

11:00 AM
Gadi Evron

Security PR: How To Talk To Reporters

Here are some tips for security professionals and security public relations representatives on how to pitch reporters when you have something new and exciting to share.

PR professionals should make sure the person you pitch to a reporter has:

1. actual data ready.
2. the message of why this is important and what they believe this means clear and ready.
3. an interpretation of what the data means.
4. an explanation that puts it all in perspective, rather than as a scare-story.
5. a list of what countermeasures exist.
6. their affiliation.

Security professionals, here's how to speak with reporters:

FUD and the death of the Internet: To begin with, avoid the urge to spread FUD (Fear, Uncertainty and Doubt) due to urgency. It's not THAT urgent.

If you feel that you have a real threat on your hands, ask yourself:

1. Is the threat as big as I'm going to have to make it sound to warrant attention from the press?
2. As the world will survive this threat, how will the way I present this issue help or detract from my credibility?
3. Will the reporter ask to speak with me in the future?
4. What are my colleagues going to think of what I say?

Tech journalists are interested in what you have to say; just don't blow your news out of proportion. Let them do it for you if they so choose. You should not hide how dangerous something is, and you certainly shouldn't shoot your PR effort in the foot -- but put things in perspective. They will appreciate your candor, or they are reporters whom you should avoid.

Show 'em what you got: Reporters appreciate real data. You would likely need to digest and explain it; their job is to convey technical information to the public, not to understand every bit and byte. This is why they talk to you.

Having the actual data and being willing to share it with them increases your credibility with them. First prepare what technical data you would show other experts in order to convince them, and then add the interpretation.

Tell them what users can do about it: Don't leave users hanging with fear. Say what you think can be done to manage or avoid the threat or risk.

Reporters will misquote you, so live with it: If you fear your words will be taken out of context, don't worry -- sometimes they will be. It is a part of how things are. Whether you like it or not, you will be misquoted and taken out of context. They may forget to mention your affiliation or even misspell your name.

Make sure you know what your message is and what's important for you to be in the article, and stick to it -- don't run in too many directions at once. If you need your employer to be mentioned, then simply ask what affiliation a reporter has for you, and correct as needed.

While the ethical standards being enforced vary from publication to publication -- and you shouldn't make anyone uncomfortable for following ethical standards -- you can negotiate with the reporter on how much of the article you would be able to see before publication.

I usually ask to see my own quotes. I promise reporters that if I say something I won't try and take it back, but that my credibility matters to me, and I'd like the chance to correct any technical errors in what I give them for their story. They usually find this acceptable.

Should I risk it? It is not a risk: It's the cost of doing business.

As my friend Dan Kaminsky told me years ago, if a reporter doesn't have good data, then he will use whatever information he has -- good or bad. If I give them real data, what reason have they got to use the bad information?

Remember, it's not just your role in your company that you represent; you also speak for your profession at large. If you can help reporters do their jobs, make the world better, and get your company's name in the press while you're at it, then it's a win-win situation.

Help a reporter out: It's important to distinguish between news articles that happen right now and research stories.

If the story has a larger scope, then you should try and help reporters get a grip on what's going on, and even connect them with others they can talk to. It means the story will be better, and they will think of you next time they write a story on this subject.

Feel free to tell them when you are sharing things with them that you don't want published, but only if it will help them with perspective or leads. Otherwise there is little more annoying for a reporter than this.

Everything is on the record, duh: Reporters will tell you as much if you ask them about it. While giving a general background can be very helpful for reporters, unless you know you can trust them on a personal level from experience, avoid saying anything you don't want to get published.

Journalists are not your friends, but they can be: Their job is simple: to get the information, not to drink beer with you. You should be friendly, and you should be concise. If a relationship forms over time, then all the better, but remaining strictly professional is best in most cases.

Some reporters are not as ethical as others, and may play with you. Others may simply want to get their job done, and if someone else provides them with better information in a more professional fashion, then they will go to them.

During the years I formed friendships with reporters, but this is the exception, not the rule. I also have been burned pretty badly. We learn as we gain experience. These instances can't be avoided and should be taken in stride. Most reporters are decent people doing their jobs. Help them do it, be as serious with them as you would be with a fully technical person, and they will help you get your message out.

In my next post, I'll explore how to build a PR strategy for releasing information on a new threat or discovery, and how to spread it across the industry, the community, and to the press.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ...

