1. actual data ready.
2. the message of why this is important and what they believe this means clear and ready.
3. an interpretation of what the data means.
4. an explanation that puts it all in perspective, rather than as a scare-story.
5. a list of what countermeasures exist.
6. their affiliation.
Security professionals, here's how to speak with reporters:
FUD and the death of the Internet: To begin with, avoid the urge to spread FUD (Fear, Uncertainty and Doubt) due to urgency. It's not THAT urgent.
If you feel that you have a real threat on your hands, ask yourself:
1. Is the threat as big as I'm going to have to make it sound to warrant attention from the press?
2. As the world will survive this threat, how will the way I present this issue help or detract from my credibility?
3. Will the reporter ask to speak with me in the future?
4. What are my colleagues going to think of what I say?
Tech journalists are interested in what you have to say; just don't blow your news out of proportion. Let them do it for you if they so choose. You should not hide how dangerous something is, and you certainly shouldn't shoot your PR effort in the foot -- but put things in perspective. They will appreciate your candor, or they are reporters whom you should avoid.
Show 'em what you got: Reporters appreciate real data. You would likely need to digest and explain it; their job is to convey technical information to the public, not to understand every bit and byte. This is why they talk to you.
Having the actual data and being willing to share it with them increases your credibility with them. First prepare what technical data you would show other experts in order to convince them, and then add the interpretation.
Tell them what users can do about it: Don't leave users hanging with fear. Say what you think can be done to manage or avoid the threat or risk.
Reporters will misquote you, so live with it: If you fear your words will be taken out of context, don't worry -- sometimes they will be. It is a part of how things are. Whether you like it or not, you will be misquoted and taken out of context. They may forget to mention your affiliation or even misspell your name.
Make sure you know what your message is and what's important for you to be in the article, and stick to it -- don't run in too many directions at once. If you need your employer to be mentioned, then simply ask what affiliation a reporter has for you, and correct as needed.
While the ethical standards being enforced vary from publication to publication -- and you shouldn't make anyone uncomfortable for following ethical standards -- you can negotiate with the reporter on how much of the article you would be able to see before publication.
I usually ask to see my own quotes. I promise reporters that if I say something I won't try and take it back, but that my credibility matters to me, and I'd like the chance to correct any technical errors in what I give them for their story. They usually find this acceptable.
Should I risk it? It is not a risk: It's the cost of doing business.
As my friend Dan Kaminsky told me years ago, if a reporter doesn't have good data, then he will use whatever information he has -- good or bad. If I give them real data, what reason have they got to use the bad information?
Remember, it's not just your role in your company that you represent; you also speak for your profession at large. If you can help reporters do their jobs, make the world better, and get your company's name in the press while you're at it, then it's a win-win situation.
Help a reporter out: It's important to distinguish between news articles that happen right now and research stories.
If the story has a larger scope, then you should try and help reporters get a grip on what's going on, and even connect them with others they can talk to. It means the story will be better, and they will think of you next time they write a story on this subject.
Feel free to tell them when you are sharing things with them that you don't want published, but only if it will help them with perspective or leads. Otherwise there is little more annoying for a reporter than this.
Everything is on the record, duh: Reporters will tell you as much if you ask them about it. While giving a general background can be very helpful for reporters, unless you know you can trust them on a personal level from experience, avoid saying anything you don't want to get published.
Journalists are not your friends, but they can be: Their job is simple: to get the information, not to drink beer with you. You should be friendly, and you should be concise. If a relationship forms over time, then all for the better, but remaining strictly professional is best in most cases.
Some reporters are not as ethical as others, and may play with you. Others may simply want to get their job done, and if someone else provides them with better information in a more professional fashion, then they will go to them.
Over the years I have formed friendships with reporters, but this is the exception, not the rule. I also have been burned pretty badly. We learn as we gain experience. These instances can't be avoided and should be taken in stride. Most reporters are decent people doing their jobs. Help them do it, be as serious with them as you would be with a fully technical person, and they will help you get your message out.
In my next post, I'll explore how to build a PR strategy for releasing information on a new threat or discovery, and how to spread it across the industry, the community, and to the press.
Follow Gadi Evron on Twitter: http://twitter.com/gadievron
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.