When the Normal Channels Fail

How to establish trusted executive communication when email, messaging, directories and normal devices may be unavailable or monitored.

The answer

Incident communication requires more than encryption. Participants must know who is speaking, which channel is trusted, what information may be shared and how decisions are recorded when normal systems are degraded.

The communications plan usually depends on the incident

Escalation lists live in the corporate directory. Response rooms use the same single sign-on. Executives carry the same managed phones. Contact details sit in the email system. The plan assumes all of them remain available and trustworthy. During a serious compromise, that assumption can be wrong. An actor may monitor messages, control accounts, alter directories or use the response itself to learn that detection has occurred. CISA’s ransomware guidance specifically recognizes the need for out-of-band communication during containment. Moving to another app is not enough. The organization must re-establish trust.

A trusted channel has four properties

  • Identity — participants can verify who is speaking without relying only on the suspected environment.
  • Confidentiality — information is protected from unauthorized access appropriate to the incident.
  • Availability — the channel works when corporate identity, network or devices do not.
  • Record — material decisions can be preserved without turning uncontrolled chat into the system of record.

Encryption addresses only part of the problem. A perfectly encrypted conversation with the wrong participant remains a failure.

Define the activation threshold

Alternate communication should not be improvised at the moment everyone becomes uncertain. Define the conditions in advance.

  • Suspected compromise of executive or administrator email.
  • Loss of confidence in corporate identity or device management.
  • Evidence that an actor is monitoring response activity.
  • Material outage of primary communications.
  • A physical or travel condition that makes normal verification unreliable.

Activation should be declared by a named role, communicated through more than one route and recorded once a trusted record becomes available.

Build the minimum viable channel

  • A current offline contact set for essential decision-makers and specialists.
  • A pre-agreed method for verifying participants independently.
  • A communication platform not dependent on the suspected identity domain.
  • Clean or specifically designated devices for the core response group.
  • Rules for classification, forwarding, screenshots and personal accounts.
  • A scribe and decision log outside casual conversation.
  • A method for bringing providers or counsel into the room without weakening identity assurance.

The first ten minutes

  • Confirm the activation authority.
  • Verify the first two participants through independent means.
  • State what is confirmed, inferred and unknown.
  • Agree which systems and channels are not trusted.
  • Name the incident director, decision owner and scribe.
  • Set the next update time.
  • Do not distribute sensitive evidence until participant identity and need are established.

This small discipline prevents the alternate channel from becoming another uncontrolled source of truth.

Return to normal is a security decision

The organization should not drift back to corporate email because it appears to work again. Return requires confidence in identity, devices, monitoring and the actor’s removal or containment.

  • Define who can authorize return.
  • Re-bind credentials and devices where necessary.
  • Move the authoritative decision record into the approved system.
  • Reconcile participants, files and actions taken outside normal operations.
  • Close temporary accounts and access.
  • Review whether the alternate channel revealed new dependencies.

The position

Secure incident communication is not the possession of a second messaging application. It is the ability to recreate identity, confidentiality, authority and record when the normal environment cannot be trusted. The channel is alternate. The operating discipline cannot be.

Sources

  1. CISA — StopRansomware GuideCISA

    Industry guidance

  2. NIST — Contingency Planning GuideNIST

    Primary authority

Adam J. De CollibusFounding Partner, Svperior / Systems Engineering

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry