
12/11/2009
11:00 AM
Gadi Evron
Commentary

Security PR: How To Talk To Reporters

Here are some tips for security professionals and security public relations representatives on how to pitch reporters when you have something new and exciting to share.

PR professionals should make sure the person you pitch to a reporter has:

1. actual data ready.
2. the message of why this is important and what they believe this means clear and ready.
3. an interpretation of what the data means.
4. an explanation that puts it all in perspective, rather than as a scare-story.
5. a list of what countermeasures exist.
6. their affiliation.

Security professionals, here's how to speak with reporters:

FUD and the death of the Internet: To begin with, avoid the urge to spread FUD (Fear, Uncertainty and Doubt) due to urgency. It's not THAT urgent.

If you feel that you have a real threat on your hands, ask yourself:

1. Is the threat as big as I'm going to have to make it sound to warrant attention from the press?
2. As the world will survive this threat, how will the way I present this issue help or detract from my credibility?
3. Will the reporter ask to speak with me in the future?
4. What are my colleagues going to think of what I say?

Tech journalists are interested in what you have to say; just don't blow your news out of proportion. Let them do it for you if they so choose. You should not hide how dangerous something is, and you certainly shouldn't shoot your PR effort in the foot -- but put things in perspective. They will appreciate your candor, or they are reporters whom you should avoid.

Show 'em what you got: Reporters appreciate real data. You would likely need to digest and explain it; their job is to convey technical information to the public, not to understand every bit and byte. This is why they talk to you.

Having the actual data and being willing to share it with them increases your credibility with them. First prepare what technical data you would show other experts in order to convince them, and then add the interpretation.

Tell them what users can do about it: Don't leave users hanging with fear. Say what you think can be done to manage or avoid the threat or risk.

Reporters will misquote you, so live with it: If you fear your words will be taken out of context, don't worry -- sometimes they will be. It is a part of how things are. Whether you like it or not, you will be misquoted and taken out of context. They may forget to mention your affiliation or even misspell your name.

Make sure you know what your message is and what's important for you to be in the article, and stick to it -- don't run in too many directions at once. If you need your employer to be mentioned, then simply ask what affiliation a reporter has for you, and correct as needed.

While the ethical standards being enforced vary from publication to publication -- and you shouldn't make anyone uncomfortable for following ethical standards -- you can negotiate with the reporter on how much of the article you would be able to see before publication.

I usually ask to see my own quotes. I promise reporters that if I say something I won't try and take it back, but that my credibility matters to me, and I'd like the chance to correct any technical errors in what I give them for their story. They usually find this acceptable.

Should I risk it? It is not a risk: It's the cost of doing business.

As my friend Dan Kaminsky told me years ago, if a reporter doesn't have good data, then he will use whatever information he has -- good or bad. If I give them real data, what reason have they got to use the bad information?

Remember, it's not just your role in your company that you represent; you also speak for your profession at large. If you can help reporters do their jobs, make the world better, and get your company's name in the press while you're at it, then it's a win-win situation.

Help a reporter out: It's important to distinguish between news articles that happen right now and research stories.

If the story has a larger scope, then you should try and help reporters get a grip on what's going on, and even connect them with others they can talk to. It means the story will be better, and they will think of you next time they write a story on this subject.

Feel free to tell them when you are sharing things with them that you don't want published, but only if it will help them with perspective or leads. Otherwise there is little more annoying for a reporter than this.

Everything is on the record, duh: Reporters will tell you as much if you ask them about it. While giving a general background can be very helpful for reporters, unless you know you can trust them on a personal level from experience, avoid saying anything you don't want to get published.

Journalists are not your friends, but they can be: Their job is simple: to get the information, not to drink beer with you. You should be friendly, and you should be concise. If a relationship forms over time, then all for the better, but remaining strictly professional is best in most cases.

Some reporters are not as ethical as others, and may play with you. Others may simply want to get their job done, and if someone else provides them with better information in a more professional fashion, then they will go to them.

Over the years I have formed friendships with reporters, but this is the exception, not the rule. I also have been burned pretty badly. We learn as we gain experience. These instances can't be avoided and should be taken in stride. Most reporters are decent people doing their jobs. Help them do it, be as serious with them as you would be with a fully technical person, and they will help you get your message out.

In my next post, I'll explore how to build a PR strategy for releasing information on a new threat or discovery, and how to spread it across the industry, the community, and to the press.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ...
