
How to handle the first statement in a cybersecurity crisis

If you’re designing your incident-response playbook, don’t forget the communications plan.


Credit: Illustration: Brittany Holloway-Brown, Photos: Adobe Stock


Gideon Rasmussen is no stranger to crises, or the crowded conference rooms that accompany them.

Rasmussen, a cybersecurity management consultant at Virtual CISO, has seen chief information security officers and IT pros pulled into discussions with communications professionals and executives following an outage or cyberattack. Inevitably, the talk centers around who needs to be informed and what information needs to be in the company’s memo to the public or to concerned customers.

“It’s a bit chaotic because there’s no preparation for this,” Rasmussen told a crowd during an August 18 session at ISACA and the IIA’s GRC 2025 Conference in New York.

Rasmussen and crisis-comms pro Brian McDonough shared with IT Brew ways that decision-makers (and IT) can plan ahead for a cyber disaster, such as constructing a holding statement and a starting-five crisis-management team.

A day at the breach. According to the Identity Theft Resource Center, the first half of 2025 saw 1,732 data compromises—a little over half (54.9%) of 2024’s total of 3,155 incidents.

A web of state laws, contractual obligations, SEC disclosure mandates, and best practices from popular guidelines like the NIST cybersecurity framework call for some form of external communication when there’s a data breach.

A lot on your template right now. Rasmussen, in his presentation, stressed the importance of having a prepared holding statement—a predrafted template for common crisis events—ready to go.

He suggested that a template written in advance with a company’s IT team, senior execs, communications pros, and legal team can buy much-needed time for security experts leading the technical incident response.

One quick template example that Rasmussen shared during his presentation: “At this date and time, we discovered X type of data had been compromised, and we’ll give you more information as it becomes available.”

“You need a week or so to really determine what’s the extent of the access that the threat actor has,” Rasmussen said to the crowd of IT-governance pros.

First comms first. McDonough, senior account director at crisis-comms firm Kessler PR Group, has seen his fair share of crowded conference rooms, while helping orgs like law firms, banks, and universities deal with cyber incidents ranging from ransomware to a successful phish for sensitive data.


McDonough advised companies looking for a head start on crisis comms to check their cyber insurance policy, which may offer communications assistance.

Also, McDonough recommended companies form a crisis-management team of five or so decision-makers with the authority to approve statements. Members can include an attorney (someone familiar with industry regulations) and other pros who “know the temperature” for external and internal communications (HR, for example). (“Make sure that their cell phones and emails are readily accessible, because you know this can happen at nine o’clock on a Tuesday night,” he warned.)

You don’t say… As for that first post-crisis communication, McDonough reviewed important factors for the crisis-management team to consider.

  • Communicate when an attack was discovered. If an attack was caught quickly, emphasize that, McDonough said.
  • Mention the steps taken to contain an attack, and what remediations will be added in the future, he advised, including ways to address customers’ privacy concerns—for example, dark-web monitoring or free credit-monitoring services.

There are plenty of “landmines” to avoid in this first communication, he added.

  • Don’t speculate, McDonough warned, because an early, inaccurate announcement of a successful containment could lead to a loss of credibility. He also advises having someone “a step or two below the CEO” provide the initial message: “If a CEO says something that is later proven to be inaccurate or incorrect, there’s no one to escalate above to repair the credibility of the situation.”
  • Don’t promise hourly updates if you can’t provide them, McDonough said, adding that it’s “perfectly acceptable” for a company to say they don’t have all the information and are working to learn more: “You don’t have to pretend that you know everything up front.”

There’s a way to involve IT in the messaging, too, while keeping them out of that crowded conference room. McDonough often sees IT leaders “bless” a final statement and confirm its accuracy, rather than have them deal with all the editing.

“The main goal is to make sure that your first step is not a misstep,” he said.
