
My name is Tim Wilson. I'm the editor of Dark Reading. I'm here with Michelle Schafer; she's the vice president for the security practice at Merritt Group, and we're going to talk a little bit today about how the news gets made in security, how that impacts your priorities, how it maps to your priorities as security professionals, and basically to give you a real good, solid grain of salt to take the news with, and to use when you talk to CEOs and everybody who goes crazy when they see a story appear and they think that you should be doing something about it. Let me start by telling you a little bit about my background, and let Michelle tell you a little bit about what she does. I'm one of the founding editors of Dark Reading, which hopefully you guys know. We are a news organization, part of the InformationWeek network, so I work with a lot of other publications like Network Computing. I've been a consultant, but I've been mostly a journalist for most of my career, doing IT journalism. Michelle, you want to talk a little bit, just so they know who we are?

Yes, so why are we here and why are we qualified to talk about this? I'm Michelle Schafer. I'm the VP of the security practice at Merritt Group. We're a boutique-sized PR firm down the street in Tysons Corner. I've been doing cybersecurity PR now for coming up on 11 years, and I run a team of about six people, and every day we are working with cybersecurity clients to figure out what news is going to be big every day, what news our clients need to comment on, what stories they need to be part of and what stories they don't need to be part of. So the perspective that I bring today is just that I'm working with folks like Tim every day. I work with his staff on news stories that break, and the climate that we've seen just over the past, I don't know, two, three years is immense. We can't even figure out every day, given all the breaches, all the malware, everything that's in the news, what's important. So that's our job as PR and media folks, to figure out what are the big stories and what needs to be covered. So we're going to talk a bit today about how that all comes together and how what you read is important to your day-to-day jobs.

And that's the big problem, isn't it, right now? When we started Dark Reading, I don't know, we might have had one really big breach story a week, something like that. Now it's more like two or three a day. It's JPMorgan, it's Target, it's Dairy Queen, it's whatever the breach of the day is. And then of course some of you guys are security researchers, so you're sending me emails saying, discovered this, or I'm getting a release from a company saying they've discovered something new, a new SSL vulnerability. So my guess is that you're wrestling with a lot of the same problems I am, which is that we're being inundated now with news, with information about vulnerabilities, breaches, things that are happening, and the hard part is figuring out what are you going to do about it, and do you even need to do anything about it in your organization. I'm going to talk a little bit about that today. Up here I'm giving an example. It's very interesting as a reporter to look at these things and see how they evolve across the media. Now, Target: we talk about it all the time. Every presentation you see has Target in it. It's held up as an example of things that can go wrong. It's a breach that everybody talks about. Now, what's interesting is, if you look at the eBay breach, numbers-wise the eBay breach was bigger. Adobe was bigger. Why aren't we talking about those things? Some of it has to do with the way they were attacked, some of it has to do with how critical it was interpreted as being, and some of it just has to do flat with the fact that some companies have better PR than others. And that's the part that I want to talk to you a little bit about: give you a little sort of back-room view of how the media works, so that when people start bringing up to you that the New York Times covered this and you need to do something about it, you'll have some ammunition to say, well, maybe the New York Times doesn't know as much as we do, or maybe the New York Times' audience is a little bit different than our business. And so, give you a sense for how to talk to your folks about all of these news stories. But interesting, again, to see that some stories get a lot of coverage and some stories don't get nearly as much.

So let's talk a little bit about who cybersecurity journalists are. A lot of us are reporters. We grew up in the journalism space. I don't have a computer science background. I'm not a hacker. I've been at this for, I don't know, 20 years now, so I'm not stupid about it, but I'm not anywhere near what you guys are in terms of understanding the technical details. But I do have access to a lot of people. I get pitched from all over the place. I get conversations from security researchers, I get vendors, I get even the hackers themselves sometimes, who will come to us because we're a big vehicle, we're a place that a lot of security professionals read, and they want to reach that audience. So I get a lot of stuff. So most of these reporters are wrestling with how to decide what they're going to write that day. We can't write everything. So how do they make the decision on what they're going to write about? Why is it that Target gets in the New York Times and some of these other breaches don't? The fact is, media is a business, right? It's driven by advertising. There are vendors behind it, there are analysts behind it, there are people who have a dog in the fight, and there's a basic need for media to drive traffic. The more times you click on my stories, the better I look to my bosses. And so a lot of reporters will sensationalize the news. They'll make more out of it than there really is. They'll make a headline that's a lot sexier, and when you read it you realize it's not that big a deal. So on the one hand, we're a filter. We help a little bit with figuring out what's important and what isn't, and what you might need to know more about and what you don't. But we're not entirely reliable for you and your organization. You have special needs; you have a particular set of things you need to worry about. So there's the disconnect. Michelle and I were talking about Ebola on the way over here, and there's the big discussion: Ebola is in the news, we're all worried about Ebola, and it's a story that everybody's telling because everybody wants to read about it. Is Ebola the biggest threat to us? Probably not, at least at this point. We're much more likely to be hit by the flu or something like that. But that's boring, right? If I write a story about the flu, nobody's going to read it. Same thing happens in security. Fear sells. You're going to get stories that are people stirring up stuff, and quite honestly, a lot of us journalists are not smart enough to filter it the way we should. I think at Dark Reading we do a little better than some, but it happens to all of us. We get led down the garden path. So be careful with what you're hearing.

And there's a difference in the way organizations approach this stuff. I see folks here in the audience that if they said there's a vulnerability, I would say, yes, okay, that's a story, if you're telling me that, because I know those folks are reliable. If, on the other hand, I get a researcher I've never heard of before and he says this is critical, I have to vet that with people I can rely on. I need to talk to people, I need to ask questions. And some folks are really good at PR, and they're good at saying not very much. You look at that first slide that I threw up, between Target, eBay and Adobe. eBay and Adobe, they're technical companies. They get it. They understand: maybe we shouldn't say too much. Let's not say too much, and maybe nobody will cover it too much. Target, they don't know that much about technology. They don't know about security researchers and security media and that kind of stuff. They let a lot of stuff go that they probably shouldn't have, so that's one of the reasons we end up talking about it. So as a result, you end up with sort of a skewed view, when you're looking at publications, of what's important and what isn't, particularly as you map it to your own priorities. So let's talk about why things get into the news and why they don't, give you a little bit of a back-room view of how reporters and media are affected by security news, and Michelle's probably in as good a position as anybody to do that, because that's her job, to influence us.

At least I try to. So yeah, it's important, I think, again putting in perspective the climate that we're dealing with today, with tons of malware, tons of breaches, to figure out kind of what's real and what's not and what's worth talking to journalists about. As a PR professional, every single time I write a pitch, every time I pick up the phone and talk to a reporter, I'm not only putting my name on the line, I'm putting Merritt Group, my company, their name on the line, and the clients that I represent. So what I'm coming to them with has to be good. It has to be accurate, it has to be correct, and it has to be big enough that they're going to care about what I'm saying, because I understand reporters and I understand what they're dealing with. I mean, the folks like Tim that I'm talking to every day, they're inundated. They get 300 pitches a day from PR professionals like myself and other folks telling them, this is the big news, you've got to cover it today. Tim, today's your day, write the story. But he doesn't have time, and his staff don't have time. They've got to figure out what's big, what's not, what's accurate, what's inaccurate, and they just don't have a lot of time on their hands to even think through some of the pitches that they're getting. I mean, I feel bad, honestly, for a lot of the journalists I'm working with right now that are kind of struggling to figure it out. In fact, I had a reporter call me two weekends ago. I'm outside with my kiddo, he's making me take pictures of his new fancy shoes, and a reporter from Reuters calls me and he's like, Michelle, I need help. I've got to vet something. Another story related to the JPMorgan breach is out, and I'm just not sure. The New York Times wrote about it yesterday, and I'm looking at it, and I'm hearing from my sources, Michelle, I don't think this is a real legit story. Can you call a few folks and help me vet the story? So what do I do? Stop taking pictures of the shoes, tell my son, sorry, Mommy's gonna work for 10 minutes, make a few phone calls, and I call him back. I'm like, today is not the day to write the story. Hold off on that. And he listened to me, and I think it's because I've worked with this guy for a number of years that he trusts what I said. And I said, let's watch this play out. Watch the news, watch how it trickles out the next few days, and then if you want to go and write the story, call me back and I'll help you get connected. So there's an instance of a top reporter, top of the field, unsure because he's getting everybody chirping in his ear about how big this new story could be. But what's most important to that journalist? Accurate reporting. And I think that is something that I feel some reporters, media, journalists, whoever it is, they might be sacrificing accurate reporting right now for the clicks, the hits, the top story of the day, and it's definitely disconcerting, being in our fields right now, kind of knowing what's real and what's not.

So reporters are on deadline. I get them all the time contacting my team: hey, Michelle, I need three or four comments for a story I've got to file before noon. Get me the comments and I'll get your clients in the story. So I call people like Rick Gordon, sitting over there, and Bob Stratton, who are my clients right now; I work with MACH37. And I'm like, hey, do you guys have anything to say about this breach or this news? And sure as day they usually send me something back, and I send it to the reporter, and there it is, there's the story, and then they're on to the next story. So my job is to help them get connected with sources, with people that are trusted, that they know they're going to get accurate information from. And what reporters love? Well, they love news about compromises, big stories that are going to affect their readership, that their readers are going to want to see. They love talking about breaches, as we all know, and then fear, fear-mongering. And I think that's one of the biggest challenges I have every day: I see these stories and I don't want to be an ambulance chaser. I don't want to put my clients out there commenting every day on every breach, because at some point these journalists are going to say, Michelle, no, no more. They're going to put me in their spam filter, and I won't get my emails through to them. So that's why it's so important, I think, to really vet the stories, to vet it through sources and really come to the journalists with accuracies. What journalists don't love is breaches with very little impact. They're obviously looking for the big story. And then deep technical breach stories, and companies that no one knows. So it's tough if you're representing a brand new startup to go out and say, all right, we found this great vulnerability, we've got this new research. To get through, it takes a lot to get through all the other news cycles that the reporters are dealing with. So that's important. I think the key takeaway is: what you see in the news often is what's easiest to write. I think the journalists are trying to crank the stories, get their three or four stories done, file before the deadline and move on to the next thing. And again, they're oftentimes not taking enough time to really vet the stories as much as they should.
Who influences the news? Obviously vendors. I represent quite a bit of security vendors, companies that have anti-malware solutions, firewalls and the like, all kinds of technology solutions, and then the PR folks that represent the vendors. So we definitely play a part in influencing what these reporters are going to write. But I think one of the key things that journalists know when they contact a PR person like myself is that they can get a hold of trusted sources, people that have been around in the industry a long time, people that have built a brand for themselves, that they know are going to give them a good quote for a story or give them a good interview and give them some backdrop of information. Reporters are also influenced by Twitter and social networks. As you guys know, anything that hits Twitter, it's this trickle-down effect. So Brian Krebs writes a story, he posts it on his Facebook, his Twitter, he gets it on KrebsOnSecurity, and literally it's this massive wave effect. Everybody's got to write about whatever Krebs broke, and in the case of Target we saw many, many waves of news cycles there, and still today. Buzz is often what starts the story wave. So if Krebs tweets it, it gets a thousand retweets, a million retweets, so again that helps influence it. And then influential tweeters carry more weight. So somebody like Jack Daniel: he tweets something, people listen. He carries a lot of weight in the security industry, and people respect him. Other media: so the New York Times has broken a lot of news, as you can see, and other journalists, other trade publications, other business press, other broadcast, when the New York Times writes it, it's almost like their arms are twisted, they have to write it too. And we've definitely seen that in the case of a lot of the big news that's hit over the past year to two years. In fact, it was Nicole Perlroth at the New York Times that broke the APT1 story for Mandiant, and I worked on something similar with that particular journalist for CrowdStrike this year when we did the Putter Panda report, because we knew if Nicole wrote it, everybody else might follow. So that's a case of what we call an exclusive in the PR world, where you give a story to a reporter that you trust and they hold it, and then it all breaks at one time. Search engines, they definitely play a role influencing the news as well. Google and Google News, huge drivers of traffic. And then obviously publications are using SEO for every story that's up there; they are search engine optimized to hit the top of the charts. So reporters are influenced by the same stuff that you are: what's on Twitter, what's on the web and what people are talking about.
So why are some stories so big and so out of control, in each and every headline that you're reading? Well, big numbers. Any time a breach like Target or Home Depot or JPMorgan's out there that affects 50 million people, you're going to see it all over, because that's huge. That's a consumer-ish story, especially with all of these places that we deal with. I shop at Home Depot, I shop at Target. As a consumer, I can't go into either of those stores right now and feel good about swiping my credit card. No, you can't either. So big numbers play a big role. Big names, breaches at well-known companies. And then of course breaches that are flagged by respected authorities: when Apple, Microsoft, the FBI comes out with a story, of course it gets huge readership. And then big claims. So there's a lot of stories that I see about first-of-its-kind malware, the first mobile malware to hit your Android device. All of that, again, it's how you spin the story, it's how you pitch it. The PR people behind the scenes know what kind of subject lines to put in emails to grab a reporter's attention. If you play it up, they'll pay attention; they won't throw that email into the trash folder. And then unusual threat actors. So obviously there's a ton in the news about corporate espionage: China, Russia, everybody's pointing fingers about where a lot of the information is being stolen from U.S. companies. So those seem to be carrying a lot of weight lately, and I think again it was kind of a trickle-down from APT1 to today. Politically motivated attacks: of course the Syrian Electronic Army was in the news quite a bit a while back, and then Anonymous, of course. And then highly sophisticated attacks, so Stuxnet and stories like that definitely get big and they get a ton of coverage. And then the key takeaway here is that reporters build on stories that lots of readers can relate to and stories that have already gotten a lot of attention. So again, the New York Times breaks the story, then the Washington Post writes about it, then Dark Reading writes about it, and eWeek, and it's 200 stories within three or four hours on the same exact piece of news.
Okay, can you jump in here with me? So why is Target... why does it keep coming up over and over again? A lot of it has to do with the way we converse. We don't have a really good security community for the good guys right now. The bad guys have IRC, they have lots of good conversation. We're kind of stuck with LinkedIn, we've got Twitter, we've got ways of communicating that are sort of faulty. We're working on some stuff at Dark Reading that we hope will help with some of that. But the bottom line is, we're sort of an echo chamber sometimes, right? We're talking to each other, we're saying this is important, and we end up repeating the same things over and over again rather than moving on. So you get these conversations that make things seem bigger than they are, because everybody's talking about it, or somebody came in late. It's sort of like when you're in a business meeting and people come in late, and you end up talking about what you started talking about at the beginning of the meeting all over again rather than moving on. We're not always seeing what's important, and we're affected by the numbers. It's like, somehow Target's more important because the numbers are bigger: the name of the company was big, the number of people who were affected was big. But if you're in an organization and you're a victim of a targeted attack, there may have been only a few instances of that particular attack. That may not be news to me, but it sure as hell is important to you. And so you begin to separate what's important to you versus what's important to the media, and I think that's one of the things that we're trying to get at here.

Reporters are affected by a lot of things: the people that they trust. They talk to the same people over and over again because they're accessible and they're smart, and so you end up getting, again, sort of an echo chamber, because you're having the same conversation with the same person maybe too frequently. Reporters are looking for clicks. They're looking for a lot of people to click on the stories, so they're easily drawn to a story that they know did well for them the last time. It's sort of like movies and sequels: well, it did well the last time, I'll do another story on that rather than moving on. So sometimes they're missing things that are, again, targeted attacks, sophisticated attacks that maybe only a few people have seen, the vulnerabilities that a security researcher may have uncovered but doesn't really know how to get out there. Some security researchers are better at that than others. So what you find is that you've left some stories behind. I have a staff of three, four writers, and we publish, I don't know, four or five news stories a day, and I'd guess that we're probably one of the most prolific cybersecurity publications that there is, and yet I'm leaving news on the table every day. Every day there's a story that I feel like I should have written about that didn't make it for one reason or another. And these are things that we try to do our best with, links and blogs and whatever we can do to let you know about this stuff, but you may not be seeing all of the stuff that you need to know about in your particular environment.

So let's talk briefly about how you get your information. You have lots of stuff available to you. You have Twitter, you have what you see in social media, co-workers and colleagues. What research I've done, and tell me if I'm wrong, but a lot of folks tell us that they get their best information from people that they know, people that they trust that are colleagues, maybe in other organizations, or maybe if you're in a big company you have several security people in your organization and you're sharing information. That's where a lot of folks get their most reliable information. Now, you've got a lot of sources of information that are not so good, like top executives who have read something in the New York Times. The New York Times has a lot of influence; not the best reporters, not the most security-savvy reporters all the time, sometimes because they don't eat, sleep and breathe this stuff. They're writing business stuff, they're writing a lot of other stuff; they're not as deep into it as some of the others. So that's an issue. Sometimes you get warnings from vendors, or you get patch warnings, you get service providers saying, hey, watch out for that. So that's another thing: I might not see that, but you're seeing it on a regular basis. You've got CERT, you've got the various CVE reporting methods there are for vulnerabilities. You've got data coming that may just pop up on Facebook or Google or that kind of thing. You may follow bloggers, you may follow particular security researchers, or Brian Krebs or whoever you like. And then you've got kind of the general press, and then you've got trade press like us. So you've got a lot of influences that you're dealing with and that you're trying to filter.

Now, how do you prioritize your response to all this information? That's the trick, right? It's, okay, now I know about as much as I can know about today as far as what the threats are. Now how do I prioritize my response? This is where I feel for you guys, because you've got so many influences that may change your priorities, not necessarily in a good way. I mean, if the CEO says this is important and you need to do something about it, you may have to drop stuff that you know is more important, but you have to respond in some way because you've been asked to. You have vendors who will tell you that something is critical. It may not be for your environment, but they'll tell you it's critical, and you feel like, I'm better to get that patch in, because I'm being told that. You've got compliance. Compliance is a huge issue for a lot of you, and if you're in threat of being out of compliance, you may have to respond to that very quickly, even though security-wise it's not the most important thing for you. You have industry mandates. You've got certain other folks who prioritize the criticality of the vulnerability on a scale that's meant for everybody, but it doesn't necessarily work for your organization. You may not have those particular systems, or you may not have important data on those particular systems. Their view of what's critical may not be your view. So you've got system mandates, you've got just automated responses saying it's time to patch this, and then you've got news like the stuff that we've been talking about. So you've got a lot of different ways that you're being asked to prioritize what you're going to do that day and which fires you're going to fight first, and it's really, really hard on you. I know, I feel for you a lot of times. So, at the top level, I mean, I think
and weigh in if you... the media by and large is not a great bellwether for what your priorities should be that day. It's part of a bigger picture, but you need to filter it in a way that suits your environment, the same as you would for threat intelligence. You get threat intelligence data, you get a feed of data from all over the place; some of that stuff just doesn't matter to you. So treat the media that same way. And your top executives don't know the media either. They don't understand some of the things that we're telling you right here. They don't understand that some of these media are being affected by vendors, they're being affected by the people that they know, they're being affected by just the desire to get lots and lots of clicks on their stories. These are things that you should push back with when your CEO says we need to do something about this. Give them six reasons why maybe not, maybe this is not... maybe it's somewhere in the priority list, but it's not at the top. You need to be able to filter the news based on what your particular requirements are. And I think for you, you see this in working with clients: some of them care about some stuff and some of them don't.

Yeah, I mean, I would say don't believe the hype all the time. I know that's a silly phrase, but things do get over-hyped a lot, and if you think about when certain news breaks and the timing of it, it's my job to talk to clients all the time about, if they've got big news, when to release it, when is it going to make those headlines. And think about the timing of APT1: it was a couple weeks before RSA, and they walked into RSA and Kevin Mandia, God love him, had like a trail of people following him all over. It was smart. It was a way to build up the hype about Mandiant going into a major security trade show. A lot of that happens before Black Hat, so you see research starting to trickle out from the folks that are gonna be presenting at the shows. There's like big stories; I mean, Dark Reading writes 40 stories on all the great research that's going to come out of a show like that. You just have to think about kind of what's surrounding news and what maybe the ulterior motives are for the vendors or whoever's releasing it. Again, people want to get big headlines. They want to be on the cover of the New York Times, they want to be in the Wall Street Journal, and they want to be in Dark Reading. So timing is everything, I think, in the world of news, and a lot of these companies work with PR folks like myself that can counsel them on that. But it is important, again: a lot of what you see in the news may not even be applicable to what you're dealing with every day when you're sitting there dealing with threats coming in from a SOC or what have you. So again, I guess just take it with a grain of salt. I'm sure some of the news that you do read is important, certainly patches, vulnerabilities, things that you've got to deal with, but keep in mind, I think, that vendors do have their own agenda when it comes to news.

I think the timing of things too: it's ironic, but we know a lot more about breaches that happened, say, a year ago than we know about the one that happened last week. If you look at the stories that we're writing on any given breach, so many of them are so similar. It's like the vendor says, or the victim says, we're reporting a breach. It may have affected all of the credit card customers we have. We don't think any data has been stolen. We don't really know how the breach took place, or we're not telling you, because it's under investigation. If you read these stories, they're very similar the day that they come out. What we know more about are the stories that have been out for a while, because sometimes we can get access to people who will actually tell us, this is what happened, this is what the breach looked like. We have sources who actually did investigations, like Mandiant or Verizon Business, these folks who actually spend some time doing the investigation and can tell us what happened. And you can learn more about an old breach than, a lot of times, you can learn about that breach. You get to that point where you have to know certain things in order to sit at the water cooler. You have to know that JPMorgan was attacked this week, or that kind of thing, and I get that. But in terms of understanding how it can help you, how you can learn a lesson from it, go back and look at some of the older breaches and some of the in-depth coverage, and you'll learn a lot more.

Yeah, I think it's funny that just this past week, the whole SSL vulnerability, everybody thought the web was going to come crashing to a halt. I had a reporter tell me on Wednesday that he couldn't cover my news that I had for one of my clients because he was waiting for that big SSL story to break. I'm like, okay, I get it, yeah, that news might be bigger. But when it broke, yeah, what did they say? Heartbleed was bigger, Bash was bigger. It wasn't that big of a deal. But whoever was feeding him in the background all this information about this SSL vulnerability made him believe that was the story to cover; nothing else really mattered, and he was waiting around for that to break to put his big news piece out. So again, it's an interesting time, I think, to be in PR and media, because it's like fighting fires right now: what's real, what's not, what's overhyped.

Yeah, so some thoughts, and Michelle's going to tell you a little bit in a slide about what to do if it's you that's breached. But at this top level, I think we've kind of beaten this one: don't let the media set your agenda. Use it as a tool, just like you would a threat intelligence service or whatever, but be sure and push back if you see something in the news that you feel like doesn't affect you. You're probably right. There are waves of news, just like product announcements. You kind of see it hit its peak and then nobody talks about it. Those are the times when you may have the reverse problem, where you have trouble getting budget to stop a threat, but it hasn't been in the news in a while, so nobody's thinking about it, so they think, well, why do you need money for that? That's sort of the opposite problem, where it's not in the news anymore but you're still trying to fix it. You need to go back and look at the evaluations of the criticality, the issues that are involved and how to fix it, and those kinds of things, and you may have to bring up a story that was written a year ago in order to get the budget that you need to fix the problem that you've known has been there. And as you read it, look at yourself... I say read the news like a financial analyst. A financial analyst
doesn't necessarily make investments on on headlines they they have a certain strategy that they've been following all along they know when certain things hit them that that's big to them it may not be big news but you know so that page four story suddenly becomes the one that they use to to make that big to trigger that big investment that may be your case as well um it may be it may be a lesser announcement it may be something that you found somewhere buried um that may be the one thing that your particular organization needs to worry about and and you know recognize that you know your decisions aren't going to be the same as some of your colleagues
So let's talk a little bit about: what if it's you? What if you're the one who's in the news, and what do you do about that?

So I presented, I guess a year and a half ago, at a Northern Virginia Technology Council panel on data breaches and having a data breach response plan in place, and I venture to say that a lot of companies now probably have something in the works. Two, three years ago, definitely not, unless you were a major corporation, a huge enterprise. I think if there's one thing that maybe is good that's come out of these major breaches with Home Depot and Target, it's that crisis communications teams, corporate communications teams, have sat down with legal, they've sat down with the executives, and they've figured out: okay, what if it happens to me? What are we actually going to do? And part of it is understanding how the media is going to respond. If it's your company and your breach makes the news and it's covered all over, you need to know that it's going to happen quick. Once one story leaks, many, many others come quickly right after. You need to know what you have to disclose and what you don't in terms of authorities. Maybe you don't need to disclose every single detail if a reporter calls you. In fact, in the presentation I gave, so the first step really is to come up with a statement, because when you've been breached, in those critical moments you don't have all the details to give. You have to figure out with your IT security staff and many forensics folks, and it may take months and months, how it happened, how they got in. So coming up with a quick, short statement that's going to at least be a response for the media, to let them know, hey, we're not ignoring you, we understand you want to know details but we don't have them right now, is okay. So maybe even keeping it less detailed because you don't have that to give is okay.

And then be accurate, very accurate. That is one of the most critical things, because if you are dishonest, whether it's your PR folks that make the statement or your executive, that's the worst thing you could possibly do if you've been breached. Honesty is everything. And then, when it is possible, turn it into a lesson learned. Put a positive spin on it: what did we take away from all of this, and how can other organizations learn from our mistakes? So you'll see that Target and other companies that have been breached over the years, eventually, not immediately but six, eight months, a year down the line, some of their executives will be comfortable with talking about those lessons learned and what the key takeaways are. So coming up with a way to put a positive spin on something pretty negative is good, but it takes time. It definitely does.

And then recognizing all the aspects of the impact. So you have to think about all your folks that are going to be affected by a data breach. First and foremost, your customers. You have to think about getting a message to customers. Your brand is already going to be fairly damaged, but you want to minimize that, making sure your customers don't lose trust. And I would say one company that did a particularly good job, and Tim, you probably remember this, a security company actually that got breached about two years ago, was Bit9. I can't remember all the details of why they got breached, but I remember specifically them using their blog as a great communications tool. So as more details were uncovered about how they were breached, they were posting, I think, at least one blog every other day, because it was their way to say, you know what, we made a mistake, we have been breached, but we want to communicate. We don't want to leave our customers, our investors, our board, all these folks that trust this company, in the gray. We want to give them information as we have it. So thinking about how to communicate that message, and how to work with your PR folks and your legal folks on how to convey that message and what venue you're going to do it in, is really important. But yeah, you have to think about all of the trickle-down effects: the impact, the brand damage, the loss of trust, and then the loss of credibility. And you really do have to do crisis response exercises. I recommend this all the time to companies: do fake scenarios, do mock scenarios, and sit down in a boardroom with all of your executives and play out this real-life breach incident and how you're each going to respond. It's very important to do that kind of exercise with your company to figure out how you're going to handle it when the time does come. I saw you raise your hand back there.
I think it was a combination of things. I think that, quite honestly, they gave fewer details, and this is working against my best interests, but you're better off not giving out a whole lot of details. As soon as we found out that Target got breached through an HVAC company, it brought up a whole new set of discussions and that kind of thing. I also think that there's a little bit of a sort of wearing down of the public. If you think about consumers, they had already seen Target and Neiman Marcus and Dairy Queen, just retailer after retailer, so I think by the time Home Depot hit, they were sort of inured to it a little bit.

And the fact that they lost their CIO and their CEO as a result, I think that kind of thing tells you this is bad news, and when your CEO steps down because of the breach, then all of a sudden that becomes a lot bigger deal. You could have argued that maybe that shouldn't have happened; they obviously felt like, because of the shareholders, they needed to do that. A lot of companies have been through worse breaches and didn't lose people as a result.
One of the things I was thinking about as she was talking about that is the difference in the audience, right? If you're Bit9, you'd better sure as hell tell security professionals what they need to know, because that's the audience that you have to answer to. Now, if you're Target, you don't have to worry about that as much, right? Because your security is not your business, right? So you're dealing with mainstream media who know nothing about this stuff, and so you're better off kind of fudging. Maybe it's only publications like us or reporters like Krebs who really know their stuff, who can really ask the right questions and really dig up the stuff. So sometimes it depends on who your audience is. Good. One more question.

We got breached because we weren't running our product.

So I think it was admitting fault, and it's hard for a security company to do that. Their product is being used by how many different companies? That's a hard thing to mask. And honestly, I know the girl who did the PR when that breach happened, and it was a difficult couple of weeks to figure all that out. But it's almost like, okay, you've got to come clean, or cleaner, as a security company, when you're going out and telling the world, use my product, I will secure you. So RSA, Bit9, Barracuda: security companies do get breached, and honestly, admitting fault is a hard thing to do. But again, being honest is critical. Now, when you are a Target or a Home Depot, it's probably easier to shield some of those details.

So I think you guys alluded to all these breaches, to some extent, causing some fatigue in the public. Do you think businesses are going to start getting fatigued in investing in security personnel or response and whatnot? Because I went to a presentation on a similar topic at BSides Vegas, and in the long term there doesn't really seem to be any brand damage or any stock hits or things like that. And ironically, if the financials are technically healthy, it's a good buy to buy stock in a breached company the day it gets breached or the day after, because in the long term it's going to bounce back and you're going to make money off it. So are businesses going to kind of say, you know what, it's not worth investing in a lot of these security or PR things, because we'll just hand out some security monitoring, we'll pay whatever we need to pay, kind of like insurance, but people are going to still go to Target because it might be the shop that's down the road from home, or Walmart? Do you think they're going to start getting fatigued, and maybe the message that we're sending, they're going to start getting tuned out to it?

I'll tell you one better. I think there's a lot of companies that don't disclose their breaches at all, law or no law. There's a lot of companies that make a business decision that the cost of being found out and the fines that they might pay are less than if they actually disclosed it. And I think yes, I think there's definitely a question of, do I disclose the breach, and how do I disclose it, and whether or not it's going to have an impact on my job as a CSO or my job as the CIO, or that kind of thing. It hasn't, in a lot of cases. Now, Target is probably an exception, but in that case it certainly did. It caused brand damage, it caused stock damage, it caused CIOs and CEOs to lose their jobs, and I think that's the worst-case scenario. But for lots of folks, it's risk, right? You're making a value judgment based on what you think the risk is. And I think a lot of companies are actually deciding, even though every state has disclosure mandates and there are serious penalties if you're found out later that you didn't disclose it when you were supposed to, I do think that there are companies that make those decisions based on what they think the business risk is.
So, a question. So, the latest trend, the majority of breaches, how long do you think that's going to last before that actually... I think you can just get tired reporting if all breaches get shuffled to page 10 unless it's multi-million, unless you get like a billion-and-a-half breach. I mean, most of the time, I know for myself, it's like a breach, I read the news and go, whatever, I don't even pay attention. I assume I'm part of it, and so my friends are part of it, who cares. I'll wait six months, when the lessons learned come out, and maybe read that. But don't worry about the public itself.

No, I'll answer it in two ways. One is, there are more breaches now than we can cover, right? I mean, I've got one of the larger staffs of all the security publications, and I can't cover them. So we're in the process of building out a section of the site that's just going to be sort of an analog to databreaches.org, where you'll get information about breaches. But if we don't have real good data, then for me to send a reporter to write about it all day, this is not a good use of the resources I've got. So newswise, I think we've reached a point already where there's more news than we can cover and there's less interest in reading it than there was. Now, having said that, I think the lessons-learned piece for you guys is essential. We, as reporters, that's our job: we have to find out what happened and how it matters to you. And so what I'm going to have to start doing is saying, no matter how big the breach is, if we don't have information on how it happened and what you could potentially learn from it, if it doesn't have any value for you as security professionals, then I'm not going to devote a reporter to that story. I mean, you guys deal with this every day, right? You can't push fear as a means to get the budget that you need, or to get the data, or to get the backing that you need from top executives. You have to be really careful because otherwise you lose all your credibility, right? So we're in that same position. If we report, like a knee-jerk, every breach that we hear about, then you guys aren't even going to read us anymore. So that's the balance: can we learn something from this, can you really get some value from a mistake that was made, or are we just adding to the pile? I think we really need to start thinking about that.

Okay, we're just about out of time. Let me talk a little bit; you said your role as a journalist is to find out what happened and how it matters. Can you talk a little bit about educating your readers? Because that Apple story that came out about a month ago, "Was Apple hacked? Sexy naked pictures," right, great headline, lots of clicks, but in reality the headline was really more "security questions are not secure, use two-factor auth," and you didn't see a whole lot about that in the reporting.

Yeah, and see, that's where we try to, for you to start reading us, we have to separate ourselves from that, from the mainstream press. You couldn't look at that story with the Jennifer Lawrence naked pictures and that sort of thing; we have to consciously set that aside, and I think we did that in that case, and try to produce a story that actually is useful to you: what exactly was it that happened? People are talking about it, but what can you add to that conversation? And I think that's what you're looking for, whether it's from us or someplace else. You want data or a story or something where you can say, okay, let me add some value to this conversation instead of just talking about what happened: this is what we should do about it, that kind of thing. And it's hard to find that information.

Saturday night late, or like Sunday morning, one of my clients got an inbound request from Us Weekly. I was shocked that they took the interview, but again, very big story. The Us Weekly thing led to other broadcasts that they did later on that week. It's celebrities, so it was mainstream and everybody read about it. I mean, it's a sexy story.

I think we're out of time; we're getting kicked out. Thanks, everybody.