Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

1/12/2010
02:05 AM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

We Have Nothing To Say -- Or Do We?

The first rule of appearing smart, they say, is to keep quiet, but keeping quiet doesn't help your PR. What are you to do?

The first rule of appearing smart, they say, is to keep quiet, but keeping quiet doesn't help your PR. What are you to do?This is the third in my series of posts on security PR (see "How To Talk To Reporters" and "How To Disclose A Vulnerability," plus "The Secret Sauce For Security Blogging"),

In that third post, I discussed how writing from on the ground so that people feel more engaged with your writing, as well as sharing real data along with your analysis, assures people that you know what you are talking about, and allows readers to participate.

In these two notions lays the secret of having something smart to say to the press. Specifically, marketing is always frustrated with having nothing new to say, and R&D is always frustrated with marketing being stupid (as they see it) and not getting them coverage that matters.

The key is communication. Marketing is looking to publish information on new products and new sales. So R&D is pressured to meet deadlines. R&D is looking for the branding -- they are even more keyed to it than the marketing department. Only they call it winning the respect of their peers.

As Avi Freedman once put it to me on a long drive from Boston to Philadelphia while drinking gallons of cherry cola, "People constantly underestimate how much geeks want the approval and respect of other geeks."

The respect of others entails something interesting, and something real.

On the ground level, you have the security researchers and the R&D developers. Humans are social beings, and therefore they don't just look at code all day. They share news stories, talk about something they encountered, and discuss something cool they've just seen or done.

You won't always have a new vulnerability to share with the world.

Your job is to befriend and listen to the technologists:

    1. Have they found something interesting in how old vulnerabilities are being exploited? 2. Have they seen new attacks coming from somewhere in the world? 3. Is there a new trend in what types of targets are chosen? 4. Is there an interesting news item that you would like someone from your company to be heard on? 5. Or more specifically, are they excited about something while meeting in the kitchen to make coffee?

You won't always land gems, but you will establish the infrastructure for finding out when the gems are there.

Don't immediately pressure technologists to write, but show interest in what they say and try to understand why it's exciting.

While it's OK to ask directly -- people should know what you are interested in -- just try and be friendly and see if something pops up.

Once you find such an interesting topic, you can encourage the technologists to make something of it. For example, if they merely implemented something in an interesting fashion, encourage them to blog about it and promise to help with editing. Their experience in solving the problem would interest their peers. In a way, what you are doing is coaching them on how to get their name out there so that they choose to write in the future.

By establishing the relationship, and the blog, you will both find new interesting things to say, as well as establish the branding of the blog so that reporters visit it often.

R&D time is often protected, especially with the pressure you put on them to meet deadlines. Try and be open about how important PR is and how you think the R&D can help. Bring the Big Wig on board, ask that researchers and developers be encouraged to write in the blog, and make it something they want by ensuring the higher-ups show interest in new blogs, which will make sure everyone else is excited to get a good blog written.

Another option is to create a project to get people to center their excitement around. For example, in one company I worked for I hired a few comic strip artists and encouraged technologists to come up with ideas for new comic strips. Whenever someone got excited about something, they'd try and see how it fits in a strip. It was fun for everybody, and we often even met outside of work hours to brainstorm it.

Convincing management that such blogging matters may not be easy, and will be what decides if you will be able to be extremely successful with a blogging strategy, or just have access to what's really interesting, which on occasion you will be able to utilize. It's a win-win situation either way.

Establish communication. Get excited. Then write about it.

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.