Cross cultural aspects of breach response strategies


The phones are ringing off the hook at headquarters, your web site traffic is exploding and your email boxes have reached capacity.

Why?  Your enterprise systems have been hacked, exposing millions of confidential customer personal and financial records. It’s impossible to determine where in the world the hack originated, but the implications are surely global considering the diverse customer base.

Because of time zones, news about the incident has been released in Asia before headquarters in Boston is out of bed. Asian stock markets are reacting negatively to the breach.

Ten years ago, this case would have seemed contrived, but in an age of borderless technology and distributed data centers around the world, this is the reality.

Let’s take a look at some of the key elements that must be addressed in every enterprise breach response strategy.

Culture eats strategy

Much has been written about the need for CSOs to develop a culture of security among employees and the need to implement zero trust security models. Many of us have been “tested” by our cybersecurity teams who send out phishing emails to see who responds. These training exercises are not foolproof, but they have raised awareness about emails that don’t pass the smell-test and how foolish it is to put passwords on the bottom of your keyboard.

While no one would argue against the critical importance of preemptive breach training, many organizations ignore the “during and after” aspects of these training programs. Most important, a single, coordinated breach response strategy that is applied globally is not an option. Cross cultural communications strategies are challenging, especially given the locale of headquarters could be the foundation of that corporate culture. Even though many companies claim to have a “citizen of the world” culture, the HR recruiting brochure copy and reality are two totally different things, especially during emergencies.

For example, some cultures inherently feel “silence is golden.” Anyone who has been in meetings in a Japanese board room know it is not unusual for the lead executive to go into “thinking mode” where no words are spoken. It is actually a form of nonverbal communication saying, “I am pondering.” To the American this quiet period (that seems like hours when it’s only minutes) is sheer torture. On the other hand, in many cultures communications flow rapidly across citizens and employees, whether formally or informally.

Add to this challenge the fact that the culture of the media can vary dramatically when it comes to covering major corporate breaches. Again, since breaches almost always have some global implication, employees and executives will be required to respond to press organizations that may not operate the way they are used to.

Hopefully you’re getting the picture being painted about the challenges of global breach response strategies. I’ve written frequently about the need for corporate communicators to take a “Global chassis … Local body” strategy around the world. In essence, you have a strict global foundation that does not change, but there is latitude to customize country-specific elements.

Establishing culture-sensitive best practices

For example, in a global breach response strategy there are strict communications elements that are standardized regardless of the country. This may be a headquarters statement from the CEO about how the firm is sensitive to the anxiety of customers and that every effort is being made to identify the cause and to minimize damages. Everyone in the headquarters organization, from the C-Suite to receptionist, is trained on these central talking points and warned of the consequences of going off script.

At the same time, country-specific breach response strategies must be deployed that are sensitive to how communications are sent and processed by the institutions and customers of that country.

It is also important for every employee to be keenly aware of the Butterfly Effect of Breach Response Communications. A butterfly flapping its wings (or perhaps lips) in Beijing can cause a hurricane at New York headquarters.

This balancing act is providing local in-country customers assurances that take into account the nuances of the local culture, while being sensitive to the fact that even simple statements in a small office in Singapore can instantaneously appear on The Economist news wire around the world.

Savvy cyber breach “first responders” will tell you that two key principles apply just as they do in a physical disaster.

The first is that enterprises need to conduct “cyber drills” in much the same way they train for fires, hurricanes or tornados.

Second, there must be a clear global cyber chain of command the moment a breach occurs. Many firms hire former military officers for these positions, not because of their knowledge of defense, but more for their experience establishing these command chains.

Speak Your Mind


This site uses Akismet to reduce spam. Learn how your comment data is processed.