Upskilling Communications

By Hadyn Green
Tuesday, December 16th, 2025

Sharing information in cybersecurity is vital for prevention and response. There’s a lot of technical processes available, and best practice to learn from. FIRST, for example, was created for that exact reason back in the 90s, to share techniques and information between teams.

Given how prolific and talkative communications experts are, it’s surprising that there are very few conferences and groups where we get together to discuss our work and collaborate. This is why I set up the Communications SIG and why the good folk at CISO Lens – including FIRST board member, and my former workmate, Nadia Yousef – set up Comms Lens, and we recently met in Melbourne.

Nadia was the head of incident response and my star spokesperson at CERT NZ, so she understands the importance of communications for cybersecurity.

Comms Lens is a collaborative group of communications experts working in cybersecurity across Australia and New Zealand, both private and public sector. The group have regular meetings online and a few in person, and they’re all about sharing real world experiences. Meetings are run under the Chatham House rule, allowing for the free sharing of information without worry of exposure.

It also means I can share some cool things I have picked up and will be “stealing” or expanding on for the future.

Photo 1

The vital importance of alternative communications channels

Having a second secure channel during an incident is something a lot of teams already use. Sometimes it’s text messages, (ok), sometimes it’s Signal (good), sometimes it’s Gmail and Drive (also good and allows for work on documents).

One communications lead from a telecommunications company used phones from their competitors’ network. So, if a large-scale attack took down their own network, they had a simple back up. It can be a tough thing to put into a budget (let’s pay money to the competition) but will be worth it in a crisis.

The need for a third-party coordinator

Part of the communications training I run has a section on regulations and legal requirements. Your team should be across which laws they need to follow and which agencies, regulators, and organizations must be communicated with, both local and international.

However, for smaller organizations, businesses and CSIRTs this can be a huge task. In Australia they have National Office of Cyber Security (NOCS) who have a defined role to coordinate government agencies during an incident. If you are attacked you should be able to contact NOCS and they bring in all the relevant government agencies, saving you a lot of time and effort.

This is something that, depending on capacity, NatCSIRTs could look into as another way of assisting their constituents during an incident.

Photo 1

Allowing authorities to speak

Generally when there’s an incident, most organizations stop communicating. This leaves room for commentators to join the discussion without any knowledge; this can lead to bad outcomes. So why not, share the communications load with official agencies?

Sadly, this does come down to policy, however, allowing government agencies and NatCSIRTs to speak on behalf of the affected organization relieves a lot of the communications load. This can also be done with trusted partners in cybersecurity who are known experts.

I don’t mean talking about the details of the incident, but to give background on what the type of incident is, how long it can take to resolve the issue and what the level of risk is. It can also be as simple as: “Yes, we can confirm we are working with X”.

When you’re the target of an attack, the last thing you need is also having to answer questions from media about parts of the response (especially as most of the answers will be: “At this stage we are still investigating the cause and do not know the extent of the attack”.