
1/12/2010 02:05 AM
Gadi Evron
Commentary

We Have Nothing To Say -- Or Do We?

The first rule of appearing smart, they say, is to keep quiet, but keeping quiet doesn't help your PR. What are you to do?

This is the third in my series of posts on security PR (see "How To Talk To Reporters" and "How To Disclose A Vulnerability," plus "The Secret Sauce For Security Blogging").

In that third post, I discussed how writing from on the ground, so that people feel more engaged with your writing, and sharing real data along with your analysis assures people that you know what you are talking about and lets readers participate.

In these two notions lies the secret of having something smart to say to the press. Specifically, marketing is always frustrated with having nothing new to say, and R&D is always frustrated with marketing being stupid (as they see it) and not getting them coverage that matters.

The key is communication. Marketing is looking to publish information on new products and new sales. So R&D is pressured to meet deadlines. R&D is looking for the branding -- they are even more keyed to it than the marketing department. Only they call it winning the respect of their peers.

As Avi Freedman once put it to me on a long drive from Boston to Philadelphia while drinking gallons of cherry cola, "People constantly underestimate how much geeks want the approval and respect of other geeks."

The respect of others entails something interesting, and something real.

On the ground level, you have the security researchers and the R&D developers. Humans are social beings, and therefore they don't just look at code all day. They share news stories, talk about something they encountered, and discuss something cool they've just seen or done.

You won't always have a new vulnerability to share with the world.

Your job is to befriend and listen to the technologists:

    1. Have they found something interesting in how old vulnerabilities are being exploited?
    2. Have they seen new attacks coming from somewhere in the world?
    3. Is there a new trend in what types of targets are chosen?
    4. Is there an interesting news item that you would like someone from your company to be heard on?
    5. Or more specifically, are they excited about something while meeting in the kitchen to make coffee?

You won't always land gems, but you will establish the infrastructure for finding out when the gems are there.

Don't immediately pressure technologists to write, but show interest in what they say and try to understand why it's exciting.

While it's OK to ask directly -- people should know what you are interested in -- just try and be friendly and see if something pops up.

Once you find such an interesting topic, you can encourage the technologists to make something of it. For example, if they merely implemented something in an interesting fashion, encourage them to blog about it and promise to help with editing. Their experience in solving the problem would interest their peers. In a way, what you are doing is coaching them on how to get their name out there so that they choose to write in the future.

By establishing the relationship, and the blog, you will both find new interesting things to say, as well as establish the branding of the blog so that reporters visit it often.

R&D time is often protected, especially with the pressure you put on them to meet deadlines. Try and be open about how important PR is and how you think the R&D can help. Bring the Big Wig on board, ask that researchers and developers be encouraged to write in the blog, and make it something they want by ensuring the higher-ups show interest in new blogs, which will make sure everyone else is excited to get a good blog written.

Another option is to create a project to get people to center their excitement around. For example, in one company I worked for I hired a few comic strip artists and encouraged technologists to come up with ideas for new comic strips. Whenever someone got excited about something, they'd try and see how it fits in a strip. It was fun for everybody, and we often even met outside of work hours to brainstorm it.

Convincing management that such blogging matters may not be easy, and it is what decides whether you will be extremely successful with a blogging strategy, or merely have access to what's really interesting, which on occasion you will be able to use. It's a win-win situation either way.

Establish communication. Get excited. Then write about it.

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ...
