markus spiske iar afB0QQw unsplash scaled

CEOs & CISOs Need a Crisis Communications Plan

Cybersecurity readiness is no longer just an IT function. It’s a leadership function.

When a cyber incident happens, an organization is judged by more than how quickly it contains the threat. Employees want clarity. Customers want candor. Regulators want timely information. Reporters look for gaps. Investors, partners and board members watch for signs of control.

That is why CEOs, CISOs, legal teams and communications leaders need to prepare before the breach happens.

The strongest cybersecurity response plans identify systems, vendors and forensic protocols, and they prepare leaders to communicate clearly, legally and credibly while facts are still developing.

Recent incidents show why this matters.

  • In 2024, Change Healthcare was hit by a ransomware attack that disrupted health care payments, claims processing and pharmacy operations across the country. HHS later reported that approximately 192.7 million people were impacted, making it one of the largest health care data breaches ever reported. (HHS.gov)
  • That same year, CDK Global, a software provider used by auto dealerships, experienced a cyberattack that disrupted operations at dealerships across the U.S. Many dealers had to process transactions manually while systems were down. The lesson: a cyber incident can become a customer experience, employee communications, vendor management and business continuity issue almost immediately. (Reuters)
  • AT&T disclosed in 2024 that threat actors accessed records of calls and texts for nearly all of its wireless customers during certain 2022 and 2023 periods, though the company said the content of calls and texts was not included. Live Nation also disclosed unauthorized activity in a third-party cloud database containing company data primarily from Ticketmaster. Both incidents show why precise language matters. Leaders need to explain what happened, what is known, what is not known and what customers should do next while addressing concerns across a broad range of stakeholder groups. (SEC)
  • In 2025, Jaguar Land Rover faced a cyberattack that forced a six-week halt at its UK plants, disrupted suppliers and cost the company hundreds of millions of pounds. This was not only a technology story. It was an operational, financial, workforce and supply chain communications event. (Reuters)

The takeaway is not that every organization can prevent every breach or cyber disruption, but that leaders can prepare the people, messages and decision paths that protect trust when pressure arrives.

Breach communications readiness gives leadership a clear operating system before an incident. That includes:

  • A CEO and CISO message map defining who says what, when and to whom
  • Stakeholder-specific messaging for employees, customers, regulators, partners, media and investors
  • Pre-approved holding statements for early-stage uncertainty
  • A notification workflow connecting legal obligations with communications timing
  • Spokesperson preparation for executives who may need to communicate under pressure
  • Tabletop exercises that test communications decisions alongside IT, legal and operations

The CEO and CISO need different preparation. The CISO must explain what is known, what is being investigated, what has been contained and what technical steps are underway. The CEO must communicate accountability, business continuity and care for affected stakeholders. When those roles are prepared in advance, the organization has an opportunity to act quickly and minimize reputational impact.

Regulatory timing also needs to be built into the communications plan. Public companies generally must disclose material cybersecurity incidents on Form 8-K within four business days after determining materiality. HIPAA-covered entities must follow breach notification rules for protected health information. The StopRansomware Guide also recommends maintaining and exercising an incident response plan with an associated communications plan. (SEC)

This is where tabletop exercises matter. A strong cyber tabletop should ask: What do employees hear first? Who drafts the customer update? What can customer support say? Who briefs the board? What does the CEO say if the story breaks before the investigation is complete?

These are not soft questions. They are business continuity questions.

Corkboard helps organizations prepare CEOs, CISOs and communications teams before a breach happens, with breach communications plans, executive message maps, spokesperson preparation and communications-integrated tabletop exercises.

When a breach happens, leaders need more than answers. They need the preparation, clarity and confidence to earn trust while the facts are still unfolding.

Photo by Markus Spiske on Unsplash

Why BEAD Success Depends on Building Trust
Screwworm Is a Test of Trust