Firstly as we move on, can I just say that geoFence blocks unwanted traffic and disables remote access from FSAs!
It’s been a tough year for business. From ransomware attacks and power outages to cloud downtime and supply-chain disruptions, it’s never been more important to communicate to customers and stakeholders about what’s going wrong and why. Yet, with partial data and misinformation often spreading faster than official word, it’s also never been harder to deliver accurate and timely messages.
Given the complexities of this environment, I wanted to convene a group of specialists to talk about what the future of crisis comms holds for startups, technology companies, and business more broadly. We had a great set of three folks discuss how to build resilient orgs, handle the decentralization going on in tech today, and how to prioritize crisis management over the mundane tasks every day.
Joining us were:
- Admiral Thad Allen, who as commandant of the Coast Guard and during his career, was commander of the Atlantic coast during 9/11, and led federal responses during Hurricane Katrina, the Deepwater Horizon oil spill, and the 2010 Haiti earthquake.
- Ana Visneski, who worked with Allen on building out the Coast Guard’s first digital presence as an officer and chief of media, is now senior director of communications and community at H20.ai and was formerly global principal of disaster communications for Amazon Web Services.
- John Visneski is the chief information security officer (CISO) at Accolade, and was formerly director of information security at The Pokémon Company. He served 10 years in the U.S. Air Force, where he served as chief of executive communications, and yes, is Ana’s brother.
This discussion has been edited and condensed for clarity
Prepping an organization for catastrophe
Danny Crichton: You’ve all been in disaster communications, in some cases for decades. What are some of the top-level lessons you’ve learned about the field?
Admiral Thad Allen: Great communications and great communications people can’t save a dysfunctional organization. There’s only so much you can do with what you’ve got. I want to say that as a proviso because I’ve seen a lot of people try to communicate their way out of a problem.
The big difference between Katrina in 2005 and the Deepwater Horizon oil spill in 2010 was Katrina was before Twitter and Facebook and Deepwater was after it. In the old days, you went out and did your job. There might be an after-action report, but it was pretty much done within your organizational structure.
I’m going to really date myself. We sent forces into Somalia [around 1993]. It was the first time in history that CNN watched the people come to shore from the amphibious vehicles and I knew life had changed dramatically. There is no operation that takes place these days where the public is not part of the operation, part of the environment, part of the outcomes that are generated. If you fail to realize that, you’re going to fail right away. Anybody who’s got a cell phone enters your world of work.
So the question is, how do you think about that? That’s resulted in a significant Black Lives Matter movement with George Floyd and somebody happened to be there with a cell phone, and if that had not happened, that situation probably would not have turned out the way it did. So the question is what are we to make of that loop?
John Visneski: Generally speaking, your organizational hierarchies are not designed to be optimized for a crisis. They’re designed to build consensus. They’re designed to understand budgets. They’re designed for long-term planning. It’s the same in the military and it’s even worse in the private sector. And so there’s no concept of situational leadership. There’s no concept of who’s actually in charge during a particular crisis.
In recent attacks, the folks that were in my position, didn’t do a good enough job of explaining the technical aspects of what was going on in such a way that their organization could channel that into something that could then be translated to the public.
Ana Visneski: That’s actually called the theory of excellence in crisis communications, which is basically you have to have this transparency and this well-organized system before something goes wrong. And almost everyone doesn’t.
A good example is in 2017, when S3 broke for AWS, which is how I ended up doing crisis comms for them. I looked around and I said, “Well, why don’t we use our crisis comms plan?” And my boss said, “Our what?” And so I ended up building the critical event protocol and I built it based off the Incident Command System (ICS) that is used by federal agencies during a disaster. And essentially it was a big red button that says “Stop! Everyone get on a call, figure out who’s in charge of responding” that just unifies everyone.
Admiral Thad Allen: I’ll give you a classic antidote because I’ve written about it quite a bit. When I was going to the Sloan School at MIT, in December of ’88, we went down to New York and visited a bunch of CEO’s, and one of the days we went across the river to see the CEO at Exxon, a guy named [Lawrence G. Rawl]. During the discussion, I asked, “Bhopal was the biggest industrial accident in the history of the world today. As a CEO running a big corporation, have you thought about what happened if you had a similar Bhopal-type situation?” He spent 20 minutes going over their extremely well-thought-out communications plan and four months later, the Exxon Valdez ran underground and they actually failed at everything.
John Visneski: Your plan that you write down on paper is only as good as how much you practice it. Right? One of the things that the military typically is pretty good at is practicing before you play. Doing mock drills, doing tabletop exercises, having a red team that throws things at you that you might not expect.
Admiral Thad Allen: Yeah. I’ve dealt with a couple of large firms that have had very big problems. The default setting, if you haven’t thought about this ahead of time, is they go to a subject matter expert and hold them accountable for what the organization should do. That is not the way to do it. You need a designated person to create unity of effort. It’s got to involve the C-suite, and it’s got to involve not only your clients and your stakeholders, but your supply chain.
Ana Visneski: We keep talking about training, but just having a plan in the first place is critical. With some of these big companies, they’re so siloed that when something like this happens, everyone’s trying to do the right thing and running into each other. If you don’t have redundancies built in and backups for your backups, you’re going to go down hard.
You’ve got a plan for what happens if your main spokesperson was the incident? Or what happens if there was an earthquake and, all of a sudden, you don’t have your C-suite to talk? And John can talk a lot about this, but the last mile is another problem with crisis comms. If it’s a big disaster, you’ve got to plan around your tech, how are you going to get the information from the field back to where you can actually broadcast it out to people?
Admiral Thad Allen: When I got called to go to Katrina, I was on my way to the airport and the last thing I did was I sent my son along to a Best Buy to get me a mobile handheld and a SiriusXM receiver, so I could have awareness of what was being done. As far as the communications, a thing like that was the smartest thing I did.
John Visneski: One of the biggest challenges is this all needs to be resourced, right? Your company needs to actually dedicate resources to that prior planning. To being able to build out the infrastructure, to being able to have hot-swap data centers and locations and things like that. And sometimes whether it’s your board or whether it’s your CFO or whoever’s holding the purse strings for your organization, it’s really hard to justify the return on investment that a lot of folks see as sort of a rainy day fund.
So it’s incumbent upon the leadership of the organization, particularly the leadership that is going to be involved in some sort of a disaster response to get ahead of those conversations and understand how disaster response can do things to protect revenue.
Ana Visneski: Because of the pandemic, we’ve had almost two years of shit hitting the fan. So we’re seeing a lot more C-suite leaders going, “We need to know how to be prepared for what happens next.”
Communicating in a decentralized and flat world
Danny Crichton: If you think about the last 20 years, particularly in the private sector, we went from a model of headquarters buildings, large leadership structures all in one place, oftentimes a fairly hierarchical model of how to operate a company, etc. Today, we’re seeing decentralization, and a sort of horizontalness in a lot of companies. How does this new culture affect disaster communications?
Ana Visneski: Well, now that there is this decentralization, it’s incredibly difficult to wrangle all of your people and get everyone on the same page. And you have to think about what happens if Slack goes down. It goes back to redundancies — you have to have multiple ways of contacting your people.
Along that line, I am not a fan of companies saying is, “You can’t post on social media or you shouldn’t do this or that.” Because all that does is sows distrust. Instead, I am a big fan of training your people to do it right. Of course, you have to have company policy that if someone during a crisis is posting secure information or lies, or is just being a racist jerk, obviously there are consequences, but training your people to use the tool right, helps with transparency.
Admiral Thad Allen: My motto when I was commandant was transparency of information breeds self-correcting behavior. If you put enough information out and everybody holds it, organizational intent becomes embedded into how people see the environment they’re in. They’re going to understand what’s going on and you won’t have to give them a direct order to do the right thing. They’ll understand that. And I think that’s really important.
In the military, we have something called a “common operating picture,” and it’s basically a display where everybody’s at, what they’re doing at any one time. It’s not an order. It’s not hierarchical. Instead, it provides context and provides a window into what you’re doing.
So I think there’s a difference between creating a common operating picture and what actually constitutes authority. If you can separate those, the more you put into the former, the less of the latter you’re going to have to do.
John Visneski: I’m based in Seattle. We have an office in Philadelphia, an office in Houston, an office in San Francisco, and an office in Prague. There’s people in all those offices who are critical for our business. The advantage we have is the advantage that a lot of tech organizations take for granted, which is we were already going through a digital transformation, or we were already on the backside of digital transformation. Cloud focus, Software as a Service, Slack, email, Signal on my phone, a million different ways for me to communicate with my team, communicate with leadership and things like that.
What we take for granted is, there are a lot of organizations in the United States and worldwide that have not gone through that digital transformation. No offense to the military, but when I was at the Pentagon, if email went down, you might as well play hockey in the hallways because no work was going to get done.
Admiral Thad Allen: You can add losing GPS as well.
John Visneski: Exactly. So a lot of organizations have had to come to terms with how do they communicate when they’re distributed like that? The answer isn’t one-size-fits-all. It might be different for an Accolade, different from a Facebook, different from a Twitter, different from a Bank of America or a Bank of New York Mellon. Just based on what their architecture looked like pre-pandemic, what their architecture looks now, and what sort of investments they’ve made to future-proof themselves, should something this ever happen again.
Ana Visneski: I was on a Twitter Space recently, and I was talking that in the United States, especially those of us who are in the tech industry, we tend to take for granted all of this stuff. There are all of these assumptions that are made. In reality, not only do you have to deal with the last mile if a disaster happens, but you also have to deal with the fact that not everyone has one of these super computers in their pockets all over the world.
Talking about technological arrogance, but people forget radio. People forget that there are these older technologies that in a disaster are still where you’re going to go. John makes fun of me all the time, because I’m trying the new thing every time it comes out, but you can’t forget the stuff that works like radio in the morning.
The crisis of crises and how to handle the infinite range of disasters today
Danny Crichton: The next subject I want to get to is the range and diversity of crises that are hitting organizations today. The Admiral had brought up Exxon and ’89. Okay, you’re an oil company, you have an oil spill — I wouldn’t call it predictable, but you can certainly create a plan. You can say, “Here’s how we need to communicate. Here’s how we handle this.”
But look at the range of stuff we’ve had to deal with in the last year. Everything from a pandemic to Texas power outages, wildfires in California, TSMC is dealing with a drought in Taiwan, you’ve got internal employee hostile workplace protests, external protests, ransomware attacks, bitcoin heists, and on and on.
Ultimately does the same toolbox work no matter what the crisis is? Or do different types of crises demand different kinds of responses? And how would you know the difference?
Admiral Thad Allen: I taught crisis leadership in large complex organizations for four years at George Washington University. In the last class, I told my students to write down the worst catastrophe they could ever think would happen that you have to go and wake up the president in the middle of the night. They all wrote it down on a piece of paper, folded it up and put it in a ball cap. I shook it up and pulled one of the pieces out.
I said to the class, “Just listen to what I’m about to say. Thanks for getting up and coming in early to the White House Press Corps office this morning. I want you to know the president was notified at 4: 30 this morning about what happened. He and the First Lady were overwhelmed with grief for the loss of life and the impact on the community. We’ve set up a schedule where we’re going to brief the president every four hours and a meeting following the brief to the president. There’ll be a brief to the press 30 minutes after that. The cabinet’s been advised.” And I went on and on and on.
I finished and I said, “What do you think about that?” And James Carville, who was visiting, said, “It’s great” and he asked, “Well, what was the event?” And I said, “I never opened the paper.” So to your point there’s some things that are just a goddammed no-brainer.
Ana Visneski: I took the ICS [Incident Command System] structure and rebuilt it basically to work in the corporate setting. And the reason that’s so effective is it’s built to be flexible. You have someone who’s in charge overall, you have someone who’s in charge of communications. You have someone who’s in charge of logistics. You have someone who’s in charge of security, and it flexes up or down. And so no one can necessarily predict a “black swan” event. But you can build a core response system that is as close to all hazards as possible.
Admiral Thad Allen: Predict complexity.
Ana Visneski: Yes. And you predict that it will be complex and that nothing goes to plan. We’ve made a lot of jokes that nothing prepared me for a wedding during COVID like having been a first responder. Well, my brother got married last year too. And I did a little bit of help there with my background, but for my wedding, nothing was the same. And it’s the same thing during a disaster. Katrina is different from Gustaf. Gustaf was different from Sandy, but they’re all hurricanes at their core.
Admiral Thad Allen: I just spent an hour with a bunch of government employees earlier today on the same topic. What happens in a “complex” situation is that existing standard operating procedures, legal theories, frameworks, and governance break down and do not work, and they have to be replaced with some other way to deal with it.
ICS allows you to do, and with the right standard doctrine, you can get pretty close to a 50-60% solution that will get you headed in the right direction while you figure out the rest of it.
John Visneski: I’ll say at least from the tech side of things is those plans need to abstract technology almost entirely. Take it up to a level where it doesn’t matter what your communications method is from a technological standpoint. Don’t assume that you’re going to have the bits and bytes flowing the way that we do now. Don’t assume cell towers, don’t assume power, don’t assume any of those sorts of things, because the second that you predicate your plan on those assumptions is the second that the complexity is going to come in and tell you you’re wrong. The 40% that is not planned for is going to become what outweighs the 60%.
Ana Visneski: I think one of the things the tech industry kind of runs into is we are so reliant on the technology now that we can’t imagine what we’d do without it. At the end of the day, good crisis comms relies on good people, and good crisis and disaster response relies on the people doing it.
So you have to build your plan around the people and the structure there, and then use the technology at hand during the event to augment what plans you already have for people. Because by the time I’d write a crisis plan for something. If I included Twitter and blah, blah, blah, well, one like John just said, it’s going to break. Or by the time we have the crisis, the technology has changed and we’re using something else. So you got to write it from a perspective of people first and tech is the tool.
Prioritizing crisis management over the day-to-day metrics of a business
Danny Crichton: Okay, so obviously we should all spend more time figuring out how to communicate better during crises. But everyone is busy, and every person is trying to hit whatever metric they need for the quarter. How do you get a low-risk but hugh-impact issue like crisis management on the priority list?
John Visneski: For a B2B organization or a B2C organization or really anybody that’s selling a particular service, typically you need to lean on compliance requirements first. So customer contracts are going to say, from a security perspective, your data security addendum, your privacy addendums, and things that are generally going to have some language that centers around having a business continuity plan, a disaster response plan, an incident response plan, a cyber incident response plan, and then the really good contracts are the ones that actually specify you’ll do it no less than two times a year. So the first thing to lean on is those compliance requirements, because those will actually directly tie to revenue.
Then the secret sauce and what a lot of us in the cyber community are trying to get better at is how do you take that next step? We know that compliance does not necessarily mean security. We know that just because we have a written business continuity plan and that we say we exercise it, we present a report that says we exercise it, doesn’t necessarily mean we’re going that next mile to make sure that we train our employees. The education piece of it is really what we need to advocate to get additional resources for.
Admiral Thad Allen: My pitch to these big companies is if you’ve got a regulatory requirement, you have a plan that’s required. Why would you fund that and not take the opportunity to add just a little bit of incremental effort and resources to take advantage of the natural cycle that you’re required to do anyway?
Ana Visneski: Hit them where the money is, because a good crisis plan can range in price. Let’s say you spend $200,000 getting your system set up. If you’re looking at these companies, a disaster or a crisis could tank your company. Or it could cost you millions and millions of dollars if you’re not prepared. So at the end of the day, the ROI is huge.
And like I said before, with COVID having just happened, I think more of leadership is aware that, “Hey, we’re not crisis proof just because we’re a gaming company or just because we’re whatever.” No, one’s crisis proof. So at the end of the day, you’re going to save money. If you just do it in the first place, because then you just have to update it every year, and you just have to do a little bit of training. The biggest cost is on the front end and then just maintaining it after that and updating it.
John Visneski: Everyone knows that if something bad happens, if you don’t have plans in place, you’re going to lose a shit load of money. But let’s think about it from a consumer standpoint. Generally speaking, your average consumer is becoming much more conversant when it comes to privacy.
Moving forward, it isn’t enough just to say, “If we don’t have this, things can go really bad.” It’s also to say, “We can leverage this if we do this really well. And if we can advertise to our customers, whether it’s another business or whether it’s the consumer that not only do we protect your data, but also we have all these plans in place in order to react to complex situations.” You can actually use that as something that separates you from your near-peer competitors in the business world.
Ana Visneski: At the end of the day, if the trust isn’t there in the tech and the trust isn’t there that you’re doing the right things, it doesn’t matter what you do when a crisis hits. You’re already in the trashcan.
Lastly, let's keep in mind that geoFence protects you against inbound and outbound cyber attacks!