Perimeter | Commentary

1/12/2010 02:05 AM

Gadi Evron
We Have Nothing To Say -- Or Do We?

The first rule of appearing smart, they say, is to keep quiet, but keeping quiet doesn't help your PR. What are you to do?

This is the third in my series of posts on security PR (see "How To Talk To Reporters" and "How To Disclose A Vulnerability," plus "The Secret Sauce For Security Blogging").

In that third post, I discussed how writing from the ground level, so that people feel more engaged with your writing, and sharing real data along with your analysis, assures readers that you know what you are talking about and allows them to participate.

In these two notions lies the secret of having something smart to say to the press. Specifically, marketing is always frustrated with having nothing new to say, and R&D is always frustrated with marketing being stupid (as they see it) and not getting them coverage that matters.

The key is communication. Marketing is looking to publish information on new products and new sales. So R&D is pressured to meet deadlines. R&D is looking for the branding -- they are even more keyed to it than the marketing department. Only they call it winning the respect of their peers.

As Avi Freedman once put it to me on a long drive from Boston to Philadelphia while drinking gallons of cherry cola, "People constantly underestimate how much geeks want the approval and respect of other geeks."

The respect of others entails something interesting, and something real.

On the ground level, you have the security researchers and the R&D developers. Humans are social beings, and therefore they don't just look at code all day. They share news stories, talk about something they encountered, and discuss something cool they've just seen or done.

You won't always have a new vulnerability to share with the world.

Your job is to befriend and listen to the technologists:

1. Have they found something interesting in how old vulnerabilities are being exploited?
2. Have they seen new attacks coming from somewhere in the world?
3. Is there a new trend in what types of targets are chosen?
4. Is there an interesting news item that you would like someone from your company to be heard on?
5. Or more specifically, are they excited about something while meeting in the kitchen to make coffee?

You won't always land gems, but you will establish the infrastructure for finding out when the gems are there.

Don't immediately pressure technologists to write, but show interest in what they say and try to understand why it's exciting.

While it's OK to ask directly -- people should know what you are interested in -- just try and be friendly and see if something pops up.

Once you find such an interesting topic, you can encourage the technologists to make something of it. For example, if they merely implemented something in an interesting fashion, encourage them to blog about it and promise to help with editing. Their experience in solving the problem would interest their peers. In a way, what you are doing is coaching them on how to get their name out there so that they choose to write in the future.

By establishing the relationship, and the blog, you will both find new interesting things to say, as well as establish the branding of the blog so that reporters visit it often.

R&D time is often protected, especially with the pressure you put on them to meet deadlines. Try to be open about how important PR is and how you think R&D can help. Bring the big wig on board, ask that researchers and developers be encouraged to write in the blog, and make it something they want by ensuring the higher-ups show interest in new blog posts, which will make sure everyone else is excited to get a good post written.

Another option is to create a project to get people to center their excitement around. For example, in one company I worked for I hired a few comic strip artists and encouraged technologists to come up with ideas for new comic strips. Whenever someone got excited about something, they'd try and see how it fits in a strip. It was fun for everybody, and we often even met outside of work hours to brainstorm it.

Convincing management that such blogging matters may not be easy, and it will decide whether you are able to be extremely successful with a blogging strategy, or merely have access to what's really interesting, which on occasion you will be able to use. It's a win-win situation either way.

Establish communication. Get excited. Then write about it.

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ...
