Lost in the Inbox: The Cybersecurity PR Epidemic Part 2


In this two-part series of Cybersecurity (Marketing) Unplugged, Kevin and Mat discuss:

  • The role of PR and Communications in the cybersecurity industry amidst various marketing strategies;
  • Challenges in establishing meaningful connections with media outlets and the effectiveness of personalized approaches;
  • Strategies for ensuring PR outreach stands out, including staying up-to-date with current trends;
  • And much more!

Joining us today is Kevin Kosh, Senior Director of Communications at Bishop Fox. Kevin is a longtime veteran of the PR and Communications space with nearly 30 years of experience, with expertise encompassing telecommunications networking hardware, software and services; enterprise software; application and network security; e-business and e-security consulting; and storage and enterprise network hardware and systems. Kevin has represented clients ranging from early-stage, venture-backed start-ups entering highly competitive markets and/or defining pioneering technologies within existing markets, to large, multinational, publicly traded organizations.

Additionally, in Part 2 we bring in special guest Mathew Schwartz, Executive Editor at Information Security Media Group. Mathew is an award-winning reporter with 20 years of experience in detailing numerous emerging technology and business trends, focusing especially on cybersecurity. For ISMG, he regularly reports on security trends, often touching on data breaches, crime, privacy, and more.

This two-part series dives into the issue within cybersecurity PR and Communications, focusing on the widespread use of ineffective mass email strategies by PR professionals. Throughout this discussion, we explore more effective approaches to PR, underscoring the importance of personalized outreach and a deep understanding of the cybersecurity landscape to make communications stand out.

"When I have somebody coming at me, where there is a new or breaking story, or where there's a new or interesting trend, who has somebody who can, I don't wouldn't say not wasting my time, but who if I sit down with them for 15 or 20 or 30 minutes, it's one of those interviews where you're not just getting answers to these questions about our breaking news story or if it's more of an analytical trend piece, interesting insights into what that trend might be. But probably you're coming away with ideas for another two or three stories. That's a real secret sauce," says Mathew Schwartz.

Full Transcript

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Mike D’Agostino: [00:13] 

We have a very special guest coming up; very poignant. This person would be Mathew Schwartz. Welcome to the interview, Mat, how are you doing?

Mathew Schwartz: [00:38]

Thank you.

Mike D’Agostino: [00:42]

You do understand you are the man of the hour here. I think every PR and communications person in the cybersecurity industry is hanging by a thread to hear you and understand how they can get their pitch in front of you. There is a decent amount of truth to what I said. We are aiming to educate cybersecurity PR and communications professionals on best practices for approaching publishers such as yourself and media outlets to do just that – pitch their stories effectively. I know you’ve been working with Kevin for a number of years now, he obviously must have done something right. If you could please just give us a quick background on yourself, what you do at ISMG, and a bit about what led to the relationship between you and Kevin.

Mathew Schwartz: [01:39]

Sure. I’ve been in cybersecurity not quite as long as Kevin. I defer to his senior statesman expertise, and especially when it comes to PR stuff, because I’ve got no real direct understanding, maybe a second order understanding, but we can get into that in a minute. I’ve been a cybersecurity reporter since the year 2000, give or take, in a lot of different outlets. It used to be print. Now it’s pretty much online. Been with ISMG here for about 10 years, I tend to write one to two stories a week. Occasionally, I’m doing video interviews, sometimes audio interviews. Like Kevin, I wake up very early in the morning, and scan everything that has happened overnight, which is one of the reasons I love being a reporter covering cybersecurity because it is changing so quickly. Getting insight into how and why it’s changing is one of the best parts of the job, I think. That was a great example you shared, Kevin, about the Wall Street Journal reporter saying: we help each other, we’re not making things. I forget the exact words; we’re writing about things, we’re analyzing things, anything we can do to help each other, that relationship building is not only helpful from a job standpoint, but just from like a good for the soul type standpoint, people who have an interest in these similar sorts of topics, and analyzing them in new and insightful ways. That is fun. That energizes me every day. So that’s definitely something that I would laud for anybody who’s attempting to work with me on a story.

Mike D’Agostino: [02:13]

That’s great. We’ve got a few poignant questions for you along those lines. Kevin, please jump in here for commentary. We want you guys to play off each other here. Mat, you’ve heard some of the conversation thus far. I’m sure your inbox and potentially your LinkedIn is inundated with PR pitches every day, if you do respond to any of them, what gets you to react?

Mathew Schwartz: [03:56]

That’s a good question. I’m not sure that it’s always conscious. I think there might be some subconscious reaction. Maybe people like having a programmed me, and I don’t even realize it. But I do think what Kevin was saying about building relationships, having people coming at me who understand the ecosystem, the context, the history is useful. One of the big questions I’ve always had, and maybe Kevin can answer this is the extent to which there are resources at the organizations that you’re working with – experts or people with a real analytical bent, they are worth gold, as far as I’m concerned. I have developed a network of people, some of them through you, Kevin, or through your previous employees, who are standout analytical experts in the field. When I have somebody coming at me, where there is a new or breaking story, or where there’s a new or interesting trend, who has somebody who can, I don’t wouldn’t say not wasting my time, but who if I sit down with them for 15 or 20 or 30 minutes, it’s one of those interviews where you’re not just getting answers to these questions about our breaking news story or if it’s more of an analytical trend piece, interesting insights into what that trend might be. But probably you’re coming away with ideas for another two or three stories. That’s a real secret sauce. I don’t know if that is a personality thing, like Kevin was saying, where sometimes you end up working with security firms, or whoever, who have these researchers, or who have these titans of analytical ability, if you will, that you can bring together with journalists like myself? That’s an open question. I’ve always had that.

Kevin Kosh: [05:44]

Yeah, there’s kind of two sides to that one. There’s the people that are analytical inside your clients or inside the company that are smart people. I’ve had many of the VP of sales who thought they were able to comment to the press, and I politely told them that I needed somebody else. But finding those people, whether they’re in your clients, or your company, or just friends to the industry that can make those connections, I think is important. And you’re right, Mat, I think if you can set it up as a meeting where two or three stories can come out of it, I think if there isn’t somebody that at least has that mindset, and does those things of being a student of the industry, even if you’re not an expert at an agency, then I think the agency and the leadership isn’t doing their job. I think you need to be bringing the PR people because they need to be somewhat self-sufficient. They’re not going to go rogue. But at the same time, they need to be able to talk to you at a level to tell to explain why it’s interesting, and what they can bring to the table, and then bring the people to the table and answer questions upfront to make it as efficient as possible. So I think you need those clients and those consiglieri that can then you can connect with you. But then you also need the right leadership. If you’re in an agency or others where you’re an advisor to your up and comers and Mat, you’ve had many a PR contact. They can change like, very frequently. So it’s one of those things where I think you need an analytical mindset, both as a PR person and you need to find the experts with that mindset, and that expertise that you can augment.

Mathew Schwartz: [07:32]

Some of the best material I think comes from organizations that have those people internally, even if they’re more junior, giving them the time and the space to produce research, or to do something that gets their thoughts and insights out. I love going to the website of a company, and they have a blog. It has something interesting. If I’m looking for analysis, maybe I can mine that for future stories. If I’m chasing a breaking news story, and they have someone very articulate on this subject, I can say I want to speak with him or her because they’ve already demonstrated their capabilities. Linking me up with that through PR pitches is also great when they can do it. I feel like there is this talent development that organizations must be doing. Some of the big cybersecurity firms, you see this, if you’re going to Black Hat you go to RSA, their internal people are presenting interesting cutting-edge research. Someone’s giving them the time, the funding, the whatever, to do that as part of their, I presume, day job. So that I think is a wonderful link because they are – not to use the cliché – but they’re pushing the envelope. They are at the forefront of what’s happening. Even if it isn’t a breaking news story, they are maybe looking at cybercrime in this region, or that region, this kind of malware, this evolution in ransomware, all of which can produce lots of interesting, creative ideas for potential stories to follow.

Kevin Kosh: [09:01]

I think it’s something you and I, Mat, who worked on multiple times is again, it is that relationship, which means if I’m an agency person, or even an internal person, the person that you need to talk to may not be a person that is paying my check, or whatever. The amount of times I’ve connected you to former clients, other clients. My circle of older agency friends, we used to help reporters out collectively and pass business back and forth. So it’s even relationships among sources and PR people and others that make that kind of community approach much more effective and make everybody better.

Mike D’Agostino: [09:48]

Absolutely. There’s probably a handful, at least of cybersecurity companies we could rattle off that have those sort of intelligence and analyst, almost like sub firms built into their companies. They just offer a variety and wealth of interesting insights that can be used at any time. If I’m reading between the lines here, I think you guys are saying that the blanket, quote from the CEO is not necessarily the most effective way to pitch notice. I think it’s worth stating, especially we’re talking about relationships, and I think the cat might be out of the bag here, when I first broached this topic, I went to Mat first, being one of our in-house editors and told him about the agenda for this particular interview. He’s the one that came back and recommended Kevin. I’m glad that he did. So there’s some kind of relationship there. Maybe, Kevin, from your point of view, how did you first initiate that relationship with Mat, what led to all of this, if you remember?

Kevin Kosh: [10:55]

I don’t remember much these days, I think my father refers to it as the full bookshelf syndrome, which is as you start putting new books, the old ones are falling off the shelf on the other side. I think, my relationship with Mat, I think started like my relationship with a lot of reporters, which is meeting him at events, giving him the heads up on things, talking to him on stories. It helped for me to have multiple clients and from an agency standpoint, because I got to kind of mix and match and have that level of expertise. But it was just this long, slow, breaking him down to the point where he just acknowledged me on a regular basis. I provided enough value that I haven’t been banished yet.

Mike D’Agostino: [11:48]

I think it just emphasizes the need for that one-to-one outreach, and the fact that the mass email approach is just not effective at creating that emotional connection. Mat, all jokes aside, you’re the executive editor of a very prestigious publication brand. You get these emails day in and day out. We understand that forming a relationship is the best path to an effective communication strategy. But can you think of any emails that you’ve gotten, like, when an incident occurs, a breach happens, and everybody wants to get their quotes out there, etc., when email or LinkedIn is one of the main channels of communication? Is there anything that stands out to you when you get these emails or pitches that makes you want to react?

Mathew Schwartz: [13:00]

That’s a great question. I guess there’s not a single answer. What Kevin was talking about, what we’ve been talking about – the building relationship aspect of it, there are people who know what I like, who have taken the time to keep an eye on my stories. It’s very interesting. I think it’s very easy to understand what I’m interested in. There’s a lot of, like Kevin was saying, table stakes type stuff where you don’t necessarily need this general commentary. I’ve been covering the field for so long that I think my journalism has probably got more analysis than it used to, just because they don’t need some talking head to say, oh, data breaches are bad; they’re increasing this year, or we’re seeing lots of threats emanating from Russia. We’ve been saying that for 10 or 15, or whatever years. I don’t want to repeat all that. I want something that’s going to give readers a new perspective on something. It’s tricky. What is that secret sauce? Again, with the research, if there is interesting research or thinkers, I had a great pitch recently on the White House’s new DARPA strategy for finding ways that AI can be used for defense. This firm said, we have a consultant who’s written a blog on this. I said, that blog looks great. I see you have a chief scientist who’s written an entire research report on this. I said, yeah, we have him too. There’s that little bit of back and forth, again, with organizations that seem to have this kind of talent in house, they can maybe bring that to bear in pitches. I do throw back a lot of pitches. I don’t necessarily delete everything, but I have to delete a lot more without responding these days, or at certain times of the year, because there’s just so much of it. But when possible, I do have a little – not auto response – but thing that I can cut and paste that said, look, I’m not interested, here are the reasons but here are some other things I would be interested in general.
If you have this, please come back to me, I’m always willing to hear good ideas, I’m not going to dismiss that or react negatively, or, I used to have an editor who would slam the phone down to the desk, when he got a bad PR call before he hung up. I don’t do any of that stuff. But like we’ve been talking about, if you can work with me a little bit to understand what I’m looking for, I guess, to feed that back to your client as well and say, look, can you give this to me? I am always receptive.

Kevin Kosh: [15:30]

I think you are exactly the type of person we love working with, Mat. I think there’s two sides of this. There’s one respecting to Mat’s point – what he’s going to be interested in and the time crunch he is under. For me, a pitch, you score on the old barber shops and they have all the different haircuts you can get. There’s only one in the media barbershop – it is high and tight, which is your email has a clear, justified, defensible call to action, why it’s a need to have not a nice to have, what are the deal closing details, have them in there. And then understanding and respect for what is needed and what isn’t, don’t pontificate and go on for paragraphs upon paragraphs to show him how smart you are. Give him what he wants, in the timeframe he wants it. I think the other side of that, to Mat’s point is, he’s even with the bruises and bumps he takes in his inbox, he’s still open to it. I think that’s one thing that I kind of slammed on agencies for not doing enough to bring their people along. But I think on the other side, as much as it’s not an excuse for the behavior, I think you’d ask some media people to be kind, because I think there’s a lot of PR people, especially younger PR people that are doing it, even if it’s against their best instincts, because of like I talked about those weird misaligned expectations from clients, or lack of support in their agency. If Mat has that cut and paste that can help people say, okay, I can tell my client, this is why it didn’t work, now I have something to go back to them with. I think that’s helpful, too. I think it’s respect on both sides of that equation, ultimately.

Mike D’Agostino: [17:14]

Absolutely. Great advice. We’ve kind of covered it to a certain degree, but we’re talking specifically about – I hate to use the term ambulance chasing – but that’s kind of what it is when an incident occurs. Then all of a sudden, I see it. I know, before the incident is even announced because I’ll get 35 emails from different PR firms about it, offering quotes, but, maybe talk about that, because that’s a big part of PR and communications, especially in the cybersecurity space is being reactive to some of these incidents and trying to get their analysts or CEOs or whatever it might be injected into write ups. I know, we’ve covered it to a certain degree, but maybe wrap it up and talk about when that happens, when there is a security incident, timing is of the essence. What’s effective in getting your attention from you, Mat, and then from you, Kevin, where you had success in pitching stories when incidents occur?

Mathew Schwartz: [18:28]

I think for me, one of the big things to remember is I might file a breaking news story on something, before I’ve even gotten a PR pitch, especially being based in the U.K., and a lot of PR people being based in the states and me moving quickly. It’s important for me to get something up as fast as possible. But I will often do a fast follow or a more analytical second day, which might even be just an afternoon, but in the trade, a second day follow, where I look to experts and try to dig in a bit more. There have been some stories such as the Bangladesh Bank attack, or the North Korean attack on Sony over the little film that Kim Jong Un didn’t like, or more recently, SolarWinds. Stories like that, where I might be doing 5-10-20-30 stories on it, so if you can come in with expertise or analysis, that isn’t just some talking head, talking about how bad things are, but you’ve got an angle, there’s something interesting, you bring in something new or different. Truly, then that is, I think, a great time to say, look, there’s been this event, I have this person who knows about this thing. They could probably tell you about this, this and this. Are you interested? Like Kevin said, you get in, you get out and I can say yes, maybe or no thank you, or can he talk to me or she talk to me in the next half hour? You don’t know if it’s going to be a hit or not. But I like to think that as I develop relationships and vice versa with PR people, they get a better sense for when I’m going to say yes.

Kevin Kosh: [20:16]

Absolutely, I think from a PR perspective, as I talked about a long time ago, general commentary was all you could get because scenario-based commentary, there weren’t enough people out there with evidence and data that could do it. That’s long gone. So I think the first step is having the strength to say no, if I took your statement, and I took the breach of the day words out of there, could that statement be applied to any breach or any story? If that’s the case, no, don’t do it. Because here’s the other thing that I think that people can go back to is, that’s not just angering a reporter, that’s damaging your brand. That’s damaging your credibility. Not only that reporter but others, even if you get quoted and you’ve said something so bland and pabulum, people are going to look at that and go, I don’t want that guy in my story. But if you can react fast, and I used to do it and still do it, sometimes where I’ve given Mat the heads up on stuff that he hadn’t seen yet, without creating an expectation, but then I’ve already gotten Mat say, do you have anybody can comment, then I can figure it out that buys you a little time. The other thing is, and this plays into earlier statements I made. Number one, if you understand the marketplace, and you’re following it, and you’re reading it, and you understand the history, can you connect the dots. This is like X, this is like Y, we had previous research or previous blogs on this, or you can connect it to another case like that. That’s one way that you can do it, where if you’ve got to your point that kind of 80% ready of I’ve seen this before, here’s where it typically goes – we do that. Or the other thing is, if you know you’ve got someone who can speak on it specifically. The one thing that we say and thankfully our organization looks at it the same this way is we don’t want to go in and just echo what other people are saying, can we advance the narrative?
Or can we add insight and add value, if you can’t do those things, you shouldn’t be going after it. But if you have someone whose insights could be helpful, sometimes if you don’t have the exact stuff, you can say, hey, so and so this lead researcher is available. He’s had expertise in this area of malware or in this area of attack. I’ll put them out there and just make it a quick statement that says if you need somebody give us a call.

Mike D’Agostino: [22:49]

Kevin, and Mat, this has been a great conversation. I’ve enjoyed it. Hopefully our listeners have enjoyed it as well. I think we’ve sort of scratched the surface on what we set out to do, which is to educate cybersecurity PR and communications professionals on efficient ways to properly pitch their stories. I know for me, I’ve been educated. My main takeaway from all of this is that everything is so much more efficient and easier when you already have that relationship in place. You know each other, you’re able to sort of pick up the phone or send a quick email, and you’re already on talking basis. That’s the best position you can be both from a communications professional who’s looking to pitch their stories and get into certain publications, and also as an editor who’s looking for potential support when crafting those stories. I think relationship building is one of the key takeaways for me. Once again, I’m Mike D’Agostino, your host for Cybersecurity Marketing Unplugged. Thanks for listening and happy pitching.