May 01, 2012

Sympathy for the Devil: Public Relations Re-Examined

Sympathy for the Devil:  Public Relations Re-examined

AKA Carnival Barkers meet Infosec LARPers

Mood music...

Pleased to meet you
Hope you guess my name!
But what's puzzling you
Is the nature of my game...

I stuck around San Francisco
When I saw it was a time for a change
Bombed RSA with buzz words
Liquid Matrix screamed in vain

I paid the analysts
gave awards to finalists
When the FUD it raged
And my pitches main-staged

Pleased to meet you
Hope you guess my name, oh yeah
Ah, what's puzzling you
Is the nature of my game, oh yeah
(woo woo, woo woo)

I watched with horror
While your antivirus corps
Fought for three decades
For the gods they made
(woo woo, woo woo)

Just as every cop is a criminal
And all the sinners saints
As heads is tails
Just call me Lucifer
'Cause I'm in need of some restraint
(who who, who who)

So if you meet me
Have some courtesy
Have some sympathy and some taste
Use all your well-learned politesse
Or I'll lay your soul to waste...

Public relations types, they're not LITERALLY the devil, right? PR/Marketing/Sales is so maligned, hated, despised, ridiculed and loathed by many security professionals that the mere thought of those words brings to mind FUD, willful technical ignorance (if not maligned neglect) and just general ridiculosity of the third kind.

That said, I wanted to shed some light on these dark arts (...) in a series of blog posts, in order to understand how the sausage is made and find points in the security marketing/pr/sales kill chain where we can make any improvements.

We all use security products and services but can’t stand the whole song-and-dance, so let’s look behind the curtains and delve into the way this works from soup to nuts. (Does that sentence have three analogies or whatever-you-call-those-things?)

Rather than my usual, oh-so-satisfying approach of lambasting PR from my comfy chair, devoid of any context and meaning, this time I reached out to Jennifer Leggio, aka @mediaphyter, who has been involved in ‘the community’ for years. Jennifer also happens to be Vice President of Corporate Communications for Sourcefire (, @Sourcefire), so she has experience working with a 'legit' vendor that's been around for a while and isn't known for relying on FUD for 99% of its revenue stream. Sourcefire, as you may know, is a purveyor of fine squishy pink Snorty pigs and, of course, some cool network security products!

"ASTERISK": I've never had a business relationship with Sourcefire so no is the answer to your questions regarding pay-for-play on my blog).

Basically, PR is more than writing crappy press releases before RSA... PR is part of a larger process that involves product marketing, business development, reporting to Wall Street, signaling to the M&A market and other hidden forces.

Here’s what I learned in a bit of informal QnA:

Q. What’s a typical “day in the life” of a PR professional supporting a company like Sourcefire?

A. It depends on the day. As a PR professional, you need to be ready at a moment’s notice to flip between proactive and reactive modes. Some days we’re knee deep in content development for strategic campaigns, which could or could not include bugging reporters and analysts, and other days we’re mapping along to competitive or market movement. Flexibility is paramount.

Q. What are the top three misconceptions of PR in the practitioner community?

A.  Hmm, only three? OK, here goes...

1. All we care about is FUD (fear, uncertainty, doubt), or we create the FUD, or generally, we are only harbingers of FUD. That is lazy PR. The good ones are more proactive than reactive. The great ones help shape what the market is thinking about.
2. Not *every* PR person wants to put a researcher in an ironed button-down shirt and tie and give them a corporate pitch to deliver. Sometimes you don’t mold clay, you figure out how the clay unmolded (aka a gritty, brilliant researcher) is already a beautiful piece of art and work with it. Let us.
3. That one of us represents all of us. Some are more social. Some flit from conference to conference. Some you don’t even know, but they could be most talented because they are working rather than self-marketing. At the core of it, remember we are not identical creatures. It’s a wonderful thing.

Q. How can vendors make better use of l33t PR skillz?

A. I cannot say this enough. I’d type it in all caps if it wasn’t an Internet faux pas. Bottom line? PR needs to be part of your overall business strategy. Beyond PR, corporate communications from PR to social to analyst relations and, even in some cases, investor relations, can have a direct impact on your bottom line and financial perception. So stop treating PR as an afterthought, a noise creator, a buzz generator. Think smarter. If your PR agency or internal PR team is not helping sales sell, creating stories that field marketing can use to push deals into the pipe or sales can use to push deals through the pipe, then your PR team is not doing its job. Sometimes it’s because the right chips aren’t in place. Sometimes, it’s because they aren’t enabled to do so. Sometimes, the internal folks get it but they just have a bad network of agencies who think that the “cold calling buzz machine” and handshakes at conferences is all you need to drive business. However, if you let PR “in” and you have the right team in place, it’s pay dirt. I’m lucky that Sourcefire really gets this. Now, the pressure is on me and my team to perform. And I wouldn’t have it any other way.

Q. Let’s reverse-engineer a PR end-product, like a pre-RSA announcement of a product or service.  How does that work?  Starting with the announcement, walk it back to the source for us. Who’s involved, etc. 

A. Oh, this is a long one. Announcement planning generally starts months and months ahead of the news cycle. And, if you’re smart, you’re engaging with industry analysts according to roadmap schedules versus announcement schedules (because, of course, they are your allies for selling, strategy awareness, though a lot of people forget that). It’s complex. For fun, let’s say Company A is announcing Widget B at Security Conference Extraordinaire on January 1.

The internal PR team should have weeks ahead, if possible, notified all external agencies of the coming dates so that local plans driven by sales priorities could be developed. Internal PR then needs to conspire cross-functionally with product marketing, and together they must skip in lock-step with other teams for message and story development, content development, many other things that would bore the people reading this, and then they break off to focus on external communications, web development, collateral, field communications, channel communications, and so on.

Stuff (press releases, blog posts, pitches, social media plans of attack, etc.) is developed. Outreach to press usually begins 2-3 weeks ahead of launch, but for huge overcrowded or more bloated events, longer might be necessary (Note: there is a small but distinct window of opportunity between “too early” and “too late” on most influencer event calendars. If you know them, as you should, you know in your gut when this is). You book meetings. WIN! No? Yes, now you have to properly prepare all spokespeople, which for an event, is many. Briefing docs and research is conducted. Sometimes, regional spokesperson training. Preso development (though I do not believe in PPT for press meetings, but that’s another conversation...). For journos not attending the event, embargoed pre-briefings the week before. For the event folks, on-site “hell fire” coordination to ensure everyone is in the same place at the same time. After the event, you relax. No? No! Then you’re chasing them for coverage, trying to make them remember your story amid a bevy of crap (because, of course, *our* stuff is *never* crap).

Complete this sentence:  

PR is... an artform. Really. Stop laughing, technical folks. (Editor's note: I'm not laughing. I would be, except that I've consulted to a couple of niche security vendors and one of the hardest things I've ever done in 11 years of infosec consulting is write a not-horrible pre-RSA press release, announcing a partnership between my tiny client's startup security company and a major multi-billion dollar infosec gorilla... That's despite six years as a co-editor on the SANS Newsbites between 2002 and 2008. Doing this well is not easy...)

PR is not... merely cold calling influencers. More than ever, PR professionals must be business strategists who see the bigger picture, understand the map from air cover to the bottom line, and know how to build sustainable relationships beyond the low-hanging coverage fruit.  

PR does this right... So many variables. However, if you find the perfect mix of strong leadership, good spokespeople, great products, good external and internal PR teams, your achievement of desired results is endless.

PR needs to do this better... This is not a “what can you do for me?” field. Maybe it was, and quite honestly, maybe it is outside of enterprise tech. But, in computer security, if your only reason for reaching out to influencers to help your agenda and you never give back, prepare for failure.


I learned something new about PR today, how about you? 

I'd like to thank @mediaphyter and the Academy of Self-Promotion Pictures for the opportunity to give the true PR professionals a break and to help them help us... We can learn a lot from PR pros so I'll be bringing more PR, Marketing and Sales professionals to my tiny little soapbox on this corner of the internet, to rationalize away their horrible behavior better understand their role in the security ecosystem ;-)

We now return to our regularly scheduled infosec snark programming.