Why companies should defend reputation like they defend networks

Cybersecurity teams spend a lot of time trying to find vulnerabilities before an adversary does. In a recent episode ofCyber Focus, Preston Golson argues that companies should start doing the same thing with reputation. As McCrary Institute Director Frank Cilluffo puts it, “Reputation itself is a target.” 

Golson, a director at Brunswick Group and a former CIA officer, says reputation is no longer just something a company worries about after a crisis. “Companies have reputational vulnerabilities,” he said, and if they identify those weak points early, “hack your own reputation” and build defenses before someone else exploits them. 

In the same way organizations use red teaming, penetration testing or threat hunting to expose technical weaknesses, Golson says they should be looking for the criticisms, controversies and blind spots that could be turned into a broader narrative attack. Many of the most damaging false narratives, he says, are not invented from scratch. They are often rooted in “legitimate criticisms” that then get “turned up to 11 and distorted.” 

That does not mean every hostile claim online deserves a response. “We don’t play whack- a-mole,” Golson said. “Not every narrative deserves a response.” In some cases, he warns, engaging too quickly can “give it more oxygen.” Instead, he argues that companies need to get better at sorting real threats from background noise by asking three questions: Is the claim believable? Could it have real impact? And does it have the potential to spread? If the answer is yes across the board, he said, “you have a high-risk narrative.” 

That is where red teaming, message testing and what he calls “prebunking” come in. Golson argued that companies need to build trust and credibility early so audiences are less likely to buy into false claims later. He points to the run-up to Russia’s invasion of Ukraine as one example, when the U.S. and UK publicly laid out some of the arguments Moscow was expected to use to justify the war before those narratives could fully take hold. He described the same basic idea in corporate terms: if a company knows a criticism or controversy is likely to be used against it, it should be communicating early, through credible voices and clear evidence, rather than waiting to respond after the narrative has hardened. 

The same logic now extends to AI-generated search results, as more people rely on one-click summaries from tools like Gemini, Grok and Perplexity instead of digging through multiple sources. That shift, he said, makes a company’s own website and public-facing content more important, because those systems often pull directly from material an organization controls. In that sense, the challenge is not just responding to a reputational attack. It is shaping the information environment before one takes hold.

For more on this and other important cyber topics, check out the full catalog of Cyber Focus podcasts