Lost in the Inbox: The Cybersecurity PR Epidemic Part 1

Kevin Kosh

In this two-part series of Cybersecurity (Marketing) Unplugged, Kevin discusses:

  • The role of PR and Communications in the cybersecurity industry amidst various marketing strategies;
  • Challenges in establishing meaningful connections with media outlets and the effectiveness of personalized approaches;
  • Strategies for ensuring PR outreach stands out, including staying up-to-date with current trends;
  • And much more!

Joining us today is Kevin Kosh, Senior Director of Communications at Bishop Fox. Kevin is a longtime veteran of the PR and Communications space with nearly 30 years of experience and expertise encompassing telecommunications networking hardware, software and services; enterprise software; application and network security; e-business and e-security consulting; and storage and enterprise network hardware and systems. Kevin has represented clients ranging from early-stage, venture-backed start-ups entering highly competitive markets and/or defining pioneering technologies within existing markets, to large, multinational, publicly traded organizations.

This two-part series dives into the issues within cybersecurity PR and Communications, focusing on the widespread use of ineffective mass email strategies by PR professionals. Throughout this discussion, we explore more effective approaches to PR, underscoring the importance of personalized outreach and a deep understanding of the cybersecurity landscape to make communications stand out.

Additionally, the conversation shifts to the tactics employed by PR and Communications professionals in the cybersecurity industry, questioning the efficacy of ‘ambulance chasing’ or mass outreach following incidents.

From a communication standpoint, you don't want to be one of those people that either spikes high and then disappears for months on end...because it's just a crowded and confusing marketplace. So I think at the highest level, investing in communications is important for consistency and impact of messaging.

Full Transcript

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Mike D’Agostino: [00:13] 

Welcome everyone to another episode of Cybersecurity Marketing Unplugged. I’m Mike D’Agostino, general manager with CyberTheory, and your host for today’s program. Thank you for joining us. Full disclosure: as the general manager for both CyberTheory and our parent company ISMG, and having been with the company for 18 years, I get a lot of emails, I mean a lot, not just to my own personal account, but I have the luxury of being copied on most of our generic email addresses, as well as many of our former employees. We manage 36 online media properties covering all aspects of cybersecurity and IT, and every one of those media properties has an editor at email address attached. So take those 36 generic editor email addresses combined with numerous accounts from former editors, and you start to get the idea of just how many emails I receive on a daily basis. And those are just the ones associated with our editors. As you can imagine those email accounts are inundated, perhaps ambushed is a better term, day in and out, with email after email after email from PR and communications firms and professionals pitching story ideas. I thought of doing a screen share and showing you my inbox full of these messages. But I don’t want to go down the path of exposing any particular company or person. So just trust me when I say that the current state of cybersecurity PR and communications practices is extremely poor and extremely ineffective. So what gives? Why do PR and communications professionals believe that mass non-personalized blanket outreach is an effective way to pitch story ideas? Is there a more effective way to pitch to publishers and media outlets? To help us unpack all of this, we have our esteemed guest joining us today, Kevin Kosh. Kevin is a longtime veteran of the PR and communication space having spent over 30 years in the industry with over 25 years covering cybersecurity. He’s currently the senior director of communications with Bishop Fox. 
Kevin, thank you for joining us, and welcome to the program.

Kevin Kosh: [02:43]

Thank you, Mike, I could feel the target right on my forehead.

Mike D’Agostino: [02:47]

Not you. I should have said a caveat. Not Kevin. That’s why he’s here, to help us get on the right path.

Kevin Kosh: [02:55]

I was young once, too.

Mike D’Agostino: [02:56]

Yeah, I’m sure. To kick things off, please fill in some of the details on yourself, your background, Bishop Fox and what you’re responsible for at the organization.

Kevin Kosh: [03:06]

As you said, 30 years in the agency business, a little bit over that if you count the Bishop Fox time and 25 in cybersecurity, so I am officially old, or as PR spin from a PR person I respect who’s much younger than me, she wants to introduce me as an elder statesman. If that’s not spin, I don’t know what is. To further carbon date myself, when I started PR, we had one CompuServe account for the agency, we faxed press releases, and most publications still had detailed editorial calendars, including covering products. So it’s been a while. I joined Bishop Fox about a year and a half ago. Like I said, after about 30 years of agency, they were a client when we were winding down our agency after 26 years. And they asked me to jump on board to manage internal and external communications. That is now what I do.

Mike D’Agostino: [04:04]

Perfect. Appreciate the background, I’m sure your expertise is going to come out in this conversation. I got a little note here for our listeners, it seems like we may have a potential special guest joining us in a few minutes. Anybody that’s listening, I encourage you to hang around. I think you’re going to enjoy our guests coming on. But first and foremost, let’s get to some questions for Kevin. First and foremost, this sounds like such a basic question, but in today’s marketing landscape of seemingly countless lead and demand generation tactics, events, social media, and myriad other exposure channels, where does PR and communications fit in and why should cybersecurity vendors invest in it?

Kevin Kosh: [04:59]

First and foremost, cybersecurity, probably more than many other technology industries, is so fast paced and so overloaded and oversaturated. From a communication standpoint, you don’t want to be one of those people that either spikes high or then disappears for months on end, or people don’t understand what you do, because it’s just a clouded and confusing marketplace. I think at the highest level, investing in comms is important for consistency and impact of messaging – make sure people see you frequently and understand what you do, because no one trusts advertising or some of the other marketing channels. I had a salesperson say to me recently, the salesperson doesn’t come in till the end now. Because you can search everything online, there’s so many resources you can use, and they don’t trust the ones that are paid in a lot of cases, or at least don’t put as much stock in them. From the standpoint of investing in an individual who does communications, that’s where you can get some confidence and focus in your communications, and some discipline in how you bring it out. They are also our relationship builder, and a facilitator with the media so that you can have a good relationship and ongoing relationship. I think media can be intimidating and unpredictable for people. I’ve had a lot of researchers who are just terrified because they’ll be misquoted or whatever. When I do media training, I like to tell people like kind of use a scuba diving comparison – you breathe every day, you don’t think about it, you just do it. But when you get underwater, and you learn about it, you have to think about your breathing and in certain contexts. But when you get certified, you learn the stuff that they explained to you about breathing is pretty easily understandable and it seems like common sense. I think this is one of those things, which is an internal comms person can help you think about your breathing, because you’re the expert.
They’re coming to you for your expertise, and you want to be able to communicate effectively, clearly and quickly. I’ve even done it, as recently here, as we were doing some internal evaluation at Bishop Fox. The three top-level things that I tell people are, in terms of expectation setting, are media prospective conversations need to be earned. They are not purchased or pushed. Coverages are never guaranteed. And relationships matter but more than the relationship matter, respecting that relationship, and its boundaries matter most. I think that’s important for comms people and people investing in comms understand.

Mike D’Agostino: [07:36]

That’s fantastic. You sound like a marketer. Don’t be surprised if we asked you to join one of our lead generation marketing and sales interplay discussions. That was a great background. I once heard marketing described as it’s not a pain pill, it’s a vitamin that you want to take every day that’s supposed to help you in the long term, not just when you have a problem. I heard some synergies there with your description of PR and communications. I understood that it’s something that organizations need to be practicing on an ongoing basis. But back to how I started the discussion which was around some of the more mass outreach, that sort of approach. Why do you think so many PR professionals resort to that kind of like mass email, inundate the inbox? Why do you think they think that that’s going to get publishers and media outlets to respond?

Kevin Kosh: [08:32]

When you and I started talking about this idea before, one of your questions you put forth me to think about was, what do you recommend? Before we get to the kind of what do you recommend or why it is, I think, at its core, there’s a couple of things. There is inexperience and a lack of confidence mixed with unrealistic expectations. You have a lot of young PR people that aren’t necessarily getting the guidance they need, and you’ve got a client that is so misaligned in their expectations of what they deserve, and are going to get that it’s a bit … toxic, maybe too strong a word. But I think what ends up happening is, teams don’t set the expectations with clients and clients have these lofty expectations of volume and visibility. Sometimes it’s such a young team that’s put on a client based on how much budget they’re paying. The team also isn’t confident enough to push back and say, this is why you’re not getting what you’re getting. So then what it also becomes is just this constant need to answer questions in terms of volume instead of quality, both in terms of content and coverage.

Mike D’Agostino: [09:49]

I’m smiling over here because it mirrors so many of the conversations we have with our marketing contacts when it comes to lead generation, that constant quantity versus quality, top of the funnel versus bottom of the funnel, sounds like the same interplay happens in the PR space. And you’re absolutely right. Sometimes it’s difficult when you have a client that has certain expectations, or maybe I should say the expectations have not been set in advance. Dealing with that can be an issue over time.

Kevin Kosh: [10:21]

I think you see a lot of firms also that are chasing stories, not placing stories. They’re taking a short term junk food approach of canned commentary versus strategic longer term conversations and story building. It becomes quantification desperation.

Mike D’Agostino: [10:40]

That’s right on, and the next talking point that we had mapped out here, I think you kind of mentioned it is the concept of forming connections and relationships. What are you seeing when it comes to whether now or throughout your career, some of the challenges that you faced in establishing those meaningful connections with media outlets, specifically in the cybersecurity domain?

Kevin Kosh: [11:10]

The common challenges that you face and I think a lot of PR people look at it from why am I not getting this or what does the client deserve versus I think, a little more introspection. The first and foremost, one of the biggest challenges of not getting coverages, I don’t have what they need. Journalists now have a much greater array of good sources and they know exactly what they need. The ability to just do the kind of general commentary, it’s table stakes, and it’s not what you go after. I don’t have what they need is first and foremost, another one goes back to what you said, first, it’s pitch burnout. They’re getting pitched by so many people all the time, at a certain point, they just give up the ghost on even responding to things. It is that journalist-expertise level, the fact that they’re locked in on some good long term sources, because when I go all the way back to when cybersecurity was covered by anybody from national security media, to general media, and there weren’t a lot of good sources. There’s such a wealth of sources out there that have specific, in-depth knowledge of actors and attacks that it’s much harder to break through if you don’t have someone that’s unnecessarily got that full level. I think the other thing is I’ve heard a lot of people compare sometimes PR to sales, in terms of trying to go through the process to land a story. But I think that’s a little dangerous, because this is not sales, because while everybody will tell you in sales, don’t take no for an answer, no, is a very acceptable answer. One you should be willing to take frequently. Like I said, it’s about respecting the boundaries. Sometimes you have to not pitch. If you know, it’s not going to work, or it’s not the right timing, that doesn’t mean you can’t find ways to interact and provide value, whether it’s heads up on stories, whether it’s connections to sources, whether it’s just helping people or setting up a lunch, those things work.
But I think it’s one of those things where if you’re constantly on the pitch treadmill, you’re going to exhaust everyone out.

Mike D’Agostino: [13:19]

No doubt. We’re not asking for any trade secrets, or anything along those lines. But you have a wealth of experience. I’m sure you have tons of examples. But can you talk about like, how do you ensure that your outreach stands out and resonates with publishers just given the influx of PR pitches that they receive every day?

Kevin Kosh: [13:47]

I can give you some specific examples of things we’ve used that some of your journalists you work with, will be able to remember and relate to. I think it’s so funny, because I’ve been in the industry so long that when social media came out, and there were some New York Times best sellers and I’m making air quotes now about how suddenly relationships were all the rage in social media. That’s untrue. PR was always about relationships, and building those relationships. And I think there was a timeframe, though, that automation and tools, overwhelmed and people started getting lazy. Ultimately, even in the broadest outreach I’ve ever done, personalization is key. Sometimes also, that means not jumping in with the crowd. I’ve had plenty of journalists who were like, I just got inundated about these pitches about this newest attack. I noticed I never got an email from you, Kevin. My answer is yeah, because I didn’t have what you needed. I keep going back to that is it sometimes don’t pitch but I think some of the things that I’ve done like, for example, around RSA and Black Hat, we were a 10 person agency, we had sometimes as many as 10 security clients. But instead of like 10, five to 10 different people pitching the same journalists, I used to pull everybody in a conference room and say, we’re all one team right now, we’re all the team for all the clients, and we’d sit in a room and go through a list of about 200 reporters we wanted to contact, and we’d say, here’s the list of our clients, here’s the this specific person would be interested in, here’s the ones I don’t. So then it would be one person, one reporter, and you’d given the menu of clients that we thought they’d be interested in the justification for why we thought they’d be interested in and you’d go that and manage that through their entire scheduling process.
So whether we were pitching them all 10, or we’re pitching them two, there was a lot of journalists that respected the fact that we weren’t having eight people from the agency all sending them different emails that they had to respond to. That’s one way where it’s personalizing it. The other way I’ve done it a lot is don’t always go in and set the expectation that you can offer value. Very early on, there was a lot of journalists that I’d give them the heads up on breaches that were coming, but I’d never go in with a hard pitch because I didn’t know if my folks were available or if they had what they needed. But the journalists still needed to know about it because that’s core to what they’re doing. Just helping in that way as a way to reach out. If they said, hey, can you help me with it? I’d say, sure. Let me see what I got. I’ll get back to you as quickly as I can on that front.

Mike D’Agostino: [16:32]

Yeah, and I think the one thing that’s definitely resonating with me is the one to one outreach. It’s not done in a mass manner. You mentioned some of the tools that I suppose can be useful if you’re doing a mass, blast outreach, and covering as many media outlets as possible, but definitely going to lead to more fruitful conversations and engagements when someone can put a face to a name, so to speak, and they know personally, that it’s a real person on the other end reaching out to them as opposed to some marketing automation program. You kind of touched on it. I have a question here about staying up to date with the trends and topics in cybersecurity, to ensure your communications are timely. But I think ultimately, what we’re trying to get at is that interplay, because cybersecurity is somewhat unique in that much of the news is driven by bad news, bad news, being breaches or some other type of security incident. That’s when all the experts come out and all the vendors jump in, because they have solutions that can help with all of these issues. How do you deal with that interplay of like, current events and breaches and sort of staying at the forefront when media outlets are looking for that insight?

Kevin Kosh: [17:57]

There’s a couple of questions in there. First off, understanding of ecosystem is huge. And I’ve spent 30 years representing clients in every aspect of the ecosystem, from endpoint to services to networks. Understanding the ecosystem, the context, and the history is massive, and PR people need to be a little bit of a student of the industry. It should be reading, asking questions and understanding more than they need to so that they can justify why they’re making a pitch and adjust on the fly. Because the one thing that reporters hate is, so can you answer these questions for me? And oh, I’ve now got to go back, and now there’s a couple hours lag until I can answer those questions. In terms of kind of staying timely and relevant on it, just read. I get up at four o’clock in the morning, and I read a range of business press publications, trade press publications, and others. I have far too many Google Alerts and RSS feeds that I am constantly checking, I may only skim them. But I’ve gotten myself conditioned to the point where things can jump out, like news to co-opt, external data in context to integrate hot buttons to press, land mines to avoid. This includes social media, where there may be a journal, that journalist that’s presenting about PR people at the moment, you should probably lay off them at that point. I think those are kind of some of the things and I think what you try to do is when we approach publishers or journalists, I do. I take great care in explaining why I’m reaching out, why I think it’s interesting, and even if I need to acknowledge aspects of what I have that may not normally make the grade, but I’ve got a reason why I’m reaching out, and then also being able to anticipate what questions are going to come back from a reporter and either answering them as part of the initial pitch or having them at the ready, because honestly, my rule of thumb is you kind of need to expect to land a pitch in one or two emails maximum, maximum or bail.

Mike D’Agostino: [19:59]

Yeah, that’s right on the mark. We have done a study, looking at content consumption across the websites of our parent company, ISMG mentioned, we have about 36 websites that we maintain. And we looked at the spike in traffic around stories that related to current happenings, data breaches, and basically current events. The spike can be quite severe in terms of how little time people keep engaging with content around those incidents. So our recommendation, it behooves you to have things on the ready. Don’t be in such a reactive manner, be in a proactive manner. You know these breaches are going to occur, if you can, in advance, align – if you’re a vendor – your solution or product with whether it’s an endpoint breach or a cloud breach, whatever it might be, you’re going to be in a much better position to get your messaging out in a timely manner.

Kevin Kosh: [21:06]

I think there’s kind of the 80-20 rule, you have 80% of what you could talk about ready, and then 20%, that gets specific to the situation at hand. But I think pick your spots, pitch, and then take time to rest, give the reporter a break, because you could pitch every story in common but at a certain point, you’re going to become white noise. If you think you can comment on one, but you don’t have all the pieces, maybe don’t go to that one, because there’s going to be one where you’re going to have everything you need for it. Sometimes you have to have that intestinal fortitude to say, no, we shouldn’t be chasing this one because it’s not on the mark, because the mark will come up.

Mike D’Agostino: [21:50]

Absolutely. You had mentioned earlier about some of the tools that were used, perhaps, ineffectively or overused. But that being said, are there any tools or platforms that you find particularly useful?

Kevin Kosh: [22:16]

I have always been a believer that while there are a lot of rote skills and things that can be taught in PR, PR is a personality trait, not necessarily a learned or taught skill. The primary tool that I think the tools that people should lean on are your brain, your eyes and your instincts. Because the other thing we talked about in personalization is your creativity and trying to find different angles and wrinkles, and even your personality and making it a little bit fun and sarcastic or whatever. This is a relationship business, not a transactional one. Over dependence on tools can be deadly. That’s where it becomes an issue in pitches becoming too commoditized, values minimized and ultimately annoying press contacts. Tools are for support, to help you find things. But the other thing and I’ve looked at a lot of tools, so few tools are industry specific, that at best they’re a filter for you. If you start leaning on them with now the new AI functionality, or the mass emailing functionality, which I will not touch. That’s where I think you start to get into a danger zone when you become dependent on those versus dependent on who you are as a person and what you’ve read and what you know, and who you know.

Mike D’Agostino: [23:42]

I couldn’t agree more. I’m a champion of especially when it comes to sales outreach, not using lots of mass communication tools. I’m a big believer in one-to-one Outlook to email outreach or LinkedIn outreach. That is the most effective way to personalize and sort of make that one-to-one connection with someone. There’s no replacement for it.

Kevin Kosh: [24:07]

If I can offer just one more thing. It’s interesting, like PR firms used to do these roundtables with reporters, so the PR people could hear direct from them. Most of the time, it was a venting session of reporters saying, I get so much junk that isn’t related to what I work on and pitch me, and read what I write. But there was one reporter, old-school reporter from the Wall Street Journal who I loved very much, he was a great, great guy. He said something so insightful to me, and this was very early in my career. He said, neither of us make anything, we write about and talk about what other people make. So the more that we can do to help each other get it right, it benefits us both.

Mike D’Agostino: [24:58]

Great comment there. We have a very special guest coming on, very poignant, and this person would be Mat Schwartz.