<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Heavy &#187; General IT Security</title>
	<atom:link href="http://www.securityheavy.com/category/general/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityheavy.com</link>
	<description>InfoSec, Marketing, Public Relations, Social Media, Life in General</description>
	<lastBuildDate>Tue, 11 Jan 2011 18:36:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Security Blogger Network Social Security Awards Voting has Begun!</title>
		<link>http://www.securityheavy.com/2011/01/security-blogger-network-social-security-awards-voting-has-begun/</link>
		<comments>http://www.securityheavy.com/2011/01/security-blogger-network-social-security-awards-voting-has-begun/#comments</comments>
		<pubDate>Tue, 11 Jan 2011 18:36:08 +0000</pubDate>
		<dc:creator>Blogger in Chief</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[General IT Security]]></category>
		<category><![CDATA[RSA Conference 2011]]></category>
		<category><![CDATA[RSA 2011]]></category>
		<category><![CDATA[RSAC 2011]]></category>
		<category><![CDATA[SBN]]></category>
		<category><![CDATA[Security Bloggers Network]]></category>
		<category><![CDATA[Social Security Awards]]></category>

		<guid isPermaLink="false">http://www.securityheavy.com/?p=865</guid>
		<description><![CDATA[Via the ashimmy.com blog: And the winners are ….. It is that time of year again! Starting today voting is open for the 3rd annual Social Security Blogger Awards.  You can vote at http://www.zoomerang.com/Survey/WEB22BQFS9A3BN/. Be warned that you must leave a verifiable email and blog address in order for your vote to count. Of course [...]]]></description>
			<content:encoded><![CDATA[<h3>Via the ashimmy.com blog:</h3>
<h3>And the winners are …..</h3>
<div><p><a href="http://www.securityheavy.com/wp-content/uploads/2011/01/Social-Security-Awards2.jpg"><img class="alignright size-full wp-image-866" title="Social Security Awards" src="http://www.securityheavy.com/wp-content/uploads/2011/01/Social-Security-Awards2.jpg" alt="" width="296" height="183" /></a>It is that time of year again! Starting today voting is open for the 3rd annual Social Security Blogger Awards. You can vote at <a href="http://www.zoomerang.com/Survey/WEB22BQFS9A3BN/">http://www.zoomerang.com/Survey/WEB22BQFS9A3BN/</a>. Be warned that you must leave a verifiable email and blog address in order for your vote to count. Of course the winners will be announced at the Security Bloggers Meet up at the RSA Conference next month.</p>
<p>Before I announce the finalists, I want to give a special thanks to our all star panel of celebrity judges:</p>
<p><strong>1. Bill Brenner of CSOOnline</strong></p>
<p><strong>2. Ellen Messmer of Network World</strong></p>
<p><strong>3. Kelly Jackson-Higgins of Dark Reading</strong></p>
<p><strong>4. Larry Walsh of Channelnomics</strong></p>
<p>Without further delay I am very pleased to announce the finalists for the 3rd Annual Social Security Blogger Awards:</p>
<p><strong>Best Corporate Security Blog</strong></p>
<ul>
<li>Veracode ZeroDay Labs (<a href="http://www.veracode.com/blog/">http://www.veracode.com/blog/</a>)</li>
<li>Fortinet &#8211; <a href="http://blog.fortinet.com/">http://blog.fortinet.com/</a></li>
<li>Symantec Connect (<a href="http://www.symantec.com/connect/">http://www.symantec.com/connect/</a>)</li>
<li>Gunter Ollmann/Damballa Research <a href="http://blog.damballa.com/">http://blog.damballa.com/</a></li>
<li>Arbor Networks <a href="http://asert.arbornetworks.com/">http://asert.arbornetworks.com/</a></li>
</ul>
<p><strong>Best Security podcast</strong></p>
<ul>
<li>Pauldotcom <a href="http://www.pauldotcom.com/">http://www.pauldotcom.com/</a></li>
<li>Southern Fried Security <a href="http://www.southernfriedsecurity.com/">http://www.southernfriedsecurity.com/</a></li>
<li>CERTS Podcast Series <a href="http://www.cert.org/podcast/">http://www.cert.org/podcast/</a></li>
<li>The Silver Bullet Security Podcast <a href="http://www.cigital.com/silverbullet/">http://www.cigital.com/silverbullet/</a></li>
</ul>
<p><strong>Most educational security blog</strong></p>
<ul>
<li>Jeremiah Grossman (<a href="http://jeremiahgrossman.blogspot.com/">http://jeremiahgrossman.blogspot.com/</a>)</li>
<li>Chris Hoff – Rational Survivability (<a href="http://www.rationalsurvivability.com/blog/">http://www.rationalsurvivability.com/blog/</a>)</li>
<li>Jon Oltsik, Enterprise Strategy Group <a href="http://www.enterprisestrategygroup.com/category/our-team/analysts/jon-oltsik/">http://www.enterprisestrategygroup.com/category/our-team/analysts/jon-oltsik/</a></li>
<li>Naked Security/Sophos <a href="http://nakedsecurity.sophos.com/">http://nakedsecurity.sophos.com/</a></li>
<li>Evil Bytes /John Sawyer <a href="http://www.darkreading.com/blog/archives/evil-bytes/index.html">http://www.darkreading.com/blog/archives/evil-bytes/index.html</a></li>
</ul>
<p><strong>Most entertaining security blog</strong></p>
<ul>
<li>Naked Security  <a href="http://nakedsecurity.sophos.com/">http://nakedsecurity.sophos.com/</a></li>
<li>View from the Bunker  <a href="http://viewfromthebunker.com/">http://viewfromthebunker.com/</a></li>
<li>Uncommon Sense Security/Jack Daniels <a href="http://blog.uncommonsensesecurity.com/">http://blog.uncommonsensesecurity.com/</a></li>
<li>Securosis Blog/Insights/ Mike Rothman <a href="http://securosis.com/blog">http://securosis.com/blog</a></li>
</ul>
<p><strong>Security Blog that best represents the industry</strong></p>
<ul>
<li>Threat Post <a href="http://www.threatpost.com/">http://www.threatpost.com</a></li>
<li>Krebs on Security <a href="http://www.krebsonsecurity.com/">http://www.krebsonsecurity.com</a></li>
<li><strong>CSO Online Blog </strong><a href="http://blogs.csoonline.com/">http://blogs.csoonline.com/</a></li>
<li><strong>Threat Level (Wired) </strong><a href="http://blogs.csoonline.com/">http://blogs.csoonline.com/</a></li>
<li>Schneier On Security <a href="http://www.schneier.com/">http://www.schneier.com/</a></li>
</ul>
<p><strong>The single best security blog post of the year</strong></p>
<ul>
<li>The Death of Security as We Know It (<a href="http://techbuddha.wordpress.com/2010/11/16/2011-the-death-of-security-as-we-know-it-or-operationalizing-security/">http://techbuddha.wordpress.com/2010/11/16/2011-the-death-of-security-as-we-know-it-or-operationalizing-security/</a>)</li>
<li>CyberSecurity and National Policy by Dan Geer (<a href="http://www.harvardnsj.com/2010/04/cybersecurity-and-national-policy/">http://www.harvardnsj.com/2010/04/cybersecurity-and-national-policy/</a>)</li>
<li>Ralph Langner, Langner Communications series on Stuxnet <a href="http://www.langner.com/en/2010/12/09/our-stuxnet-timeline/">http://www.langner.com/en/2010/12/09/our-stuxnet-timeline/</a></li>
<li>“<a href="http://topheavysecurity.com/2010/12/13/securitybsides-turned-me-into-an-adult/">SecurityBSides Turned Me into an Adult</a>” by Michelle Klinger, from her <a href="http://topheavysecurity.com/">Fear Not the Assessor</a> blog <a href="http://topheavysecurity.com/2010/12/13/securitybsides-turned-me-into-an-adult/">http://topheavysecurity.com/2010/12/13/securitybsides-turned-me-into-an-adult/</a></li>
<li>Brian Krebs (krebsonsecurity) Sept. 30, 2010 “U.S. charges 37 alleged money mules” <a href="http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/">http://krebsonsecurity.com/2010/09/u-s-charges-37-alleged-money-mules/</a></li>
<li>“How to Become an Information Security Thought Leader” by Chris Eng (<a href="http://www.xtranormal.com/watch/7897173">http://www.xtranormal.com/watch/7897173</a>)</li>
</ul>
<p>Every  single one of these blogs is already a winner having been  selected by  our blue ribbon panel of judges. Voting closes at the end  of the month,  so please don’t wait to vote!</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.securityheavy.com/2011/01/security-blogger-network-social-security-awards-voting-has-begun/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to tell a Compelling Story at RSA Conference 2011</title>
		<link>http://www.securityheavy.com/2011/01/how-to-tell-a-compelling-story-at-rsa-conference-2011/</link>
		<comments>http://www.securityheavy.com/2011/01/how-to-tell-a-compelling-story-at-rsa-conference-2011/#comments</comments>
		<pubDate>Mon, 03 Jan 2011 19:00:09 +0000</pubDate>
		<dc:creator>Blogger in Chief</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[General IT Security]]></category>
		<category><![CDATA[Marketing]]></category>
		<category><![CDATA[Public Relations]]></category>
		<category><![CDATA[RSA Conference 2011]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[eEye Digital Secuity]]></category>
		<category><![CDATA[enetrprise_defense]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Trainer Communications]]></category>

		<guid isPermaLink="false">http://www.securityheavy.com/?p=844</guid>
		<description><![CDATA[Posted by Joe Franscella, 1-3-2011: 2011 is here, and for those of us in the mix so is RSA Conference 2011. Many of us  have already been working with clients on their plans and pitches for the event and the veterans among us know that by now we should be focusing in on what our [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Posted by Joe Franscella, 1-3-2011:</strong><a href="http://www.securityheavy.com/wp-content/uploads/2011/01/RSAC2011_Alice-and-Bob.jpg"><img class="alignright size-full wp-image-847" title="RSAC2011_Alice and Bob" src="http://www.securityheavy.com/wp-content/uploads/2011/01/RSAC2011_Alice-and-Bob.jpg" alt="" width="358" height="162" /></a></p>
<p>2011 is here, and for those of us in the mix so is <a href="http://www.rsaconference.com/2011/usa/index.htm">RSA Conference 2011</a>. Many of us  have already been working with clients on their plans and pitches for the event and the veterans among us know that by now we should be focusing in on what our news will be and how to best present it within a crowded, competitive and aggressive field.</p>
<p>Last year I polled a number of journalists and analysts regarding what they look for in compelling news. Most pointed out directly that they wanted to know two things: 1.) what&#8217;s new; and 2.) why is it important to the readers. To expand a little on both:</p>
<p>&#8220;What&#8217;s New.&#8221; This is not just the what&#8217;s new surrounding your company and product but also the what&#8217;s new to the industry. If you want to be successful with journalists, it is of utmost importance when telling your clients&#8217; stories that you are able to pull out of the marketing exactly what&#8217;s new in terms of the technology and its application and why the latest version can do something in a way that has never been done prior.</p>
<p>&#8220;Why Important.&#8221; I can&#8217;t emphasize enough that trying to tell a journalist or analyst that something is important because a vendor says it is just doesn&#8217;t cut it. You need facts, data and feedback from the field that validates your position. <a href="http://trainercomm.com/">Trainer Communications</a> managed a recent launch by our client <a href="http://www.eeye.com/Home.aspx">eEye Digital Security</a> where we talked in-depth about the new product line, but to truly achieve recognition we anchored it to a neutral <a href="http://pages.eeye.com/VMTrends.html">research report</a> that included a survey of over 1,900 respondents &#8212; demonstrating the problems and needs within the vulnerability management market. This was just the news journalists needed to make a compelling story.</p>
<p>If you are headed to RSAC 2011 with clients this year, I can&#8217;t emphasize enough two things: What&#8217;s New and Why is it Important. And, remember to back both up with neutral facts. To read about what the journalists and analysts said last year, visit: <a href="http://www.securityheavy.com/2010/02/writeranalyst-rsac-pitching-pet-peeves-tell-me-something-new-please/">Tell Me Something New, Please</a>.</p>
<p>One other thought, this year RSAC is going to be especially productive for Trainer. In addition to representing clients on the show floor, we are also going to host an event in tandem that will focus on educating vendors on how to improve their market visibility through PR and marketing. The venue is being finalized, but the free lunch will play host to a number of enterprise buyers, vendors, press and media who will provide candid opinions on the topic. If you are interested shoot me an email at jfranscella at trainercomm dot com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityheavy.com/2011/01/how-to-tell-a-compelling-story-at-rsa-conference-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Moussouris to Leggio: It Bears Security Risk, and That&#8217;s That.</title>
		<link>http://www.securityheavy.com/2010/10/moussouris-to-leggio-it-bears-security-risk-and-thats-that/</link>
		<comments>http://www.securityheavy.com/2010/10/moussouris-to-leggio-it-bears-security-risk-and-thats-that/#comments</comments>
		<pubDate>Thu, 21 Oct 2010 21:44:08 +0000</pubDate>
		<dc:creator>Blogger in Chief</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[General IT Security]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Jennifer Leggio]]></category>
		<category><![CDATA[Katie Moussouris]]></category>
		<category><![CDATA[Mark Zuckerberg]]></category>
		<category><![CDATA[Social Business]]></category>
		<category><![CDATA[ZDNet]]></category>

		<guid isPermaLink="false">http://www.securityheavy.com/?p=807</guid>
		<description><![CDATA[Posted by Joe Franscella, 10-21-2010: I always enjoy reading Jenn Leggio&#8217;s Social Business column at ZDNet and am thoroughly enjoying 100 Brains. Today she interviews Microsoft Security Guru Katie Moussouris, focusing on some social media security specifics that I found particularly interesting. Before writing about what I found specifically intriguing, I want to digress slightly [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Posted by Joe Franscella, 10-21-2010:</strong><a href="http://www.securityheavy.com/wp-content/uploads/2010/10/Security-Heavy-Social-Business-Jenn-Leggio.jpg"><img class="alignright size-full wp-image-815" title="Security Heavy Social Business Jenn Leggio" src="http://www.securityheavy.com/wp-content/uploads/2010/10/Security-Heavy-Social-Business-Jenn-Leggio.jpg" alt="" width="317" height="81" /></a></p>
<p>I always enjoy reading Jenn Leggio&#8217;s Social Business column at ZDNet and am thoroughly enjoying 100 Brains. Today she interviews Microsoft Security Guru Katie Moussouris, focusing on some social media security specifics that I found particularly interesting.</p>
<p>Before writing about what I found specifically intriguing, I want to digress slightly to headlines of the past couple days related to Facebook&#8217;s third-party app privacy flaws (or I guess you would call flaws &#8220;features&#8221; if you were on the third-party app side <img src='http://www.securityheavy.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> ). The headlines made it sound as if there was some profound revelation in that Facebook was — can you imagine — not protecting users’ privacy, gasp! When the headlines broke, the first thing I posted on my Facebook was that I could hardly believe by now that anyone using Facebook does not understand that virtually anything and everything they post is, in a word, accessible. Anyone who hasn&#8217;t figured out that Mark Zuckerberg is providing a place to &#8220;share&#8221; and not &#8220;hide&#8221; information really doesn&#8217;t get the whole point of the site.</p>
<p>Back to the Leggio column with Moussouris. The QA I found intriguing (because it backs my opinion) is this:</p>
<p><em>Q. There’s a lot written about security and social media and education. Do you think it is reaching the right people?<br />
</em></p>
<p><em>A. I think that it doesn’t matter who it reaches, as there will always be people who will flock to social media sites regardless of whether or not their info is secure.  I personally assume and accept the elevated security risk in using social media. There was a time I tried to resist using graphical web browsers (I used lynx), due to my inherent paranoia, but the draw of The Onion online with hilarious photos drew me in and I began using another browser.  Similarly, the convenience features, and lure of all your friends in social media will draw even some of the most paranoid security people to join in. I think the right education for everyone about current social media and security is to set the expectation that it <strong>bears security risk, and that’s that</strong>. Use at your own risk!</em></p>
<p>Facebook, and any online social community, &#8220;bears security risk, and that&#8217;s that.&#8221;</p>
<p>One final thought:</p>
<p>There are instances where security risks on Facebook and the like aren&#8217;t inherent in the purpose of the technology, which, again, is to share and not hide information. These instances include social engineers and other attackers who blatantly attempt to suck users in with malicious links and nefarious offers. Does Facebook have an obligation to keep the criminals out and its users protected? I don&#8217;t want to get into this philosophical argument but I will opine that we — users — are placing a rather unrealistic expectation on Zuckerberg if we think that he alone can solve the problem of Internet crime and security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityheavy.com/2010/10/moussouris-to-leggio-it-bears-security-risk-and-thats-that/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Black hat: Protecting the Web; DefCon: Hacking It?</title>
		<link>http://www.securityheavy.com/2010/07/black-hat-protecting-the-web-defcon-hacking-it/</link>
		<comments>http://www.securityheavy.com/2010/07/black-hat-protecting-the-web-defcon-hacking-it/#comments</comments>
		<pubDate>Sat, 31 Jul 2010 04:27:37 +0000</pubDate>
		<dc:creator>Blogger in Chief</dc:creator>
				<category><![CDATA[Black hat]]></category>
		<category><![CDATA[DefCon]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[General IT Security]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[enetrprise_defense]]></category>
		<category><![CDATA[Homeland Security]]></category>
		<category><![CDATA[IP Security]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.securityheavy.com/?p=767</guid>
		<description><![CDATA[Posted by: Joe Franscella, 7-30-2010: Las Vegas, NV – After two days of Black hat I now see the relationship between that event and DefCon. Black hat seems to be the place where IT security vendors try to convince the world that they can protect the Internet, whereas DefCon attendees clearly — whether they say [...]]]></description>
			<content:encoded><![CDATA[<p>Posted by: Joe Franscella, 7-30-2010:</p>
<p>Las Vegas, NV – After two days of Black hat I now see the relationship between that event and DefCon. Black hat seems to be the place where IT security vendors try to convince the world that they can protect the Internet, whereas DefCon attendees clearly — whether they say it or not — are well equipped to slash through everything being sold at Black hat. It seems like it would make more sense for DefCon to come first and Black hat to follow, that way media, analysts and enterprise buyers could first find out the latest looming threats on display at DefCon and then be well equipped to ask Black hat exhibitors if their products could withstand the attacks.</p>
<p>For those who could not attend this year, there has been a lot of great coverage emerging and a few interesting photos as well. My favorite, one I shot today of the Mohawk hair cutting station in the middle of the main pavilion:</p>
<p><a href="http://www.securityheavy.com/wp-content/uploads/2010/07/Mohawk-Station-at-DefCon2.jpg"><img class="aligncenter size-medium wp-image-771" title="Mohawk Station at DefCon" src="http://www.securityheavy.com/wp-content/uploads/2010/07/Mohawk-Station-at-DefCon2-300x224.jpg" alt="" width="300" height="224" /></a></p>
<p>Interesting thing about IT security, it really is a lot like what you see on TV. A lot of well-dressed suits and highly educated men and women on the sales, marketing and business side with crazed technophiles putting it all together behind the scenes.</p>
<p>Anyway, lots of great stories and photos are coming out of the event. Check out all of the usual IT haunts for coverage. I plan to post a more comprehensive wrap up tomorrow. Hopefully with some video.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityheavy.com/2010/07/black-hat-protecting-the-web-defcon-hacking-it/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>MAC Attack, A Case of the Midnight Munchies No More &#8230;</title>
		<link>http://www.securityheavy.com/2010/06/mac-attack-a-case-of-the-midnight-munchies-no-more/</link>
		<comments>http://www.securityheavy.com/2010/06/mac-attack-a-case-of-the-midnight-munchies-no-more/#comments</comments>
		<pubDate>Mon, 07 Jun 2010 17:15:16 +0000</pubDate>
		<dc:creator>Blogger in Chief</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[General IT Security]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Dan Kaplan]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[MAC]]></category>
		<category><![CDATA[SC Magazine]]></category>
		<category><![CDATA[Steve Jobs]]></category>

		<guid isPermaLink="false">http://www.securityheavy.com/?p=700</guid>
		<description><![CDATA[Posted by Joe Franscella, 6-7-2010: My college days are long behind me, but through the years I have still managed to keep a few extra pounds on by caving to my late night Big Mac cravings, here and there. This seemingly harmless guilty-pleasure is probably something I will never shake (no pun intended). What can [...]]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignright size-full wp-image-710" title="MAC Cyber Attack" src="http://www.securityheavy.com/wp-content/uploads/2010/06/MAC-Cyber-Attack.JPG" alt="MAC Cyber Attack" width="276" height="350" />Posted by Joe Franscella, 6-7-2010:</strong></p>
<p>My college days are long behind me, but through the years I have still managed to keep a few extra pounds on by caving to my late night Big Mac cravings, here and there. This seemingly harmless guilty-pleasure is probably something I will never shake (no pun intended). What can I say, I&#8217;m a product of the &#8220;two all-beef patties, special sauce, lettuce, cheese, pickles, onions, all on a sesame seed bun&#8221; generation.</p>
<p>MAC attack! It means something totally different now. A few years back when I went all MAC for my home and personal computing needs it was based on three things, 1.) Coolness (yes, this came first), 2.) Ease of personal media creation and distribution, 3.) I was in publishing, used it in my work environment and liked it.</p>
<p>When I went MAC security wasn&#8217;t an issue for me. I was more than comfortable with knowing that my MACs weren&#8217;t high-priority targets and felt secure installing the semi-regular security updates sent out by Steve Jobs&#8217; crew. Having just gone through the hassle of fixing a PC attacked by malware though, which leveraged its way in due to a simple false move where I clicked a wrong link, I now have a different attitude. Which is why I took steps to improve my MACs&#8217; security.</p>
<p>Last Friday, SC Magazine&#8217;s Dan Kaplan wrote a particularly telling piece related to the growing MAC security problem. <a href="http://www.scmagazineus.com/spyware-that-targets-mac-applications-still-lingering/article/171741/">Spyware that targets Mac applications still lingering</a>, Kaplan reports:</p>
<p><em>A purported spyware application bundled with roughly 30 Mac third-party screensavers is back active after its maker temporarily stopped distributing it.</em></p>
<p><em>The software, dubbed OSX/OpinionSpy by Mac security firm Intego, is rated high-risk because it scans files, records user activity and sends that information back to remote servers via a backdoor. Officially known as PremierOpinion,  the software is not initially contained in the screensavers but downloaded during installation.</em></p>
<p>A great summary of what it is and what it does, what I found equally interesting was this paragraph:</p>
<p><em>&#8220;The malware, a version of which has <strong>existed for Windows since 2008</strong>, claims to collect browsing and purchasing information that is used in market reports,&#8221; an Intego blog post  said. &#8220;However, this program goes much further, performing a number of insidious actions, which have led Intego to classify it as spyware.&#8221;</em></p>
<p>Why did I find this interesting? It demonstrates clearly that Windows OS hackers are continuing to target MACs more frequently. Also, it shows that the millions &#8212; maybe billions? &#8212; of ultra-successful Windows exploits that have been prevalent for years are easily adapted to targeting MACs. To get at your MAC, cybercriminals don&#8217;t have to wait for a MAC-focused hacker community to mature to plan mass hits, they can rely on an abundance of tools already available.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityheavy.com/2010/06/mac-attack-a-case-of-the-midnight-munchies-no-more/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSAC 2010 Survey Says: Competitors Biggest Spy Threat</title>
		<link>http://www.securityheavy.com/2010/03/rsac-2010-survey-says-competitors-biggest-spy-threat/</link>
		<comments>http://www.securityheavy.com/2010/03/rsac-2010-survey-says-competitors-biggest-spy-threat/#comments</comments>
		<pubDate>Thu, 18 Mar 2010 21:51:33 +0000</pubDate>
		<dc:creator>Blogger in Chief</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[General IT Security]]></category>
		<category><![CDATA[RSA Conference 2010]]></category>
		<category><![CDATA[Barclays Bank]]></category>
		<category><![CDATA[Brocade]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[eBay]]></category>
		<category><![CDATA[Echelon One]]></category>
		<category><![CDATA[enetrprise_defense]]></category>
		<category><![CDATA[Forrester]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[PacketMotion]]></category>
		<category><![CDATA[Secure Passage]]></category>

		<guid isPermaLink="false">http://www.securityheavy.com/?p=691</guid>
		<description><![CDATA[Posted by Joe Franscella, 3-17-2010: Trainer Communications&#8217; PR and marketing professionals were, again, all over the RSA Conference, myself included. This year was especially exciting as the amount of client&#8217;s we were representing there increased 300 percent over 2009 and this year we conducted two surveys for our clients PacketMotion and Brocade and helped our [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Posted by Joe Franscella, 3-17-2010:</strong></p>
<p>Trainer Communications&#8217; PR and marketing professionals were, again, all over the RSA Conference, myself included. This year was especially exciting as the number of clients we were representing there increased 300 percent over 2009 and this year we conducted two surveys for our clients PacketMotion and Brocade and helped our client Secure Passage out with social media activities management and execution. In general, I&#8217;d estimate that Trainer&#8217;s increased RSAC presence and that of its clients is a great indication that, despite the slow pace of the improving economy, the IT security industry remains strong and continues to grow.</p>
<p>Angela Griffo&#8217;s crew did a bang-up job with the Brocade survey, I found some of the results to be especially interesting, especially the one on whom within enterprises security pros are the most concerned about spying on behalf of. I thought for sure that IT security folks would have a major concern that foreign government spies were after technological advancements, after all, the Constitution of the People&#8217;s Republic of China is riddled with amendments that almost say &#8220;economic advancement at all costs.&#8221; But not so, the vast majority of infosec pros surveyed, 41 percent, stated that they were more concerned that there might be internal spies working for competitors. Check out the conclusion:</p>
<p style="text-align: center;"><img class="size-full wp-image-692 aligncenter" title="Brocade Chart 1" src="http://www.securityheavy.com/wp-content/uploads/2010/03/Brocade-Chart-1.JPG" alt="Brocade Chart 1" width="568" height="369" /></p>
<p style="text-align: left;">A result that I found to be equally intriguing was the one that asked whether or not security policies were being enforced. Seventy percent of respondents said &#8220;yes,&#8221; but this made me wonder exactly how effective or comprehensive the &#8220;enforced&#8221; policies really are, especially in light of the use of social networks in the workplace and personal devices being used to access networks. If you check out this video we put together for PacketMotion, you&#8217;ll notice that eBay&#8217;s Information Security Chief of Staff points out that mobile devices are something everyone has and uses for work these days.</p>
<p style="text-align: left;"><a href="http://www.securityheavy.com/2010/03/rsac-2010-survey-says-competitors-biggest-spy-threat/"><em>Click here to view the embedded video.</em></a></p>
<p style="text-align: left;">Back to the enforcement question, here are the total results of the question:</p>
<p style="text-align: left;"><img class="aligncenter size-full wp-image-693" title="Brocade Chart 4" src="http://www.securityheavy.com/wp-content/uploads/2010/03/Brocade-Chart-4.JPG" alt="Brocade Chart 4" width="568" height="369" /></p>
<p style="text-align: left;">I know I am behind a week on my &#8220;What is the Cloud? Film at 11 Post,&#8221; but that&#8217;s coming soon, I promise. Things are really picking up at Trainer and I have little to no time to blog lately, but I am starting to carve out room.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityheavy.com/2010/03/rsac-2010-survey-says-competitors-biggest-spy-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RSAC 2010: Defining the Cloud, Film at 11</title>
		<link>http://www.securityheavy.com/2010/03/rsac-2010-defining-the-cloud-film-at-11/</link>
		<comments>http://www.securityheavy.com/2010/03/rsac-2010-defining-the-cloud-film-at-11/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 22:55:18 +0000</pubDate>
		<dc:creator>Blogger in Chief</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[General IT Security]]></category>
		<category><![CDATA[RSA Conference 2010]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[PacketMotion]]></category>
		<category><![CDATA[RSA Conference]]></category>
		<category><![CDATA[Secure Passage]]></category>
		<category><![CDATA[Trainer Communications]]></category>

		<guid isPermaLink="false">http://www.securityheavy.com/?p=679</guid>
		<description><![CDATA[Posted by Joe Franscella, 3-5-2010: Again, I had an excellent, educational experience at the RSA Conference. I run into editors, bloggers and analysts I know from time to time at the show and always ask them the same question, anything new, exciting or cutting-edge? Invariably, I get yes and no responses but this year I [...]]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignright size-full wp-image-687" title="Define Cloud" src="http://www.securityheavy.com/wp-content/uploads/2010/03/Define-Cloud1.JPG" alt="Define Cloud" width="179" height="256" />Posted by Joe Franscella, 3-5-2010:</strong></p>
<p>Again, I had an excellent, educational experience at the RSA Conference. I run into editors, bloggers and analysts I know from time to time at the show and always ask them the same question: anything new, exciting or cutting-edge? Invariably, I get yes and no responses but this year I think I heard more say they were excited about the fact that innovation is starting to creep back into the game. At around 11 Tuesday night, I ran into Richard Stiennon crossing Howard Street; he was with an MSP friend of his and during our brief conversation he mentioned a few of the more &#8220;interesting&#8221; vendors he had come across. I look forward to reading his complete thoughts on them when he publishes.</p>
<p>Again, I had the privilege of shooting video during the Executive Women&#8217;s Forum party at the W Wednesday night. This year I had the chance to interview three of some of the world&#8217;s most well known players in the Cloud and Cloud security game. On camera, each was asked what is the Cloud and can it be secured? The answers were stunning: I got back a technical, business and metaphoric description &#8212; I&#8217;m pleased to be able to say that my hours of research have paid off as the definitions weren&#8217;t far from the conclusions I had made prior to talking with them. Next week, I will be posting the video.</p>
<p>Rake Narang of Info Security Products Guide visited two Trainer Communications clients&#8217; booths at RSA, Secure Passage and PacketMotion. Each did an excellent job at quickly and comprehensively telling their company&#8217;s stories:</p>
<p><a href="http://www.securityheavy.com/2010/03/rsac-2010-defining-the-cloud-film-at-11/"><em>Click here to view the embedded video.</em></a></p> <p><a href="http://www.securityheavy.com/2010/03/rsac-2010-defining-the-cloud-film-at-11/"><em>Click here to view the embedded video.</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityheavy.com/2010/03/rsac-2010-defining-the-cloud-film-at-11/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Writer/Analyst RSAC Pitching Pet Peeves; Tell Me Something New &#8230; Please</title>
		<link>http://www.securityheavy.com/2010/02/writeranalyst-rsac-pitching-pet-peeves-tell-me-something-new-please/</link>
		<comments>http://www.securityheavy.com/2010/02/writeranalyst-rsac-pitching-pet-peeves-tell-me-something-new-please/#comments</comments>
		<pubDate>Thu, 25 Feb 2010 21:34:57 +0000</pubDate>
		<dc:creator>Blogger in Chief</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[General IT Security]]></category>
		<category><![CDATA[Public Relations]]></category>
		<category><![CDATA[RSA Conference 2010]]></category>

		<guid isPermaLink="false">http://www.securityheavy.com/?p=667</guid>
		<description><![CDATA[Posted by Joe Franscella, 2-25-2010: RSA Conference 2010 is here, only a few days away at least. Many in the PR trenches are busy psycho-dialing in hopes of scheduling that one last, or in some cases first, meeting with a journalist or analyst so you can prove your worth to your clients. If you have [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Posted by Joe Franscella, 2-25-2010:<img class="alignright size-full wp-image-670" title="What's New" src="http://www.securityheavy.com/wp-content/uploads/2010/02/Whats-New3.JPG" alt="What's New" width="286" height="243" /></strong></p>
<p>RSA Conference 2010 is here, only a few days away at least. Many in the PR trenches are busy psycho-dialing in hopes of scheduling that one last, or in some cases first, meeting with a journalist or analyst so you can prove your worth to your clients. If you have a big name to throw around with some big news coming out at the show then you may be hitting the jackpot, however, if you have small clients that don’t command recognition just based on their name brand, you may be running into some high, high, I mean high, hurdles.</p>
<p>If you have a small client and you were smart about it, you set them up to do mostly prebriefings with news breaking this week; I see some of this going on and it is clearly paying off. If, however, you are chartered with booking the all-coveted show briefing and you are having bad luck, don’t despair, you may be able to interest at least a few writers or analysts — if you know what they&#8217;re after and you know how to approach them.</p>
<p>In an attempt to better understand what might secure (no pun intended) a briefing with a security writer or analyst at the world’s biggest security trade show, I reached out to a wide audience and asked them what their pet RSAC pitching peeves are and what might make for an interesting pitch and potentially secure a meeting. Responses were similar all around — “tell me something new, something I don’t already know and something that is affecting the industry on a wide scale; don’t bother me with follow-up calls, understand what I write and for God’s sake, understand the difference between news and marketing — I do.”</p>
<p>Judge for yourself by some of these responses, are you following the rules?</p>
<p><strong>Seth Rosenblatt, CNET Download.com, <a href="http://download.cnet.com/download-blog/?tag=rb_content;overviewHead">http://download.cnet.com/download-blog/?tag=rb_content;overviewHead</a>: </strong></p>
<p>The best thing any PR rep can do is research. Far too few actually spend the 30 seconds of Googling required to learn who covers which beats, and this is incredibly important in the complex field of security. Do all political reporters cover the White House?</p>
<p><strong>Kelly Jackson Higgins, Dark Reading, <a href="www.darkreading.com">www.darkreading.com</a>:</strong></p>
<p><em>Peeve: </em>When they bundle all of their security clients together into one email/pitch.</p>
<p><em>What works:</em> Tell me something I don&#8217;t already know, or have something truly innovative to share.</p>
<p><strong>Ira Victor, The CyberJungle Live 10a-noon Pacific, Saturdays at <a href="http://www.kkoh.com/">www.kkoh.com</a>, Podcast anytime: <a href="http://www.thecyberjungle.com/">www.TheCyberJungle.com</a>:</strong></p>
<p><em>Peeve:</em> PR people pitching products rather than true hard news stories</p>
<p><em>What works:</em> Learn about our program, and pitch us stories that would be newsworthy for our audience</p>
<p><strong>Martin McKeay, Network Security Blog and Podcast, <a href="http://www.mckeay.net/">http://www.mckeay.net</a>, <a href="http://netsecpodcast.com/">http://netsecpodcast.com</a>:</strong></p>
<p><em>Peeve: </em> PR hacks who call and call and call and never leave a message or send an email.  If you want to talk to me, leave me a message and I&#8217;ll get back to you if I&#8217;m interested.</p>
<p><em>What works: </em> Take the time to do your research and make sure it&#8217;s something that&#8217;s going to be at least related to what I do.</p>
<p><strong>Dr. Anton Chuvakin, <a href="http://www.chuvakin.org">http://www.chuvakin.org</a>, <a href="http://www.securitywarrior.org">http://www.securitywarrior.org</a>:</strong></p>
<p><em>Peeve:</em> Blind and uneducated pitches like &#8220;Need PCI-DSS compliancy? We can help!&#8221; They are my #1 pet peeve since they are both dumb and mistargeted.</p>
<p><em>What works:</em> New, hot technology that falls under the category of things that I care about worked the best.</p>
<p><strong>Deb Radcliff, Freelancer (SC Magazine/Network World, Online Crime Bites), <a href="http://derad.typepad.com/">http://derad.typepad.com/</a>:</strong></p>
<p><em>Peeve:</em> A PR person I really like just sent the stupidest note.  “I have a lot of clients at RSA. So tell me your schedule and I’ll book them into your schedule.”</p>
<p><em>What works: </em>Have some relevant market information, be in the pulse, and don’t just try to tell me a 4.0 is better than the 3.5. The other best thing, really try to align the client with the interests you know about the writer. Some try to shove these folks down the throat just for facetime no matter there’s a match or not there.</p>
<p><strong>Jennifer Leggio, ZDNet | Social Business, Quick&#8217;n&#8217;Dirty Podcast, <a href="http://blogs.zdnet.com/feeds/?tag=trunk;content">http://blogs.zdnet.com/feeds/?tag=trunk;content</a>:</strong></p>
<p><em>Peeve:</em> Based on the pitches I am receiving it is clear that many PR people are not reading my bio or my blog. I&#8217;m getting pitches for data center hardware when what I cover is security relative to social networking. Not to mention, I work for a security vendor in my day job and I&#8217;ve had my company&#8217;s competitors send me pitches assuming that I would honor an embargo, even though I have no past relationship with the PR person. It&#8217;s both shocking and disappointing how many companies are sending proprietary news like that.</p>
<p><em>What works</em>: Simple &#8211; make it relative to what I cover.</p>
<p><strong>Sharon J. Watson, Senior Producer, Security Squared, </strong><a href="http://www.experteditorial.net/securitysquared/">http://www.experteditorial.net/securitysquared/</a><strong>:</strong></p>
<p><em>Peeve</em>: Agency reps—and they are always from agencies—who clearly didn’t bother to look at Security Squared in any depth to find out what info we cover or for whom we cover it, so they pitch products/companies that clearly don’t fit our profile (and the pitches are always generic).</p>
<p><em>What works</em>: Tell me how your announcement fits our coverage profile and then tell me you have a consultant, analyst or user/beta tester I can talk with to vet your whiz-bang statements.</p>
<p><strong>Mike Rothman, Analyst &amp; President, Securosis,<a href="www.securosis.com"> www.securosis.com</a>:</strong></p>
<p>#1 peeve is PR folks sending me bulk e-mail merge notes trying to get time with me. Oh, kind of like this message. <img src='http://www.securityheavy.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
<p>More seriously:</p>
<p>1) #1 peeve is someone that doesn&#8217;t take the time to understand what I cover and just sends me a blast email. No I don&#8217;t care about line encryptors and I&#8217;m not going to take a briefing at RSA about it.</p>
<p>2) #2 peeve is PR flacks trying to get me interested in their client/company 3 weeks before a show. Last time I checked, the year was 365 weeks and this is a relationship business. If I haven&#8217;t heard of you, the likelihood that I&#8217;ll take a briefing at a show like RSA (where I have maybe 20 meetings slots the entire week) is nil. So start building the relationship in the other 362 weeks of the year and then maybe we&#8217;ll get some time at RSA.</p>
<p>3) To be clear, there is nothing a PR hack can do to get me interested and to take a meeting. I make my own list of companies I&#8217;d be willing to meet with about 6 weeks ahead of the show. Then I tier it. I reach out to the folks I feel I need to see there (top tier). Then if someone else on the list approaches me, I&#8217;ll probably take the meeting. If you aren&#8217;t on the list, you&#8217;ve got no chance to get on my calendar.</p>
<p>To wrap up, the personal touch is always best received. Read my blog, follow my research and then make your pitch TO ME. Not some blast email. That ends up in the circular bin immediately.</p>
<p><strong>Ellen Messmer, Sr. Editor, Network World, <a href="www.networkworld.com">www.networkworld.com</a>:</strong></p>
<p><em>Peeve</em>: Assuming there’s a lot of time to meet</p>
<p><em>What works</em>: Make it clear why the news is important</p>
<p><strong>Mirko Zorz, Editor in Chief, Help Net Security &#8211; <a href="www.net-security.org ">www.net-security.org </a>(IN)SECURE Magazine  &#8211; <a href="www.insecuremag.com">www.insecuremag.com</a>:</strong></p>
<p><em>Peeve</em>: What annoys me the most is a *long* pitch consisting of several paragraphs informing me of news I&#8217;m very well aware of, as every member of the press should be. Such essays usually contain hideously exaggerated terms such as &#8220;leading, unprecedented, best-of-breed, industry defining&#8221; to describe the generally very obscure company I should be running to talk with because someone named Pam told me there are a lot of breaches and that&#8217;s a problem. Wow, really?</p>
<p><em>What works</em>: They should actually read the publications they&#8217;re pitching to, find how they do cover events such as RSA and what topics they focus on. These kinds of pitches are always short, informative and make my decision easy.</p>
<p>PRs that have been in the business for a while should learn how to develop a relationship with the people they&#8217;re pitching to. Some of the great ones have been sending me material for years and when it&#8217;s coming from them I know it&#8217;s worth publishing. They know what I&#8217;m looking for because they took the time to find out. It makes both our lives much easier as less time is wasted on unnecessary e-mails.</p>
<p><strong>Rake Narang, editor-in-chief for Info Security Products Guide, <a href="http://www.infosecurityproductsguide.com/">http://www.infosecurityproductsguide.com/</a>:</strong></p>
<p><em>Peeve</em>: I travel a lot and therefore prefer emails to voicemails. As we approach nearer to any major shows every year, I find that tons of voice messages are left for me. That’s the time I do not have time to listen to voicemails as my pre-event meetings and interviews have already begun and therefore I am probably not even available in my office. There’s no way that I will actually have time to listen to all those mostly 10+ minute voice messages.</p>
<p><em>What works</em>: I am always open to new product announcements. Three things that I love most are products, products, products. If your initial message can summarize some recent attacks or security threats and how your new product can help, then I am already listening. I read all emails sent to me and anyone can approach me directly.</p>
<p><strong>Nick Selby, Managing Director, Trident Risk Management, <a href="http://tridentrm.com">http://tridentrm.com</a>:</strong></p>
<p><em>Peeve</em>: RSA is the busiest time of an analyst’s year; there are literally dozens of companies trying to get face time, and we’re looking forward to finding out lots of new information. The problem is, all companies think that RSA is, like, the best time ever to announce a new whatsit. So in addition to trying to meet up and see what’s happening in general, the flacks are all trying to get us juiced about some dumb-ass gimmick they’ve come up with to cut through the noise of RSA. Hello? The NOISE of RSA is why we go to RSA. All these announcements are distracting. What, you’re  so desperate for validation that you think that putting “RSA Conference 2010” in the lede of your press release will make customers say, ‘Oh boy! That product must be really good – they announced it at a conference they paid to be in!’ I don’t think so.</p>
<p><em>What works</em>: If you truly want me to get excited, give me an embargoed release before the show so I can see whether I care. Don’t flatter yourself that you’re letting the cat out of the bag – no one cares about your drama unless you do more than $250m in business each year and even then it’s not like, you know, national security stuff (no matter how you try to play up that your CTO used to work for the CIA or went to MIT *yawn). Speak ENGLISH in your press releases (Nick Patience at The 451 Group famously said, “I know you have an end-to-end solution…But is it tightly integrated?”).</p>
<p>That is all.</p>
<p><strong>Scott Crawford, Enterprise Management Associates, <a href="http://www.enterprisemanagement.com/">http://www.enterprisemanagement.com/</a>:</strong></p>
<p>Actually, this seems to have improved quite a bit in the last few years.  There seems to be greater understanding that we simply cannot respond to every request to meet (so don’t take it personally if we don’t). PR pros should also recognize that analysts aren’t journalists. Attention-getting is a non-starter. Our job is to highlight actual value, and we recognize we have to be thorough in covering a broad market, so we will take note. But give us the facts and make them digestible because if you don’t, we will do it for you. If I see that and I have an interest in your area, I will get back to you. We are interested more in the impact of a vendor offering on the market, on customers, and – most importantly – on real issues. Does a “solution” actually solve something? If not, that’s one of my “round file” words.</p>
<p>Again, it’s a question of bandwidth and interest. We simply can’t respond to all requests, nor will we react to every item of “news.” The PR biz in general should recognize that the signal-to-noise ratio is quite high around and before conferences, so they should weigh the risk that an announcement will actually get lost in that noise.  It would be best if 1) they know what we’re currently focused on &amp; likely to respond to, and 2) if it’s actually news. You will help yourself by checking out what we’ve said recently: Twitter, firm websites and blogs should be checked. News really should be news. Product re-branding or incremental version releases aren’t. Innovation is, of course, but that’s a rare thing. Capitalizing on hype will likely get you tuned out, unless the client had already established credibility in the topic or area of concern and has a realistic take on an issue. Saying that a client is now all about &lt;insert hypy topic here&gt;, regardless what they may have claimed to have been all about before, will get you ignored.</p>
<p>Overall: Recognize that you’re doing your client a truly valuable service. Innovators aren’t necessarily communicators. Help your clients understand trends and how they really can address actual problems. Attention-getting gimmicks and manufacturing “news” just to get a client noticed mean you aren’t really invested in doing your homework for your clients. Have some self esteem. Don’t be a “hack,” be a professional and do the legwork to know what the real issues are in your industry, so you can help your clients be better perceived for offering real value, and to help them perform better in fact. That’s a real service.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityheavy.com/2010/02/writeranalyst-rsac-pitching-pet-peeves-tell-me-something-new-please/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>RSA Conference 2010: How to Secure News Coverage for Your IT Security Clients</title>
		<link>http://www.securityheavy.com/2010/01/rsa-conference-2010-how-to-secure-news-coverage-for-your-it-security-clients/</link>
		<comments>http://www.securityheavy.com/2010/01/rsa-conference-2010-how-to-secure-news-coverage-for-your-it-security-clients/#comments</comments>
		<pubDate>Wed, 27 Jan 2010 23:51:32 +0000</pubDate>
		<dc:creator>Blogger in Chief</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[General IT Security]]></category>
		<category><![CDATA[Public Relations]]></category>
		<category><![CDATA[RSA Conference 2010]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[enetrprise_defense]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://www.securityheavy.com/?p=647</guid>
		<description><![CDATA[Posted by Joe Franscella — 1-27-2010: RSA Conference 2010 is here, that’s especially true if you’re in PR and you have an information security client that’s contracted with you to raise awareness for them at the show among media and bloggers. If you’re representing McAfee, Symantec, Cisco, RSA (EMC’s security division) or another mega IT [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Posted by Joe Franscella — 1-27-2010:</strong></p>
<p><a href="http://www.rsaconference.com/index.htm"><img class="aligncenter size-full wp-image-646" title="RSA Conference 2010, How To, Security Heavy" src="http://www.securityheavy.com/wp-content/uploads/2010/01/RSA-Conference-2010-How-To-Security-Heavy.JPG" alt="RSA Conference 2010, How To, Security Heavy" width="386" height="75" /></a>RSA Conference 2010 is here, that’s especially true if you’re in PR and you have an information security client that’s contracted with you to raise awareness for them at the show among media and bloggers. If you’re representing McAfee, Symantec, Cisco, RSA (EMC’s security division) or another mega IT security powerhouse, stop reading — you should be able to attract big ink and electrons based on their size alone. These companies have so many thousands of international customers and so many people dependent on their latest versions that journalists and bloggers owe it to their loyal readers to keep them informed on their latest moves.</p>
<p>If, however, like most of us, you have a smaller client with news that is worthy of coverage but not necessarily able to compete with the biggies, don’t despair, there’s ample opportunity to get your clients the coverage they deserve and need.</p>
<p>If you are representing one of the smaller players in the market, there are a few steps you can take to secure them coverage, when pitching for a briefing remember to:</p>
<ul>
<li>Develop a story around your clients’ news that relates to common trends that will rise out of the conference. Does your clients’ news fit in with the cloud, social networking, Web 2.0, application vulnerabilities, the next wave of viruses, Obama’s plans for cybersecurity, protection of digital healthcare records?</li>
<li>Start reaching out for briefings now, you may not be able to get what you’d otherwise like to during the actual show, but you may be able to do a fair amount of phone briefings leading up to it, thus ensuring that your client is part of roundups and other show-related features that publish.</li>
<li>Consider making your announcements a week before the show. Breaking news leading up to the conference provides press and bloggers with an opportunity to write about developments outside of those they need to cover at the show itself. Enabling them to provide a wider variety of news and information to their readers while at the same time alleviating pressure on them to have to try and cover everything the week of the show may be of help to them.</li>
<li>“Cyberthreats,” “Cybersecurity,” “Cyber-this and Cyber-that.” Remember, telling a writer that your clients’ new version and its features respond to cyberthreats is a little ambiguous at best. When talking to the media and bloggers, specify the threat it defends against, “My client’s new feature was used by company Such-and-Such to thwart Conficker, here’s how …,” is valid information that the information security community can actually use to improve the security environment — news a blogger or journalist could actually attract readers with.</li>
<li>Consider responding to the RSA blogs. Chances are journalists and bloggers covering the show will, at some point, review at least some of these and possibly formulate ideas — if your client is on the ball with being part of these then you just might earn them a little play.</li>
<li>Know what the journalist or blogger you are reaching out to covers; understand their beats. I know, I know — this little bit of direction can be as ambiguous as my thoughts on the use of the term “Cyberthreats.” What I mean by this, is that you should know a few basics prior to your approach: 1.) do they cover product announcements? 2.) do the vast majority of their articles include customer interviews? 3.) are they primarily focused on keeping up with the latest threats? 4.) are they channel-focused or vendor-focused? 5.) do you see any direct or inferred theme or pattern in their last five to six published articles? 6.) Do they rely on hard facts and information that comes out of surveys and other studies? If you have answers to these questions, then you&#8217;ll know what to bring them.</li>
</ul>
<p>Hopefully, these tidbits of information will help you secure some of the coverage you’re on the hook for. They’re by no means foolproof but they are based on what I’ve learned through experience over the past few conferences. Watch for my soon-to-publish survey results of journalists&#8217; and bloggers&#8217; top peeves when it comes to pitching them for RSA briefings.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityheavy.com/2010/01/rsa-conference-2010-how-to-secure-news-coverage-for-your-it-security-clients/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>How Schmidt Can Reach Small, Innovative Game Changers</title>
		<link>http://www.securityheavy.com/2009/12/how-schmidt-can-reach-small-innovative-game-changers/</link>
		<comments>http://www.securityheavy.com/2009/12/how-schmidt-can-reach-small-innovative-game-changers/#comments</comments>
		<pubDate>Thu, 31 Dec 2009 01:11:45 +0000</pubDate>
		<dc:creator>Blogger in Chief</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[General IT Security]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[enetrprise_defense]]></category>
		<category><![CDATA[Homeland Security]]></category>
		<category><![CDATA[Howard Schmidt]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.securityheavy.com/?p=616</guid>
		<description><![CDATA[Posted by Joe Franscella &#8211; 12-28-09 &#8211; The appointment of Howard Schmidt to the position of White House Cybersecurity Coordinator is further indication that President Obama’s administration acknowledges that effective cybersecurity can mean the difference between life and death. The administration should look at cybersecurity in this way, after all, cyberspace provides criminals and terrorists [...]]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignright size-full wp-image-620" title="Michael Jordan It Security Game Changer Blog Post" src="http://www.securityheavy.com/wp-content/uploads/2009/12/Michael-Jordan-It-Security-Game-Changer-Blog-Post1.JPG" alt="Michael Jordan It Security Game Changer Blog Post" width="311" height="256" />Posted by Joe Franscella &#8211; 12-28-09 &#8211; </strong></p>
<p>The appointment of Howard Schmidt to the position of White House Cybersecurity Coordinator is further indication that President Obama’s administration acknowledges that effective cybersecurity can mean the difference between life and death. The administration should look at cybersecurity in this way, after all, cyberspace provides criminals and terrorists with a platform to launch attacks against the US that could have fatal results.</p>
<p>Appointment of an official to a new position is only a first step though, the question remains, “what will Schmidt do?”</p>
<p>It makes sense for Schmidt to engage with private business to address cybersecurity problems and to close security gaps — the White House may be responsible for defending the nation but private enterprise produces the technology that fuels and defends cyberspace.</p>
<p>Schmidt will undoubtedly seek counsel from established IT security vendors, vendors that will use these counsel opportunities to sell him on the importance of influencing Congress to pass legislation calling for regulations that their solutions can provide compliance for. But, will these traditional vendors’ solutions be enough to close security gaps that could lead to fatal outcomes?</p>
<p>Any strategy that relies on technologies supplied by established, major enterprises as the sole means of ensuring security in cyberspace will fail. Evidence of this is clear: in the last year there have been dozens of reports and news headlines that have revealed cyberattacks that have resulted in compromises to top-secret defense initiatives, power grids and other critical systems. It’s safe to assume that most of those breaches took place on networks founded on established technologies.</p>
<p>To reduce risk, Schmidt is going to have to move beyond traditional Washington politics that drive public-private efforts. He is going to have to open Washington’s collective mind to listen to more than just the major enterprises that have lobby dollars available to shape thought on Capitol Hill, and he is going to have to reach out to innovative small companies and startups that have developed game-changing security technologies.</p>
<p>So, how should Schmidt engage startups and other small and innovative technology vendors that typically don&#8217;t have budgets for lobby efforts?</p>
<p>Some steps Washington could take to reach startups and small IT security vendors in the quest to reduce risk are:</p>
<p>1.    Establishment of federal grants for small vendors and startups to fund lobbying efforts<br />
2.    Sponsoring a federal “Demo Day (or Week)” that provides small vendors and startups with funding to cover the costs associated with demoing their solutions on a DC stage<br />
3.    Establishment of federal grants for small vendors and startups that could be used to fund marketing efforts focused on the federal government<br />
4.    The formation of a federal VC banking system that provides taxpayers with equity stakes in IT security startups and small enterprises</p>
<p>When it comes to protecting the nation against cyberattack, foresight needs to be 20/20. It would benefit the nation to identify security technologies that reduce risk prior to a tragedy as opposed to after one. The only way to do this is to take steps that facilitate connections between the federal government and innovators that have the potential to change the game.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityheavy.com/2009/12/how-schmidt-can-reach-small-innovative-game-changers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

