PR folks: Read this before making RSA pitches
Some of my favorite PR folks include Michelle Schafer, Tim Whitman, Kevin Kosh, Jen Leggio, MaryCatherine Bassett Petermann and Tony Welz.
But the cold fact is that I get hundreds of pitches a day that go straight into the trash. It's nothing personal. But I have a responsibility to write about the things that are important to our readers. If you don't strike a chord in that regard, I move on to something else.
It's not that the pitch is bogus or without value (well, OK, a lot of them are). It's just that in a lot of cases, the PR practitioner isn't taking the time to really understand the writers they pitch to. Instead of getting the right feel for that writer's audience and which pitches would be helpful in that regard, they just launch into a reading of the latest press release the second you pick up the phone. It's like those telemarketers who like to call during dinner. They have their prepared text and in they go.
If you do this sort of thing, try not to take offense. I know you have a job to do. You make a lot of pitches you don't believe in, but your bosses have told you to do it, and you have to pay the rent, right?
I don't fault the security vendors, either. It's a competitive market and vendors have to scream loud to be heard. They rely on PR agencies to do it for them, and they are not always served very well by those they hire.
I bring all this up because the RSA security conference is next month and the RSA pitches have already started. I want to focus on the things my readers care about and I don't want to waste anyone's time, so I thought the following tips might be useful to the folks with the press releases and the long call sheet:
--When pitching by e-mail, don't come at me with self-evident statements.
Two examples of this recently landed in my inbox:
"[Security Vendor A] believes that the most popular services and platforms - such as Twitter, foursquare and Google TV—will be the platform of choice for cybercriminals in 2011."
And...
"Newly released PCI DSS 2.0 requirements underscore the importance of securing networks for every organization that takes a credit card – and in today’s day and age, that is just about every company or organization, no matter how small, no matter how big, in every industry."
Most security journalists already know social networking is a big threat vector and we've been writing about what PCI DSS means to merchants for several years now.
Give us something new. Maybe it's fresh research from the vendor's lab showing specific shifts in how mobile attacks are being carried out. Maybe you have a client whose assessors are pinpointing specific, troubling trends in how companies continue to get the spirit of PCI DSS wrong.
Launch right in with WHAT'S NEW and you'll stand a better chance at getting my attention.
--Don't ask me to do vendor briefings for simple product releases.
There is certainly a purpose for product briefings. But if you're like me and you don't do product reviews, there's no real value in doing it. If someone wants to brief me on a new report like what I described above, that's of interest. If someone just released version 217.5 of their main product, you're knocking on the wrong door. We want case studies where a security practitioner can share their experiences from the trenches so others might learn from them. We want attack trend data readers can use to mount an effective defense.
--Keep your FUD to yourself.
Some PR types love to use big security conferences to promote their clients by scaring the pants off people. I see it every time there's a new data breach or malware outbreak. I see it every Patch Tuesday. Someone tells me the sky is falling because of a new flaw or piece of malware. Then I call a few security practitioners who tell me the sky looks perfectly normal out their window. If you call me to warn me of an emergency, you better have the facts handy to prove it's real. Otherwise, I'll have to politely hang up.
--No, I'm not really interested in what Vendor A, B or C thinks of a particular keynote at RSA.
It's not that I disrespect those opinions. It's just that their comments are a lot more valuable when it's about stuff their customers are telling them; not something a keynoter is telling the rest of us.
When I go to RSA I won't be there for the keynotes or the product releases. I'll be there to learn about the latest challenges security practitioners are dealing with and who is finding a way to meet those challenges. True, someone's products will be part of an IT shop's solution, but I want the IT shop to tell me about which technologies work and which ones don't.
I hope this helps. Have a safe trip to RSA this year.
--Bill Brenner

