The news just keeps getting worse: We now know that more than 45 million credit and debit card numbers were stolen in the TJX Companies Inc. data breach. Over the past few months, the scope of the problem seemed to grow with each announcement. The public didn't learn the (presumably) final toll until late March, when the Framingham, Mass.-based company filed the figures with the U.S. Securities and Exchange Commission.
Even now, with the news out there, company officials aren't eager to talk: Calls seeking comment for this story went unreturned. And this kind of response is all too common. Coverage of last month's massive BlackBerry outage stressed that users were less annoyed by the failure of service than by the lack of communication from the vendor, Research In Motion Ltd.
Yet IT executives who have successfully handled data breaches and other incidents say communication is actually one of the most effective ways to contain a crisis.
"Transparency both inside and outside the organization is very important, and an important role that a CIO can play is communicator," says Darryl Lemecha, CIO and senior vice president of shared services at ChoicePoint Inc., a data aggregator in Alpharetta, Ga., that suffered a security breach in 2005 and learned firsthand the critical role that honest communication can play.
CIOs are making headlines these days, but not always for the right reasons. Security breaches, crashed Web sites and other public technical snafus create the kinds of crises that put IT leaders front and center.
Are you prepared?
You'd better be, because how you follow up in the immediate aftermath of a crisis can affect not only how the event is perceived, but also how successfully you'll avoid trouble in the future. It's not so much what occurred that matters, says Mike Tainter, IT service management practice director at Forsythe Solutions Group Inc. in Skokie, Ill. It's "how it was handled and communicated afterward. That's what really matters," he says.
As CIO, you can't leave crisis management to other executives, even if you're buried in the immediate task of solving the technical problem that precipitated the whole mess. You need to both lead the IT work and play a key role in the business's efforts to cope with the aftermath. Here's how:
Rely on your plan.
This is no time to wing it. "You shouldn't stand back and scratch your head and say, 'What should we do?'" Tainter says. Instead, get out your incident response plan and put it into action. As your IT people start running down the technical causes of the crisis, you should start implementing the plan that lays out your business responses, your key contacts, and your public and regulatory obligations.