On today’s episode, David Damato, the CISO at Gemini Trust Company, joins us to speak about what occurs within organizations during and after a breach—and what should happen for the best outcome. He emphasizes communication, confidence, and clarity.    David’s Journey  David works for Gemini, one of the few regulated crypto currency exchanges out there. It is regulated by the New York Department of Financial Services, along with other entities. They must demonstrate that they’re a legitimate organization, as the field as a whole has had a lot of problems. They prioritize building trust, and David believes the industry is evolving to a more mature state.    Before Gemini, he spent about 10-15 years working at scrappy, small organizations. He had a lot of fun helping them grow into larger institutions and sharpened his expertise.   The Planning  David has aided over 100 organizations directly during a crisis, and indirectly has helped a couple hundred. In working with many institutions, he has found that the best outcomes occur when the company executes on the practice and the planning they had done prior to the breach in an organized manner. Planning starts way before a breach and is structured around the architecture, logging system, data and if the team engages in mental exercises.    David also explains that the size of the organization affects the outcome, as well as security’s status within the institution, and the two type of panic that rise: panic that people will find out or panic over the safety of the customers’ and their data. How David is often viewed, either has help or a hindrance, reveals the priorities of the leaders. An organization can either be grateful for his team exposing flaws so that they could fix them, or they try to hide mistakes. Listen to the episode to hear more examples of behavior that influence the crisis management.    Branding and Communication Next, David speaks on communicating both internally and externally about the breach. An effective security team communicates with the rest of the institution about the importance of the job. If you can advertise to the right people about the threat and what you can do, you can receive more funding. If not, you might struggle to solidify your place in the institution.     David also points to the branding of the company as having an impact on how the breach is viewed or manage. He gives Google as an example. They have great trust in them and they participate on boards and at events. When there was a breach, they talked about it and talked about it in the right way. People already liked the business and the brand before the breach occurred, so they were more forgiving when it did. All of these factors helped the breach be better received.    Additionally, the figurehead of managing that breach is also important. David finds that non-technical executives need training so they can know what to say when a breach happens. Without this training, executives can sometimes misspeak out of lack of knowledge, or overshare without realizing this could worsen the threat. He emphasizes training and practice.  During and after a breach, how an organization communicates to the public is key. Therefore, those points of contact must be taken seriously: from phone calls, to interviews, to the letter. As an example, David and Steve run through a practice interview. Listen to the episode to hear what David presents as a solid response, an incompetent one, and the difference between the two.    David iterates on how institutions should have relationships with reporters who they trust and like. When these relationships are established, the news can be reported accurately by someone who understands cybersecurity. Additionally, they organization needs someone who understands what information should be public and what shouldn’t, for the safety of everyone involved.  Evolving Controls  David touches on how many institutions need to catch up with the evolving controls. Even n