2011 is here, and for those of us in the mix so is RSA Conference 2011. Many of us  have already been working with clients on their plans and pitches for the event and the veterans among us know that by now we should be focusing in on what our news will be and how to best present it within a crowded, competitive and aggressive field.

Last year I polled a number of journalists and analysts regarding what they look for in compelling news, most pointed out directly that they wanted to know two things, 1.) what’s new; and 2.) why is it important to the readers. To expand a little on both:

“What’s New.” This is not just the what’s new surrounding your company and product but also the what’s new to the industry. If you want to be successful with journalists, it is of utmost importance when telling your clients’ stories that you are able to pull out of the marketing exactly what’s new in terms of the technology and its application and why the latest version can do something in a way that has never been done prior.

“Why Important.” I can’t emphasize enough that trying to tell a journalist or analyst that something is important because a vendor says it is just doesn’t cut it. You need facts, data and feedback from the field that validates your position. Trainer Communications managed a recent launch by our client eEye Digital Security where we talked in-depth about the new product line, but to truly achieve recognition we anchored it to a neutral research report that included a survey of over 1,900 respondents — demonstrating the problems and needs within the vulnerability management market. This was just the news journalists needed to make a compelling story.

If you are headed to RSAC 2011 with clients this year, I can’t emphasize enough two things: What’s New and Why is it Important. And, remember to back both up with neutral facts. To read about what the journalists and analysts said last year, visit: Tell Me Something New, Please.

One other thought, this year RSAC is going to be especially productive for Trainer. In addition to representing clients on the show floor, we are also going to host an event in tandem that will focus on educating vendors on how to improve their market visibility through PR and marketing. The venue is being finalized, but the free lunch will play host to a number of enterprise buyers, vendors, press and media who will provide candid opinions on the topic. If you are interested shoot me an email at jfranscella at trainercomm dot com.

Las Vegas, NV – After two days of Black hat I now see the relationship between that event and DefCon. Black hat seems to be the place where IT security vendors try to convince the world that they can protect the Internet, whereas DefCon attendees clearly — whether they say it or not — are well equipped to slash through everything being sold at Black hat. It seems like it would make more sense for DefCon to come first and Black hat to follow, that way media, analysts and enterprise buyers could first find out the latest looming threats on display at DefCon and then be well equipped to ask Black hat exhibitors if their products could withstand the attacks.

For those who could not attend this year, there has been a lot of great coverage emerging and a few interesting photos as well. My favorite, one I shot today of the Mohawk hair cutting station on the middle of the main pavilion:

Interesting thing about IT security, it really is a lot like what you see on TV. A lot of well-dressed suites and highly educated men and women on the sales, marketing and business side with crazed technophiles puttint it all together behind the scenes.

Anyway, lots of great stories and photos are coming out of the event. Check out all of the usual IT haunts for coverage. I plan to post a more comprehensive wrap up tomorrow. Hopefully with some video.

Trainer Communications’ PR and marketing professionals were, again, all over the RSA Conference, myself included. This year was especially exciting as the amount of client’s we were representing there increased 300 percent over 2009 and this year we conducted two surveys for our clients PacketMotion and Brocade and helped our client Secure Passage out with social media activities management and execution. In general, I’d estimate that Trainer’s increased RSAC presence and that of its clients is a great indication that, despite the slow pace of the improving economy, the IT security industry remains strong and continues to grow.

Angela Griffo’s crew did a bang-up job with the Brocade survey, I found some of the results to be especially interesting, especially the one on whom within enterprises security pros are the most concerned about spying on behalf of. I thought for sure that IT security folks would have a major concern that foreign government spies were after technological advancements, after all, the Constitution of the People’s Republic of China is riddled with amendments that almost say “economic advancement at all costs.” But not so, the vast majority of infosec pros surveyed, 41 percent, stated that they were more concerned that there might be internal spies working for competitors. Check out the conclusion:

A result that I found to be equally intriguing was the one that asked whether or not security policies were being enforced. Seventy percent of respondents said “yes,” but this made me wonder exactly how effective or comprehensive the “enforced” policies really are, especially in light of the use of social networks in the workplace and personal devices being used to access networks. If you check out this video we put together for PacketMotion, you’ll notice that eBay’s Information Security Chief of Staff points out that mobile devices are something everyone has and uses for work these days.

Click here to view the embedded video.

Back to the enforcement question, here’s the total results of the question:

I know I am behind a week on my “What is the Cloud? Film at 11 Post,” but that’s coming soon, I promise. Things are really picking up at Trainer and I have little to no time to blog lately, but I am starting to carve out room.

]]> http://www.securityheavy.com/2010/03/rsac-2010-survey-says-competitors-biggest-spy-threat/feed/ 0 http://www.securityheavy.com/2010/01/rsa-conference-2010-how-to-secure-news-coverage-for-your-it-security-clients/ http://www.securityheavy.com/2010/01/rsa-conference-2010-how-to-secure-news-coverage-for-your-it-security-clients/#comments Wed, 27 Jan 2010 23:51:32 +0000 Blogger in Chief http://www.securityheavy.com/?p=647 Posted by Joe Franscella — 1-27-2010:

RSA Conference 2010 is here, that’s especially true if you’re in PR and you have an information security client that’s contracted with you to raise awareness for them at the show among media and bloggers. If you’re representing McAfee, Symantec, Cisco, RSA (EMC’s security division) or another mega IT security powerhouse, stop reading — you should be able to attract big ink and electrons based on their size alone. These companies have so many thousands of international customers and so many people dependent on their latest versions that journalists and bloggers owe it their loyal readers to keep them informed on their latest moves.

If, however, like most of us, you have a smaller client with news that is worthy of coverage but not necessarily able to compete with the biggies, don’t despair, there’s ample opportunity to get your clients the coverage they deserve and need.

If you are representing one of the smaller players in the market, there are a few steps you can take to secure them coverage, when pitching for a briefing remember to:

• Develop a story around your clients’ news that relates to common trends that will rise out of the conference. Does your clients’ news fit in with the cloud, social networking, Web 2.0, application vulnerabilities, the next wave of viruses, Obama’s plans for cybersecurity, protection of digital healthcare records?
• Start reaching out for briefings now, you may not be able to get what you’d otherwise like to during the actual show, but you may be able to do a fair amount of phone briefings leading up to it, thus ensuring that your client is part of roundups and other show-related features that publish.
• Consider making your announcements a week before the show. Breaking news leading up to the conference provides press and bloggers with an opportunity to write about developments outside of those they need to cover at the show itself. Enabling them to provide a wider variety of news and information to their readers while at the same time alleviating pressure on them to have to try and cover everything the week of the show may be of help to them.
• “Cyberthreats,” “Cybersecurity,” “Cyber-this and Cyber-that.” Remember, telling a writer that you clients’ new version and its features responds to cyberthreats, is a little ambiguous at best. When talking to the media and bloggers, specify the threat it defends against, “My client’s new feature was used by company Such-and-Such to thwart Conflicker, here’s how …,” is valid information that the information security community can actually use to improve the security environment — news a blogger or journalist could actually attract readers with.
• Consider responding to the RSA blogs. Chances are journalists and bloggers covering the show will, at some point, review at least some of these and possibly formulate ideas — if you’re client is on the ball with being part of these then you just might earn them a little play.
• Know what the journalist or blogger you are reaching out to covers; understand their beats. I know, I know — this little bit of direction can be as ambiguous as my thoughts on the use of the term “Cyberthreats.” What I mean by this, is that you should know a few basics prior to your approach: 1.) do they cover product announcements? 2.) do the vast majority of their articles include customer interviews? 3.) are they primarily focused on keeping up with the latest threats? 4.) are they channel-focused or vendor-focused? 5.) do you see any direct or inferred theme or pattern in their last five to six published articles? 6.) Do they rely on hard facts and information that comes out of surveys and other studies? If you have answers to these questions, then you’ll know what to bring them.

Hopefully, these tidbits of information will help you secure some of the coverage you’re on the hook for. They’re by no means full proof but they are based on what I’ve learned through experience over the past few conferences. Watch for my soon-to-publish survey results of journalists’ and bloggers’ top peeves when it comes to pitching them for RSA briefings.

Posted by Joe Franscella – 12-28-09 –

The appointment of Howard Schmidt to the position of White House Cybersecurity Coordinator is further indication that President Obama’s administration acknowledges that effective cybersecurity can mean the difference between life and death. The administration should look at cybersecurity in this way, after all, cyberspace provides criminals and terrorists with a platform to launch attacks against the US that could have fatal results.

Appointment of an official to a new position is only a first step though, the question remains, “what will Schmidt do?”

It makes sense for Schmidt to engage with private business to address cybersecurity problems and to close security gaps — the White House may be responsible for defending the nation but private enterprise produces the technology that fuels and defends cyberspace.

Schmidt will undoubtedly seek counsel from established IT security vendors, vendors that will use these counsel opportunities to sell him on the importance of influencing congress to pass legislation calling for regulations that their solutions can provide compliance for. But, will these traditional vendors’ solutions be enough to close security gaps that could lead to fatal outcomes?

Any strategy that relies on technologies supplied by established, major enterprises as the sole means of ensuring security in cyberspace will fail. Evidence to this is clear, in the last year there have been dozens of reports and news headlines that have revealed cyberattacks that have resulted in compromises to top-secret defense initiatives, power grids and other critical systems. It’s safe to assume that most of those breaches took place on networks founded on established technologies.

To reduce risk, Schmidt is going to have to move beyond traditional Washington politics that drive public-private efforts. He is going to have to open Washington’s collective mind to listen to more than just the major enterprises that have lobby dollars available to shape thought on Capitol Hill, and he is going to have to reach out to innovative small companies and startups that have developed game-changing security technologies.

So, how should Schmidt engage startups and other small and innovative technology vendors that typically don’t have budgets for lobby efforts?

Some steps Washington could take to reach startups and small IT security vendors in the quest to reduce risk are:

1.    Establishment of federal grants for small vendors and startups to fund lobbying efforts
2.    Sponsoring a federal “Demo Day (or Week)” that provides small vendors and startups with funding to cover the costs associated with demoing their solutions on a DC stage
3.    Establishment of federal grants for small vendors and startups that could be used to fund marketing efforts focused on the federal government
4.    The formation of a federal VC banking system that provides taxpayers with equity stakes in IT security startups and small enterprises

When it comes to protecting the nation against cyberattack, foresight needs to be 20/20. It would benefit the nation to identify security technologies that reduce risk prior to a tragedy as opposed to after one. The only way to do this is to take steps that facilitate connections between the federal government and innovators that have the potential to change the game.

2010 is around the corner and it’s every account coordinators favorite time of year — Editorial Calendar time! For those of you out there in IT security PR, here is a QA with SC Magazine’s Editor-in-Chief Illena Armstrong that sheds some light on the SC Magazine ed cal process as what assets you need to bring to the table to get your clients considered for inclusion.

Q — How does SC Magazine decide which It security issues to focus on for the coming year?

A — Our editorial advisory board is absolutely crucial here. They’re quick to provide me with their insight on what they view as major trends, issues or worries that information security pros are facing in coming months. Also, of course, we have a long list of industry contacts with whom we speak regularly and there’s a wealth of information at our fingertips as we report for various news and features, hit industry events (or organize our own) and meet frequently with vendors or chief security officers.

Q — When you write a feature story driven off of an ed cal, are the resources typically supplied via PR reps or do you usually reach out on your own, is there a percentage breakdown, 2:1 for example?

A — Both. And, really, it just depends on the feature. Again, we have our own industry contacts to whom we turn. Also,  if a PR rep emails me in advance of my assigning stories to staff – providing compelling, timely information without too much vendor hype,  I’ll often encourage reporters to make contact. Especially helpful in such instances is the offering up of customers: I always want to see end-user perspectives in our content, so if vendors or service providers have thought leading information security professionals they can introduce us to then it’s a win-win.

Q — What’s the best thing PR reps can do to get their clients to be made part of stories?

A — Product/service proselytizing  gets you nowhere. Yes, we like to here about mergers and acquisitions, product releases, new hires and promotions, and other company news, but if you’re pitching us for a story or news item there has to be something substantitive there. We can see a plea for a veiled product pitch to make it into one of our stories a mile away. SC Magazine is all about objective, timely and thoroughly researched information. From our news and features to our product reviews and online/live events, we look to arm our readers — information security business leaders — with information they can use right after they leave our website, close the pages of the magazine or step away from one of our events.

Q — What’s the worst thing a PR rep can do to annoy you; ensure their clients won’t get included (Hopefully not ask for an interview for their blog J)?

A — If we feel you’re not a fit for a particular story or you’ve pitched us too late or we just have more information for a story than we can use, please don’t fret. We cover a huge, quickly changing market. Just because you play in one segment of it, doesn’t mean you automatically will be included in a piece covering it.  We covet helpful, knowledgeable industry contacts. There’s always another day, another story on which we can work together.

Q — It seems like a lot of security pubs and bloggers focus on security issues around social networks and Web 2.0 social apps, I don’t see an ed cal focused on this subject (am I missing it?). Is there a reason why SC isn’t devoting scheduled coverage to this phenomenon?

A — Nope. We’ll hit it, but probably in a cover story, which we do not cite in our annual ed cal in order to be as up to the minute as possible with these pieces. Too, we do allow for one-off features on hot topics that we may not have thought of six or even a two months in advance (that’s not the case with the topic you note in this instance, however, as we’ve covered this ad nauseam on our site and in our hardcopy). Too, as a quick reminder, the ed cal is subject to change – a disclaimer always worth pointing out.

Q — Typically, SC US doesn’t cover product announcements as “news,” are there ever any times when an announcement is news though, why?

A — It has to be big, industry-changing stuff. A few years ago when Vista hit, we not only covered it, we made it the subject of a cover story, speaking to one of the security gurus at Microsoft about it. There are occasions when product announcements also might reveal something about a market segment’s evolution. In those instances, you’ll see some news analysis about it or maybe read a commentary or opinion on the subject. And you shouldn’t forget our product reviews. These are the most comprehensive in the industry. Chances are that if the timing’s right, a review on a new product or new version of a product will be put through the paces for a spot in a Group Test.

Q — Is there any other question you would have liked for me to ask that I did not, if so what is it and what’s the response?

A — Maybe something about our events… We’ve got a lot (and I mean a lot) going on here. Our SC World Congress conference and expo had a stellar second year in NY this October, followed up by the launch of SC World Congress 24/7 – an always-on online environment that not only includes video, presentations and more information from the live event, but also sees the occurrence of a monthly online event and more insight than can be cited from exhibitors and other experts who are participating. Folks should check this out and, really, take a gander at all the stuff we’re doing by hitting www.scmagazineus.com.

Q — Anything you’d like to ad?

A — We’re always open to ideas. If they won’t work for us, we’ll tell you – trust me. Keep in mind that beyond features, news and product reviews, we do have space for contributors in the magazine and on our site. So, don’t hesitate to contact us and we will get back with you… might be after deadline, but we’ll get back to you.

Check back soon for some exclusive video footage of San Jose Mercury News’ Chris O’Brien and USA Today’s Byron Acohido on trends to watch for 2010.

Nobody loves to get angry at Microsoft Windows more than I. At least a few time a day, I am annoyed over bells and whistles that pop up unannounced and uninvited, ticked over apps that just decide to stop responding or swearing while trying to find emails I know I sent and received.

Every now and then, here and there, I see something of interest that catches my attention that I think is worth commenting on (Bill Gates, are you not honored that you’ve got my attention?). This morning, I was scanning eWeek and Don Reisinger’s slide show: 10 Windows Security 7 Features You Should Know About caught my attention, specifically the slides related to BitLocker. Having PR’d for encryption clients, I was intrigued by the fact that the BitLocker functionality seemed to render some of the solutions I’ve hawked mute. The only thing the show left me wondering was whether or not BitLocker and the other security features responded specifically to specific compliance regulations — PCI and HIPAA included. I emailed Don to see if he had any further information on the subject. Hopefully he’ll respond.

Other news items that caught me attention today:

M86 Buys Finjan in Web Security Play
By Brian Prince at eWeek: Fresh off the acquisition of Avinti, M86 Security announces the acquisition of Finjan. The deal, made for an undisclosed sum, brings Finjan’s enterprise-class solutions to the company.

LinkedIN With ‘Bill Gates’
Kelly Jackson Higgins at Dark Reading: Bill Gates invited me to join his LinkedIN network. OK, so it wasn’t really Bill Gates, but as far as my email system, spam filter, and email client were concerned, it’s perfectly normal for Gates to send me a LinkedIn invitation.

ArcSight adds unstructured log analysis with Logger 4
By Robert McMillan of IDG News Service: Logger now offers integrated structured and unstructured data analysis; designed to mine unstructured computer logfiles for signs of hacking or illegal activity.

Manhattan DA Announces Major ID Theft Indictment
By George Hulme of InformationWeek: What is particularly disturbing in this case is the length of time, from November 1, 2001 to April 30, 2009, that the crimes were allegedly underway — almost 8 years.

The other day I received an interesting email:

B a n k of America Notification [ ref id: 837644 ] Dear B a n k of America member , You have (1) new security message from B a n k of America SiteKey: – Please click on the link below and update your profile.

It was easy for me not to click on it, my every-day immersion in cyber security has taught me better, I’m not a BofA customer and even if I were I know they’d never send me this type of email.

The email got me thinking about a Vietnam War veteran I once knew. One day while listening to his stories of good and bad times he had in Southeast Asia, he shared one of his infantry training notebooks with me. Several pages were intriguing, especially those that diagrammed how to set booby traps using explosives. Based on what I read in his notebook, in Vietnam soldiers were taught to set chain-reaction style traps where each explosion forced the enemy into another explosion until finally everyone was drawn into an inescapable position and was either killed or severely injured. I’ve never clicked on a phishing email but from what I understand the intent is similar – the aggressor tries to draw the victim in deeper and deeper, to a point where there is no escape.

I never thought about how “criminals” aren’t the only ones that use cyber crime to set inescapable traps though, until I read Danny Sullivan’s rant about how a credit card company left him no other choice but to call it and how its agent then trapped him into an inescapable position where he had to hear a sales pitch.

Danny, it seems, had his credit card revoked due to a data breach at some merchant where he had used his card. When he called in to get the scoop, he was “offered” credit monitoring protection for a low, low price. I can understand his disdain -  no one wants to be lured into a trap. It’s especially un-palatable when you consider that the card company baited the trap with a data breach.

Posted by Joe Franscella

I’m not big on press releases or announcements that start off by stating “… is pleased to announce …” But, I gotta say that in this particular case I really am pleased to announce (on Security Heavy) Trainer TV, my firm’s video contribution to the IT, marketing and public relations spaces.

Trainer TV is Trainer VP Ross Perich’s long-developing idea in action. Ross has brought his experience and talent as a former TV reporter and AP award winner to the regular show that not only showcases what’s happening in IT, marketing and communications, but also Trainer’s prowess at producing video. I am proud to say that I am Ross’ right hand man in the endeavor, have the opportunity to do much of the shooting and editing and I get to apply my skill at chroma keying and inserting digital backgrounds (unlike agencies that outsource this level of technical production, Trainer does it all in-house).

The first two segments we’ve released feature insight from security executives  interviewed during the Executive Women’s Forum (EWF) party held during RSA Conference 2009. The one above is about what keeps security executives up at night and the one below is about threats execs are on the look out for. Both  include comments from the heads of security at enterprises including McCormick Spices and Braclays Bank. We have more IT security segments coming out over the next coupld of months.

Click here to view the embedded video.

Posted by Joe Franscella

A while back, I tweeted:

The more someone claims to be a social media expert the less of one they become.

The message’s implication was clear: so many people are claiming to be “social media experts” that deciding whom to engage to help you position your company and products on social media platforms is becoming increasingly difficult. The task can become so confusing that many people simply want to bury their heads in the sand and hope that the use of social media in business is just a passing fad.

One of the problems adding to the confusion is how “social media experts” are differentiating themselves. Often it’s done through blogs that espouse lists on the “Top 10 Do’s and Don’ts of Twitter.” Unfortunately, publishing such a list doesn’t make someone an expert. Too often those lists fail when Twitter founder @Jack and other participants with cult-level follower numbers continually defy them.

With that said, there are two questions for this discussion that I want you to consider. 1.) Is it important for IT security vendors to engage the market through social media platforms?  2.) If yes, how should vendors approach and manage activities on these new platforms?

To question 1, the answer is a resounding YES! But, I want to qualify the answer with why it is so important.  The age-old marketing practices of branding, messaging and positioning are among the most powerful reasons why vendors should. Branding, messaging and positioning are the cornerstones of any business (remember what Geoffrey Moore wrote in Crossing the Chasm: …the best technology doesn’t always win). There are millions of buyers, analysts and pundits gathering information via social media platforms and if you’re not monitoring and managing what’s being said about your company, then chances are someone else is.

Click on this link: http://search.twitter.com/, type in the name of your company, product or category and see what’s being discussed on this five million-user community. Any surprises? Is your company even represented, if so how? Is your company’s category waiting to be claimed or are competitors already dominating it? Remember, Twitter is only five million strong, just think of how many people might be discussing your company on Facebook, LinkedIn and other social media platforms.

Bottom line — regardless of venue, if you’re not thinking about this platform to extend the branding, messaging and positioning  of your company then someone else is. Do you need to participate? I think so.

With a YES to participation established, let’s move on to the next question: How should vendors approach and manage activities on these new venues?

Again, there are a lot of blog entries and strategy dos and don’ts being published and proselytized. However, the way for you a vendor to approach these venues is in the same way that it would approach any other communications channel: It only makes sense if your company is:

• Confident about what it is and the persona it portrays
• Clear about its products’ unique features and benefits provided
• Aware of which category it fits within
• Clear on how to communicate its value

So, how does a company get to the point of being ready? This type of preparedness within the IT security market develops only through the age-old marketing practices of branding, messaging and positioning, and only under the direction of a seasoned expert.

After your company knows what it is, what it offers and where it resides, then it is time to integrate the exciting world of social media into your overall marketing strategy, which should include both digital and traditional communications. Your company wouldn’t go after the New York Time’s twomillion subscribers without a strategy in place — don’t go after the millions using social media platforms without one either.

By now, you might be saying, “That’s all well said, Joe, but how do we choose a qualified marketing expert to help us put a strategy together?” Do your homework. Engage a firm that has a history of providing successful marketing programs for clients and review those successes against what your vision of success is.

If after all of this, you’re still not convinced that your company needs to engage a marketing strategist to be successful at social media, the only thing I can leave you with is a quote from world renowned oil well firefighter Red Adair:

If you think it’s expensive to hire a professional to do the job, wait until you hire an amateur.