Don’t Describe the Issue in Your Response
Don’t add credibility to an issue by stating it in your voice
When something surfaces publicly—an allegation, a rumor, a bit of speculation gaining traction—it can feel like we need to step in and say something to set the record straight. That impulse is understandable. But one of the most useful lessons we’ve learned on our team is that how we respond in these moments can either calm things down—or make them worse.
One of the most common missteps is putting the issue into our own voice. The moment we repeat the problem in our response—even just to acknowledge, clarify, or deny it—we give it weight. We confirm it. We give it structure. And sometimes, we give it a headline.
The same pattern shows up in cybersecurity. Imagine a reporter reaches out about an online post claiming there’s a vulnerability in your product. If the response is, “We’ve investigated this vulnerability and found it to be low risk,” that statement does more than provide context. It confirms the issue, repeats the term “vulnerability” in your voice, and attaches it directly to your brand. At that point, the perceived existence of the vulnerability becomes the story. The severity feels secondary—the headline writes itself.
We’ve seen this happen in media responses, employee emails, even internal Q&A sessions. It’s rarely intentional—but it can be costly.
Why This Happens
There’s a reason this pattern is so common. Part of it comes down to how people process language.
Our brains are wired to lock onto potential threats. That’s negativity bias at work. We remember the words “data breach” or “fraud” long after we’ve forgotten the denial that came before them. And when we say, “We are not under investigation,” people still walk away thinking about… “under investigation.”
Then there’s the pink elephant problem. If I say, “Don’t think of a pink elephant,” you already did. That’s what happens when we repeat the very language we’re trying to move away from. Even when we say it’s not true, we’re giving it more time, more space, and more credibility than it had before.
Best Practice
Our experience with all of these patterns—the way phrases get lifted into headlines, the stickiness of negative framing, the trap of well-meaning but poorly framed language—has led us to one of our team’s core rules for response messaging:
Don’t describe the issue in your response.
It’s not about being evasive. It’s about being intentional with language, so we don’t accidentally give an accusation more weight by putting it into our own voice.
What Should We Do Instead?
On our team, we’ve developed a practical approach to help shift the conversation in moments like these.
It starts with acknowledging the concern without amplifying it. If people are asking whether we ignored customer complaints, we don’t say, “We did not ignore customer complaints.” Instead, we might say, “We take customer feedback seriously and have a process in place to address concerns as they arise.” That message still responds—it just doesn’t repeat the negative framing.
We also look for actions we’ve taken or that are already in motion. If something is under investigation, being addressed, or already resolved, that’s worth pointing to. It helps ground the message in what we’re doing—not what others are saying about us.
In one example, when a researcher reported a potential local privilege escalation vulnerability affecting Windows, the response was direct but measured:
“We are aware of the report and will take appropriate action to keep customers protected.”
That phrasing avoids restating the specific issue or giving it new visibility, while still signaling accountability and intent. It keeps the focus on protection and action, not the problem itself.
Sometimes the best way to respond is through values or policy. When an issue involves content, conduct, or standards, we look to ground the response in the principles that guide how we operate.
In a recent case where bad actors attempted to misuse generative AI tools, the response was clear but focused:
“This activity is prohibited under the terms of use for our generative AI services and required deliberate efforts to bypass our safeguards.”
That kind of language reinforces that we have policies in place—and that we’re acting on them—without giving new visibility to the misuse itself.
And finally, we try to lead with a forward-looking message. Even when the issue is sensitive, we want to point to what comes next. That might sound like:
“We’re continuing to improve our process.”
“We’re investing in long-term changes to better serve our customers.”
We’re not trying to minimize real concerns—we’re aiming to address them without giving unnecessary weight to the wrong part of the story. It’s about choosing a message that reflects what we stand for, where we’re headed, and how we lead through difficult moments.
One Final Test
One question we often ask when reviewing a draft is:
“If this quote ends up in a headline, are we okay with that?”
That simple test helps us catch phrases that might unintentionally reinforce the problem.
Handled well, an issue stays manageable. Handled poorly—or repeated in our own voice—it can become the story. And in those moments, message discipline matters.
Closing Thought
This is one of the practical tools we’ve come to rely on, and I’ll be sharing more in future posts. Because responding well isn’t just about avoiding mistakes—it’s about helping people see what you stand for, even in the tough moments.
If you’ve ever found yourself wrestling with how much to say—or how to say it—this rule can be a helpful compass. And it’s just one of several we lean on to stay grounded, clear, and focused when the pressure is high.