Hey Security, It’s Time We Had “The Talk” About PR

People like to dump on PR for what is seen as “pushy” behavior: issuing unnecessary press releases, cold calling journalists, or following up weekly to see if you got the email that was sent. Oftentimes, it’s not PR’s fault. It’s their clients who are doing the pushing.

InfoSec vendors need a reality check of what it’s like to do PR in a security marketplace. A PR firm should not just be hired to carry out publicity tasks, but also to advise their clients as to the best course of action given the current landscape.

I reached out to PR professionals to ask them what are the most misguided and inappropriate requests they get from security vendors. Here are eight rules that should be followed.


1: “Fighting up” works well in most marketplaces, except InfoSec

The marketing tactic of “fighting up” is when a small, often unknown company picks a fight with the industry’s 500 lb. gorilla. By constantly challenging the incumbent’s value in the marketplace, an unknown can quickly be recognized as being on par with the 500 lb. gorilla. In most cases, the one “fighting up” has nothing to lose.

Not true in InfoSec.

“Directing PR to promote a narrative that effectively picks a fight with another vendor is a death sentence,” said Bill Bourdon (@bbourdon), president, Bateman Group. “If acted on, it can be very damaging to their brand and trustworthiness among CISOs.”

Outside of security, “fighting up” is a powerful weapon.

As a newcomer to the nutrition bar space, one of Clif Bar’s first ads in Bicycle Magazine pitted themselves against the incumbent PowerBar. The ad’s headline read, “It’s Your Body. You Decide” and then showed pictures of ingredients in both bars. This move generated a lot of buzz and put them on par with the industry leader.

“The same principles don’t apply in our war against cybercrime,” added Bourdon. “While cybersecurity companies are in the business of making money, the most trusted and successful vendors are guided by a shared purpose to make our digital and physical worlds more secure. Values and ethics are central to gaining a CISO’s trust.”

2: You’re part of a bigger solution. Act like it.

“The biggest challenge that I see is that security vendors are ‘enterprise narcissists’ in that they only focus on their own solutions without regard to anything else,” said Rob Adler (@RobAdler), partner, Claritize Consulting. “They ignore that they need to be part of an overall enterprise network that is already installed.”

The CISO is bombarded with information on various solutions. It’s their job to make sense of it all, determine what can and can’t work with their products, and whether there’s overlap.

“The CISO gets pitched on multiple solutions, and ends up paralyzed. Everyone loses,” said Adler.

If the security vendor is more open to being part of a larger security ecosystem, like most organizations are, then they’re more sympathetic to the plight of the CISO.

3: Security vendors often fight against the PR process

“The PR process is often counter-intuitive to security vendors. They are wired to keep information out of the public eye,” said Adler. “There’s inevitably a long and highly-debated process to decide what the vendor can and can’t put out to the public.”

Reporters don’t care. They want detail, access, context, and they have deadlines. If you make them wait for twelve levels of internal approval they’ll just move on and go elsewhere. Opportunity lost.

4: If a journalist makes a request, and you ignore them, don’t expect them to call you again

All journalists have a stable of sources they go to again and again. Take a look at the people quoted in this CISO/security vendor relationship series. You’ll often see some of the same names. The reason you see those names again and again is that they’re very responsive. I ask them a question and they deliver a great answer by my deadline.

If you make a journalist’s life difficult, or you decide you don’t want to help them this time because the media outlet they’re working for now is not as prestigious as the last one, don’t expect them to call you again in the future.

5: The “ask for forgiveness later” tactic doesn’t work in enterprise sales

Publicly mentioning customers or suppliers without their permission will not be received as welcome and endearing.

“Many companies, especially high flying tech companies and long-established signature brands, like to control where and with whom their name appears alongside. Saying ‘we’re working with Coca-Cola/Tesla’ is like getting permission to visit the Vatican or Buckingham Palace,” said Andy Abramson (@andyabramson), CEO, Comunicano. “While some may like to take the approach ‘better to ask forgiveness than to ask for permission’ that doesn’t really work.”

6: Don’t put your customers’ security at risk for your benefit

“Oftentimes you’ll get business development, salespeople, or marketing people asking for customer references. It’s obviously gold for the security vendor, but it’s simply not possible,” said communications professional, John Sommerfield.

While some security vendors can successfully get customer testimonials, it’s not something you ask for casually. If you are fortunate enough to get a testimonial, you definitely don’t disclose specifics of that relationship.

“Any detail is revealing too much. There’s a real wall and security vendors have to understand that,” added Sommerfield.

7: Just “getting buzz” is not a PR strategy

“Sometimes clients ask for deliverables that aren’t in alignment with their brand,” said Renee Blodgett (@magicsaucemedia), founder, Magic Sauce Media and We Blog the World. “It could be ink for the sake of ink without really thinking through their strategy and what it will accomplish or a speaking slot on a stage because it’s a prestigious venue, even though their voice won’t reach their audience.”

I was just talking with one security company that wanted to do a stunt at an upcoming trade show. They were looking for buzz, but it wasn’t appropriate for their brand. They had never done anything like that before and it didn’t appear they were planning on doing it again. Outrageous publicity stunts work for companies that make the behavior intrinsic to their brand. Think RedBull, GoldenPalace.com, and Burger King. For most security companies, it’s just not appropriate.

8: PR firms often have to tell their clients to ‘cool it’

“Security is the one market where sometimes the agency has to be less aggressive than the client. It is easy to delve into scare tactics and spreading FUD (fear, uncertainty and doubt) which good reporters see through and it damages the brand,” said Tiffany Darmetko, vice president, InkHouse.

Given the ludicrously crowded marketplace for B2B security products, security vendors are often very eager to do more, and to push. But security vendors aren’t selling impulse-purchase cheeseburgers, although many think they can pull off that tactic whenever there’s a horrific breach.

CONCLUSION: If your PR client knows security, listen to them

“One of the toughest things to do is to tell a client ‘you’re wrong’ and to tell them that ‘if you do that, in the long run, it will come back to bite you,’” said Abramson.

InfoSec is a very complicated marketplace, especially for CISOs, and it gets more confusing, challenging, and competitive every year. Everyone involved in the process is trying to make sense of it. I’ve been covering the security space for almost a decade, and I’m always amazed how much the industry changes every year.

“It’s really critical for security PR programs to be strategic,” said Darmetko. “The PR agency team can’t be order takers hired to generate press coverage for press coverage’s sake. It doesn’t move the needle. The most successful engagements are ones where the security vendor understands the need to build an authentic brand and the importance of great storytelling.”


David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.