you know, we wanna make sure that, uh, if your information is breached, we need to communicate, right? So industry by industry, there is a slight nuance; in general, uh, it's, it's still the same form of communicating, often being transparent and being smart about when and how you are communicating.

And if a company, you know, obviously, my job is to try to prepare companies so they don't get attacked. But if they do get attacked, or when, and your team comes in, how does that, I guess if you, you do early, you're transparent, you do all the right things in terms of this PR, what does the company's transformation look like afterward?

Like are there success stories? Is everyone pretty much taking a hit or how does that process go? 

Yeah. Success sometimes is that, uh, nothing  happened,

Yeah.

No one, no one afterwards celebrates a, a good cyber attack. Uh, they only are crying after a bad one, right? So a success really looks like, hey, uh, we communicated throughout the process. It resolved itself. Um, you know, we were transparent in, in regards to what happened, who was affected, and we corrected the problem.

All hands on deck with our customer service to answer these kind of questions, nuanced as they might be. We took a very. approach to handle that problem. That's when people are saying, good. Uh, they're not gonna give you credit or give you a star rating on how well you handled that part, but what they will do is not say anything, and that is a victory. And it's weird to celebrate that, but that is usually an indicator. And you move from that victim mindset that we talked about earlier into, Hey, we had this problem, we, we did this, this, and this. And you know,

Right. Giving your clients confidence that you're handling it. I think that's one of the most important things. Like, it's not really about the hack, it's about your response to it, and are you taking proactive measures? You know, what have you done? What are you going to do? What are your next steps? You know, it just gives everyone more confidence around it. And do you think, I mean, obviously this area has changed a lot over the last few years, not only on the social media and the visibility side, but also on the cyber attack side.

I mean, both sides are kind of running rampant at the same time. Do you feel like companies are being held to a higher standard, or is there a difference now? Do you think it's gonna change going forward in terms of what companies have to do in these incidents?

Yeah, lemme go get my crystal ball and find out exactly how this is all going to play out. But, uh, all joking aside, I do see a transformation on the communications flow and how quickly it, it's actually happening. What I mean by that is, uh, what we're seeing is, um, the attacks are being affected or being impacted by those who are, you know, uh, Hey, I just learned about this.

This seems funky. What should I do? And the communications channels are coming in from social or through the other, uh, channels, communication to the company, right? And that seems like a higher volume. So in an ideal world, you learn about the attack through, you know, the IRT and you, you resolve the issue and then you communicate accordingly. That kind of outside-in approach to it all. But no, it's coming in from the inside and going out, and like, oh wow, we didn't, we heard about this through different channels. That seems to me, from our examples, what we're dealing with, uh, at a, a different volume, a different pace, a different, um, dynamic than we were originally brought in for, meaning, you know, uh, you know, 10 years ago it seemed to me, okay, we, we've heard about this.

What are we gonna do about it? Now no, other people are hearing about it. What are we gonna do about it? So that pace has changed and I think it's continued to change, 'cause of the lightning fast way people are communicating and sharing information.

Yeah, and you know, I love to leave everyone with, if there was one thing that they take away from this, that's kind of easy to do, that they could do this quarter to start getting more proactive with this. Um, especially for companies that think, you know, it's never gonna happen to them, or even if it does, like they're the victim, and you know, they just haven't really thought about this reputation loss yet.

Um, what would be your advice for those companies?

Uh, three words. Uh, prepare, prepare, prepare. I say that because, uh, the preparation is very telling on how well you will respond from the incident itself on the technology side and then the communication side. And the whole purpose of preparing is to fail or learn from, right? I used the sports metaphor earlier, but it applies here.

Now that you have a game plan, you test it, you go to practice, and then game time, you have no idea what's going on in the game. Any game's gonna be different. That's why we watch games, right? 'cause there's just too many, too many variables. In an attack, there's so many different variables, but at least you have, you understand who the players are, you know who's doing what and when.

And you can at least navigate and, uh, call timeouts if necessary to regroup and re-strategize. But if you don't necessarily have that game plan or even that practice ahead of time, then you are destined for failure, uh, on the playing field.  

Well, one thing I really liked that you said earlier was about being authentic with it, and I think a lot of people think preparing means asking ChatGPT for, you know, a breach response and keeping that saved in a doc somewhere. And you know, the response side is not just that phrase or that, um, you know, that messaging, but it's, like you said, who's communicating it?

What's our timeline? Who are all the different people? And it's just, it's part of the incident response plan. So just as teams are establishing this plan on the tech side and the executive side, you know, have your entire team come together, and really you have to cover all these different sections because hacking does not just affect the technology stack, it affects the entire company.

It's a business problem, not just a tech problem. Um, so we have to be proactive with all sides of it.  

Yeah, I'm glad you brought up the word authentic because, of all things, last year's Merriam-Webster's, uh, Word of the Year was authentic. And authentic, people are smelling out what's authentic and what's not.

  Yeah.

The thing about AI and ChatGPT and all these different other, uh, applications, which we're all using, which is good, uh, but they can smell out. Hmm. Who wrote that? Right. And, or is that just an automated way to communicate? That's, people need more than that. And, uh, you might be called out on as far as how you handled it, even though you are communicating, it's more, more along the lines of, that seems to be inauthentic, and

Yeah.

you might be paying for the, that, that piece of it.

Yeah. If your apology sounds fake, that's sometimes worse than saying nothing. Um, yeah, I've always used em dashes, and now that ChatGPT uses them, I can't even use them anymore.

Who said that? Or have a lot of bullets outta nowhere. You're like, wait a second, what's going on?

I just like, I just like bold font, and now I can't even use it because people think it's, um,

Yeah, awesome. Well, Casey,

yeah, this was really helpful, even just for me to hear, and I think, um, everyone listening is gonna get a lot out of it, and I hope everyone takes away that, you know, it's not the end of the world if you get hacked.

Um, be transparent, authentic, open about it and, you know, be proactive with it. Figure out that plan ahead of time and the reputation loss will be a very different situation after. So Casey, thank you so much for joining today.  

My pleasure.

Thank you.