Ever wonder why some cyber security firms are constantly in the news? Do they offer a better solution? Know more than their competition? Do the heavy-lifting research that differentiates and substantiates their spokespeople in the minds of the media? Could be.

Or it could be that your spokespeople simply aren’t savvy enough to win media interest. In cyber security, expertise means a lot. But so does the ability to deliver powerful and memorable sound bites on breaking or trending news while empathizing with the interviewer to give the media what it wants (without a sales pitch!).

The process begins with carefully selecting your spokesperson and then educating and grooming them to deliver a message that simultaneously entices coverage while still reflecting favorably on the reputation and expertise of your company.

Start with the audience. Are you shooting for general business media or the technical, vertical media? If you’re looking for coverage in the New York Times or on CNN, then you want a spokesperson who can speak at a 30,000-foot level about how an attack or topic impacts a business, family, or person.

The trades? Well, they want someone who can get into the weeds and explain the precise technical shortcomings or trap doors that a hacker or fraudster is exploiting.

Who in your organization could speak to one or both sides of the coin? Make the call and then train them to understand: 

1. Media coverage is not about sales or lead gen. Rather, it’s about leveraging third-party credibility to establish thought leadership. Great spokespeople know how to quickly size up the direction of an interview and give the reporter new insights or understandings, information they can’t get elsewhere to propel their stories forward and get them filed and into print.

2. Reporters and producers want interviewees who understand the media rules of engagement. A great interview is a bit like jujitsu. A reporter comes at you from a position or angle. You need to be ready to take the barrage or use the momentum to deflect and disarm. It’s a learned skill, and one that will never be mastered without preparation and training.

3. Media interviews don’t waste time, they leverage it. Thought leaders lead by sharing and engaging with a community. There’s no more powerful way to share and engage than in leveraging the reach and credibility of the media. Building a media presence doesn’t take away from a thought leader’s job. Rather it advances it, along with the goals and objectives of their employer.

4. Charisma counts and it can be learned. Not by our spokespeople, you say? They are too nerdy, too techie. Ironically, there’s nothing wrong with getting your tech on if you’re speaking to the right audience and understand some of the rules of engagement espoused here. A 23-year old nerdy ex-hacker often conveys more authenticity than some slick, paid corporate spokesperson. The key is to harness that nerd-dom and put it work educating and engaging with the media in a real and compelling manner.

5. Sound bites matter. It’s not spin. It’s not hyperbole. The media love short, pitchy sound bites that they can use to convey meaning in a few words instead of paragraphs. “It’s ridiculous that 140 million Americans had their data stolen because a single person failed to install a patch.” You get the point. Develop those sound bites for your spokespeople before each interview and you will dramatically increase the impact of your media coverage.

Some people are naturals at speaking to the media. Most aren’t. But it is a skill your spokespeople can learn and practice before they ever talk to a reporter. The PRCoach website has a bunch of clips illustrating common interview mistakes, and has other helpful resources too. And this document lists the mistakes spokespersons make with consumer media, such as not staying on topic or losing control over the interview, or taking too long to make your point and not speaking in sound bites.

Use these five points as the backbone of their training as you shape them into go-to media sources. And maybe you can develop your own version of such security rockstars as Troy Hunt, Tavis Ormandy (who is from Google), Cris Neckar of Divergent Security and Chris Vickery that are often breaking news and being quoted by the security trade press.

This is a piece that I co-authored with Greg Matusky and Mike Lizun of Gregory FCA. 

Imagine you’re on the precipice of greatness, some victory that will define you or your enterprise for eternity. Something important, game-changing, like going public, executing a merger, or something even bigger, like winning your first ever Super Bowl after 50 years of frustration.

And then it’s all lost. Stolen in the dark of night by someone who hacks your system and steals the secret sauce. Maybe it’s your IP or some market advantage. Or maybe it was simply the plays you plan to call that now will be used against your organization. ​

A lot of football fans, players, and coaches believe that is exactly what happened in 2005 when the New England Patriots beat the Philadelphia Eagles in Super Bowl XXXIX.

Even during that game, Philadelphia coaches knew something was amiss and tried to change set play calls. Every time the Eagles’ defensive coach blitzed, Tom Brady knew it and made a quick outlet pass. Two years later, the Patriots were fined $250,000 and draft picks for getting caught videotaping and the stealing the play calls from the New York Jets. A U.S. senator opened an investigation and found New England had been wrongly videotaping and stealing opponent play calls since 2000.

This year, after the Eagles beat New England, there’s been a lot of scuttlebutt about secret security measures the Eagles deployed to thwart any and all intrusions. One story holds that Philadelphia ran a fake practice the Saturday before the game, running plays and using a play call system they had no intention of using. Whether it happened or not, you gotta believe the Eagles weren’t going to be robbed again. Something did work. New England didn’t have a clue as to what the Eagles were doing on offense. They didn’t know about their calls and the result was Philadelphia putting up 538 total yards of offense.

Not every business gets to have a do-over like the Eagles. And in most cases, when it comes to cyber security and data breaches, hindsight is always 20-20. As an example, look at this recent Ponemon survey of 1,200 IT professionals. It found that the majority of them aren’t satisfied with cyber threat sharing tools in terms of timeliness, accuracy, and the poor quality of actionable information. Some of this has to do with a johnny-come-lately realization that threat intel could have been used to prevent a previous attack. Even UK-based telecom provider BT is now sharing its threat intel with its competitors, to try to stem attackers. So maybe the tide is changing.

There are lots of other cybersec lessons that could be learned from the latest Super Bowl matchup and what organizations can do when they get a second chance at defending their networks. They involve the role that revenge can play in motivating ex-employees, deliberate attempts to confuse attackers, and using specific traps to flush out intruders and confuse adversaries.

First, let’s look at revenge attacks.

These happen when insiders or former insiders get motivated by something that they experienced, and want to take out their frustration on their former employer.

The classic insider revenge scenario dates back to 1999, when Vitek Boden was applying for a job for the Maroochy county sewer district in Australia. He was a contractor for the district and the county decided not to hire him. To seek revenge, he caused thousands of gallons of raw sewage to be dumped into the local waterways, using a series of radio commands. He was eventually caught by a police officer with various RF equipment. What is important to note is that Boden had all this insider knowledge, yet never worked for the agency that he attacked. He was able to disguise his actions and avoid immediate detection by the agency IT department, which never had any security policies or procedures in place for disgruntled employees.

Ofer Amitai, the CEO of Portnox, has a more modern revenge tale. One of his customers is a big food company that didn’t pay attention to who was connected to its WiFi network. It had one employee who was fired, and came back to the vicinity of the plant with his own laptop. He changed temperatures on the refrigerators and destroyed hundreds of thousands of dollars of merchandize in revenge.

From these two examples, you can see it pays to be careful, even if a former employee never steps foot on your property or even if you never hired your potential attacker. Certainly, you should better screen insiders to prevent data leaks or willful destruction. And businesses should always monitor their wireless networks, especially as it is simple for an intruder to connect a rogue access point to your network and access data through it.

What about ways to obfuscate attackers?

Like in the Super Bowl, teams are now more careful about how they call plays during the game and practice times. Teams now use an array of sideline ruses to confuse prying eyes, everything from placards with pictures of Homer Simpson to using as many as three decoy sideline play callers.

That’s not too dissimilar to planting special “honeynets” on networks. Typically, they consist of a web server and a stripped-down operating system with tracking software that registers when a hacker tries to compromise the system. These servers don’t contain any actual data, but appear to be a target to a potential attacker and can trap them into revealing their location, sources, or methods that can help network defenders strengthen their security. Honeynets have been around for more than a decade and have an active development community to make them more life-like to confound attackers.

“There will always be timely weaknesses during such events that hackers can exploit,” says Dudu Mimran, the CTO of Telekom Innovation Laboratories in Israel. “Public events such as the Super Bowl present an opportunity because many people will be using digital devices and posting pictures and opening emails around the event. Defenders need to understand the expected sequence of actions around these events and create pinpoint defenses and guidelines to reduce the expected risks. There needs to be a series of layered defenses coupled with user education and better awareness too.”

Good luck with your own do-overs.

This week, Paul Gillin and I examine the results of the 2018 Edelman Trust Barometer, which shows a remarkable drop in the overall trust from the public. Some alarming results from the annual survey:

• Sixty-three percent of respondents say they do not know how to tell good journalism from rumor or falsehoods or if a piece of news was produced by a respected media organization.
• Chinese citizens trust their government more than U.S. citizens trust theirs. 
• Technology remains the most trusted industry sector of them all, with a trust rating of 75% (whew).
• CEOs are becoming more trusted sources and are increasingly being asked to address public policy issues.
• One-quarter of respondents said they read no media at all because it is too upsetting. 

In the second part of our discussion, we look at some examples of annual trends/reports in the security field that I have been studying for this post. For example, Kaspersky’s “story of the year” was about the rise of ransomware, and this set of predictions from ServiceNow are short and sweet, which is a nice break from the norm. Watchguard has been posting a series of predictions to its blog using short videos. All are noteworthy. We suggest B2B marketers review these tactics and see if they can apply to their own media relations efforts.

You can listen to our 17 min. podcast here: