Rethinking Cyber Crisis Response: A Conversation About Transparency, Fear and Change 

By: Mike Kuczkowski

Cyber incidents are becoming increasingly common. In addition to the human impact, they are costly to businesses, averaging $4.88 million per data breach in 2024, according to IBM. When organizations face a cyber attack, conventional wisdom pushes them toward minimal disclosure: Say little. Share less. Wait it out. But new research suggests this response may need rethinking. 

We recently sat down with Lily Williams, winner of the 2024 Orangefiery Best Master’s Thesis award, whose research examined how companies navigate communications during cyber incidents.  Through extensive interviews with crisis communications professionals, Williams uncovered intriguing patterns around transparency, stakeholder engagement and the evolution of crisis management and response in an era where cyber attacks have become almost routine. 

Her findings challenge some fundamental assumptions about crisis and issues management while highlighting opportunities for more effective stakeholder engagement. Here’s our conversation, edited for clarity: 

Q: What drew you to study cyber security communications?  

A: I started in journalism, originally wanting to be a foreign correspondent. But even as editor of my high school paper, I found myself drawn to the strategic aspects – really understanding audience needs and tailoring stories accordingly. My first internship at Lenovo opened my eyes to technology communications, particularly cybersecurity. What fascinated me was the dual nature: you have both the product side of security offerings and this whole crisis dimension that unfolds when incidents occur. 

Q: Your research focused on how companies communicate during cyber incidents. What patterns emerged? 

A: One of the most striking findings involved how communications teams engage – or don’t engage – with cyber analysts and influencers. Every practitioner I interviewed monitored these analysts obsessively. They tracked their articles, followed their social media, watched every quote. But when asked about actually engaging with analysts, the universal response was “Oh no, we stay far away from them. We advise clients to stay far away.” 

Q: That’s a fascinating disconnect. Why such resistance to engagement? 

A: Fear drives a lot of it. When practitioners described even hypothetical outreach to analysts, they spoke from a position of weakness. There’s this deep concern about putting the organization at risk by revealing vulnerabilities through conversation. Most view analysts as potential adversaries who might spotlight problems, rather than partners who could help shape understanding of an incident. 

Q: Yet your research found some organizations taking a different approach? 

A: Yes, and their experiences were illuminating. The few participants who viewed analysts as potential partners described much more productive relationships. One CMO at a major cyber company explained how analysts would sometimes provide advance notice about vulnerabilities they’d discovered, allowing her team to address issues proactively. It completely reframed the dynamic from adversarial to collaborative. 

Q: How do you see this field evolving as cyber attacks become more common? 

A: We’re approaching an interesting inflection point. There’s a kind of cyber fatigue setting in – I’ve heard people casually remark “Well, I know my social security number is out there.” As the public becomes more accustomed to the reality of cyber attacks, organizations have an opportunity to be more transparent about their response. 

The question isn’t whether you’ll face an incident, but how you’ll handle it when you do. The old playbook of minimal communication made sense when cyber attacks were rare and shocking. But in today’s environment, stakeholders are more focused on how organizations respond and support them through an incident. 

Q: What does more effective cyber crisis response look like going forward? 

A: It starts with being clear about actions and priorities. Social media and cyber analysts can be incredible channels for telling that story – but it requires getting past this instinct to immediately go dark when an incident occurs.  

The most effective practitioners in my research were those who could balance appropriate caution with strategic transparency. They understood that while legal and technical considerations matter, the ultimate test is whether stakeholders feel supported and informed through the crisis. 

Q: Final thoughts on where this is headed? 

A: I hope we’ll see practitioners become more comfortable with transparency around these incidents. We can still be strategic advisors while being bolder in our positioning. The opportunities are there—we just need to evolve our approach to match today’s realities. 

The implications of Williams’ research extend beyond cyber incidents to core questions about crisis communications in an increasingly complex and transparent world. As practitioners, we may need to challenge some of our fundamental assumptions about stakeholder engagement, information control and the role of strategic communications in navigating modern crises. 

The 2024 Orangefiery Best Master’s Thesis Award is organized by the Institute for Public Relations. The award celebrates contributions to the advancement of research-based knowledge in the field of public relations, recognizing work that develops or advances theories within the public relations context, examines industry practices, explores societal impacts or provides critical insights into the field.