We live in an age where data breaches are common and consumer trust keeps falling to new lows. For this reason, the relationship between Chief Information Security Officers (CISOs) and public relations has never been more important, and yet these two business functions still operate largely in silos. To address the persistent lack of consumer and public trust in corporations, especially those that hold personal data, CISOs and PR teams need to work as one. So, what do CISOs really need their PR teams to understand, and where is the knowledge gap? Let's look at how to bridge that gap and what CISOs wish PR teams knew.
Speed without accuracy can be dangerous
When a cyber incident does occur, PR professionals are often the first to feel the pressure. The leadership team, executives, media, customers and investors all expect the PR team to "get ahead of the story." Speed is undoubtedly important, but accuracy is more important. CISOs understand better than anyone the gravity of releasing information that is incomplete or misleading. One wrong statement can compromise the integrity of the investigation, trigger unwanted or even unwarranted legal consequences, or cause lasting damage to the company's reputation. A practical safeguard is to clear every external statement with the incident response lead before release, so that it contains only facts the investigation has actually confirmed.
PR teams recognise that although transparency should be the backbone of external communications after an incident, immediate transparency does not always mean immediate detail. A well timed and well written media statement that reflects the current, confirmed understanding of the incident is far more valuable than a rushed statement that later has to be retracted or corrected, which only adds stress and erodes credibility down the line.
Security incidents aren't just "bad publicity"
From the perspective of the CISO, a data breach or incident is not just a publicity crisis: it is a threat to internal systems, to the security of customer data and, in extreme cases, to national security.
PR teams tend to view these crises through the lens of reputation management rather than through the technical lens the CISO sees through. PR and corporate communications teams may be tempted to downplay the severity of an issue to manage the optics, but this can, in the long run, cause greater reputational damage and a loss of security credibility once the full picture emerges.
CISOs want PR professionals to take the threat landscape seriously and to respect the technical work being done behind the scenes. PR teams should therefore frame the incident with the integrity it deserves and avoid inflaming the narrative with phrases like "sophisticated attack" or "catastrophic breach." Claims of sophistication are a particular risk: they are often contradicted once the root cause is established, and a company that has led with them loses credibility twice over. Deflecting blame should also be avoided while the investigation is still underway.
Security messaging is proactive, not reactive
To our earlier point about working in silos, many PR teams still only interact with CISOs when a crisis hits, and this misses many valuable opportunities. Trust and credibility are built over time, like the foundation of a building, so building a cyber narrative during "peace time" sets corporations up to handle incidents better as they arise. This is especially true in the context of investor relations and reputation management.
Positioning the organisation as security-conscious, including preparing holding statements in advance, should not start with a breach. There should always be a clear, consistent message about the company's commitment to data protection and risk governance, so that incident communications are a continuation of that story rather than its first chapter.
With greater understanding comes greater strategy
CISOs do not expect PR practitioners to be cybersecurity experts. What they do expect is that PR teams understand the basics and how those basics inform external communications: what ransomware is, why threat intelligence matters and what a zero-day exploit means. With this foundational knowledge, PR teams can act not just as messengers but as trusted partners, better able to shape communications strategies that support both reputation and risk mitigation.
Ultimately, what CISOs wish PR teams knew is not especially different from what great communicators already understand: the power of storytelling is greatest when it is grounded in truth, context and trust.
The best PR outcomes happen when both sides are engaged early, speak a shared language, and are aligned on a single goal: protecting and preserving the trust of customers, employees, and stakeholders. When that happens, security teams and PR teams don't just coexist, they become mutually reinforcing strengths.