12/11/2009
11:00 AM
Gadi Evron
Commentary

Security PR: How To Talk To Reporters

Here are some tips for security professionals and security public relations representatives on how to pitch reporters when you have something new and exciting to share.

PR professionals should make sure the person you pitch to a reporter has:

1. actual data ready.
2. the message of why this is important and what they believe this means clear and ready.
3. an interpretation of what the data means.
4. an explanation that puts it all in perspective, rather than as a scare-story.
5. a list of what countermeasures exist.
6. their affiliation.

Security professionals, here's how to speak with reporters:

FUD and the death of the Internet: To begin with, avoid the urge to spread FUD (Fear, Uncertainty and Doubt) due to urgency. It's not THAT urgent.

If you feel that you have a real threat on your hands, ask yourself:

1. Is the threat as big as I'm going to have to make it sound to warrant attention from the press?
2. As the world will survive this threat, how will the way I present this issue help or detract from my credibility?
3. Will the reporter ask to speak with me in the future?
4. What are my colleagues going to think of what I say?

Tech journalists are interested in what you have to say, just don't blow your news out of proportion. Let them do it for you if they so choose. You should not hide how dangerous something is, and you certainly shouldn't shoot your PR effort in the foot -- but put things in perspective. They will appreciate your candor, or they are reporters who you should avoid.

Show 'em what you got: Reporters appreciate real data. You would likely need to digest and explain it; their job is to convey technical information to the public, not to understand every bit and byte. This is why they talk to you.

Having the actual data and being willing to share it with them increases your credibility with them. First prepare what technical data you would show other experts in order to convince them, and then add the interpretation.

Tell them what users can do about it: Don't leave users hanging with fear. Say what you think can be done to manage or avoid the threat or risk.

Reporters will misquote you, so live with it: If you fear your words will be taken out of context, don't worry -- sometimes they will be. It is a part of how things are. Whether you like it or not, you will be misquoted and taken out of context. They may forget to mention your affiliation or even misspell your name.

Make sure you know what your message is and what's important for you to be in the article, and stick to it -- don't run in too many directions at once. If you need your employer to be mentioned, then simply ask what affiliation a reporter has for you, and correct as needed.

While the ethical standards being enforced vary from publication to publication -- and you shouldn't make anyone uncomfortable for following ethical standards -- you can negotiate with the reporter on how much of the article you would be able to see before publication.

I usually ask to see my own quotes. I promise reporters that if I say something I won't try and take it back, but that my credibility matters to me, and I'd like the chance to correct any technical errors in what I give them for their story. They usually find this acceptable.

Should I risk it? It is not a risk: It's the cost of doing business.

As my friend Dan Kaminsky told me years ago, if a reporter doesn't have good data, then he will use whatever information he has -- good or bad. If I give them real data, what reason have they got to use the bad information?

Remember, it's not just your role in your company that you represent; you also speak for your profession at large. If you can help reporters do their jobs, make the world better, and get your company's name in the press while you're at it, then it's a win-win situation.

Help a reporter out: It's important to distinguish between news articles that happen right now and research stories.

If the story has a larger scope, then you should try and help reporters get a grip on what's going on, and even connect them with others they can talk to. It means the story will be better, and they will think of you next time they write a story on this subject.

Feel free to tell them when you are sharing things with them that you don't want published, but only if it will help them with perspective or leads. Otherwise there is little more annoying for a reporter than this.

Everything is on the record, duh: Reporters will tell you as much if you ask them about it. While giving a general background can be very helpful for reporters, unless you know you can trust them on a personal level from experience, avoid saying anything you don't want to get published.

Journalists are not your friends, but they can be: Their job is simple: to get the information, not to drink beer with you. You should be friendly, and you should be concise. If a relationship forms over time, then all for the better, but remaining strictly professional is best in most cases.

Some reporters are not as ethical as others, and may play with you. Others may simply want to get their job done, and if someone else provides them with better information in a more professional fashion, then they will go to them.

Over the years I have formed friendships with reporters, but this is the exception, not the rule. I also have been burned pretty badly. We learn as we gain experience. These instances can't be avoided and should be taken in stride. Most reporters are decent people doing their jobs. Help them do it, be as serious with them as you would be with a fully technical person, and they will help you get your message out.

In my next post, I'll explore how to build a PR strategy for releasing information on a new threat or discovery, and how to spread it across the industry, the community, and to the press.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ...
