Women’s History Month: 5 Ways Cybersecurity Companies Can Create an Equitable Workforce

When it comes to representation of women, the cybersecurity industry has actually improved somewhat in recent years — the percentage of women in the industry jumped from 11% in 2013 to 20% in 2019. Still, 20% is hardly a stat to celebrate, and it’s clear that the security community has a lot more work to do to achieve an equitable workforce. 

The theme for International Women’s Day (IWD) this week was #EachForEqual, and the IWD organization is encouraging everyone to celebrate female achievement, raise awareness against bias, and take action for equality. In honor of that and Women’s History Month, Highwire has gathered recommendations for prioritizing diversity and creating more inclusive work environments.

Here are a few ways cyber companies (and all companies!) can join in on #EachForEqual:

  1. Establish a Diversity & Inclusion Committee

  • At Highwire, we’re proud to not only prioritize diverse hiring, but to have systems in place to educate everyone at the company about various races, sexual orientations, and religions throughout the world. Our D&I committee is dedicated to teaching every employee something new about minorities and global cultures each month, with the goal of creating a more inclusive culture. Committees like this help keep companies accountable for D&I and ensure employees from underrepresented groups feel celebrated and supported.

  2. Bring Your Daughter to Work Day

  • A new twist on an old tradition, “Bring Your Daughter to Work Day” is a great way to show young girls that they have a place in the cybersecurity industry from an early age and help them understand their freedom to choose whatever career they want. Hosting an all-girl hackathon is also a fun way to cultivate the next generation of cybersecurity pros. 

  3. Partner with Women and Minority Empowerment Organizations

  • Another way to highlight your company’s dedication to diversity and inclusion is by partnering with a nonprofit focused on the same. For instance, the International Consortium of Minority Cybersecurity Professionals strives for the consistent representation of women and minorities in cybersecurity with programs designed to foster recruitment, inclusion, and retention. Encourage your employees to become a mentor in their Mutual Match Mentor-Protégé Program, or host a lunch or dinner for those involved.

  4. Implement Unbiased Hiring Solutions and Practices

  • There are many systems for bias-free hiring, and it’s important to consider them all to determine what works best for your company’s needs. One option is anonymizing the résumé review process, because even something as simple as removing the name from a résumé can reduce bias. A work sample test is a good next step in ensuring the candidate is evaluated on skill instead of gender, race, or another protected class. In addition, having women represented at the C-level and in the boardroom is a great way to attract more junior female candidates.

  5. Offer Benefits that Support Women and Families

  • If you haven’t already, it’s time to make all employees feel equal through pay equity and benefits such as parental leave and daycare options for those who choose to become parents. These seemingly basic offerings can be the biggest considerations for top candidates.

As Beyoncé once sang, girls run the world…but not the cybersecurity industry just yet. Attracting more women to the industry will take time and commitment from industry leaders. Implementing strategies like the above is a good first step in creating a more equitable cybersecurity workforce.

VIDEO: Meet the #HWCyberSquad & get a firsthand look at top RSA trends

This year’s #RSAC2020 was one for the books. I’ve been attending the show for 14 years and I’m always on the lookout for what’s different or unique year-over-year. This year was more of the same in terms of the outcry for stronger security leadership and a different approach, attribution debates and the promise of a million and one new security tools that will “stop” the latest cyber attack. So, I focused on something different this year. The sheer awesome-ness of my #HWCyberSquad was striking. I have never been more inspired by my team, our clients, the depth of expertise, and the strength of our partnerships.

See below for a few of this year’s highlights:

  • We kicked off the week with some incredible news — the #HWCyberSquad was named 2020 PR Team of the Year by Info Security Products Guide for the second year in a row. This team represents the true power of collaboration, creativity and drive.
  • Our detailed and thoughtful daily recaps (see Day 1, Day 2 and Day 3) captured RSA keynotes and all of the smart sessions hosted by our clients. We even got some standout coverage of our clients’ talks (see WIRED story featuring Chris Wysopal, founder and CTO of Veracode).
  • We connected with reporters that we respect and feel grateful to be able to work with day-in-and-day-out on top security stories (e.g. see our Q&A with Reporter Alyssa Newcomb/Fortune and recap of our Cult of the Dead Cow Book Club with Joe Menn/Reuters).
  • We hosted the annual Security Comms Happy Hour with our partner Meredith Corley and our friends at Offleash PR, W2Comms and Chen PR.
  • We had the largest team of talented cyber security professionals to-date onsite and took some time to celebrate our win with our annual Cyber Security Appreciate Dinner (six years running!)

What separates the #HWCyberSquad is our passion and dedication to our team and our clients, and to honing our craft as cybersecurity PR professionals. We are grounded in our Highwire values (passion, curiosity, creation, balance, and collaboration), and they guide us in everything we do. We pride ourselves on our ability to identify timely trends and topics that shape and inform our clients’ PR programs. After all, it’s a crazy-crowded market so you need practitioners that are always thinking two steps ahead.

With that, I am so excited to share this incredible “RSA Top Trends” video produced by our very own #HWCyberSquad team. You don’t want to miss it.

Cheers to RSA 2020 and we look forward to seeing you all at Black Hat! 

Stay healthy!

Christine 

P.S. After the first conference of 2020, one thing is clear: Politics and policy continue to impact cybersecurity in almost every way. We’re investing time and talent into our policy expertise (you can check out an example here) and will be rolling out some exciting policy projects this year. Keep an eye out!

RSA Day 3: How To Successfully Apply an Enterprise Cybersecurity Mindset to Other Industries

Welcome to the final RSAC 2020 daily recap. Today’s keynotes encapsulated how what we know, as security professionals, can be applied beyond the enterprise security industry and where we go from here. 

To get caught up or refreshed on what happened during Day 1 and Day 2, please see Highwire’s additional blogs: 

RSA Day 1: Why Cybersecurity Isn’t Working and Where We Go From Here

RSA Day 2: Finding New Ways to Explore the ‘Human Element’

Securing Critical Infrastructure

Today’s keynotes kicked off with a deep dive from Dragos CEO and founder Robert Lee into what enterprise security professionals need to understand about how to support the security of critical infrastructure. He noted that industrial security is vastly different from enterprise security, and applying the same software across the field can have negative implications.

In looking back at 2019, Lee noted that 55% of industrial control systems vulnerabilities had a patch but no alternative remediation. He mentioned that in the majority of these cases, simple recommendations would have made the vulnerabilities not hackable, but IT professionals are used to focusing on the patch. The hyper focus in enterprise security on endpoints “doesn’t really apply” to ICS. In fact, from Lee’s research, more than 50% of vulnerabilities are ‘useless’ and don’t deserve time wasted attempting to create a patch. You can read Dragos’ full 2019 year in review report here.

The most critical takeaway from Lee’s talk is that, from his research, 91% of clients had the opportunity to increase security in their environments but were blocked by vendors. His advice to OEMs as they leave the conference? “Your opportunity in 2020 is to figure out the barriers for your clients and help them figure out the easy hardenings” in their environments. He shared resources and next steps for OEMs here.

Hacking Your Life

Next, we heard from Bruce Schneier, a security technologist and lecturer at the Harvard Kennedy School, who discussed how “our expertise in security [can be transmitted] to other activities.” Case in point, security skills are becoming more broadly applicable. 

A great example of how security terms and concepts can be applied to other areas of our lives? Junk food. It represents one instance of how a change in the threat model (the introduction of new food processes and chemicals) produced a new vulnerability (our cravings for sugar). But it’s not the only example of how security frameworks can be applied to other areas of our lives. 

Schneier’s biggest examples were political. How is a tax code like computer code? Why is election spending hacking our democracy? His ideas are still in development but he mentioned he will likely further develop the framework through a book or essay soon. 

The Triangle of Information Security

During Akamai CSO Andy Ellis’ talk, he compared his company to the “shopping mall of the internet,” laughingly dubbing himself their “Paul Blart” (mall cop). Ellis dove into the three pillars of information security: Integrity, Availability and Confidentiality. 

While starting with the integrity of the system is the foundation of security, both the availability of the technology and protecting the confidentiality of its users are equally important. 

Ellis ended his talk noting that while IoT and 5G are new challenges that will affect how we approach each of these pillars, new challenges also guarantee that the security industry will continue to expand, and that it will continue to be crucially and increasingly important to other industries.

The Future of Cybersecurity and the Future of Auto

In the final keynote of the morning, General Motors’ CEO and Chairwoman, Mary Barra, discussed the future of transportation. She discussed how “there are virtually no industries today that are invulnerable to cyberattacks,” the automotive industry being no different.

For GM, eliminating car crashes, carbon emissions, and traffic in cities are the three priorities for the next 20 years. In order to do this, Barra knows cybersecurity is essential, mentioning that she believes safety and cybersecurity go hand-in-hand and “a company’s defenses are only as strong as [its] weakest link.” 

To achieve this goal, GM has invested in the future of cybersecurity talent, connecting with 300,000 students and teachers nationally, calling back to a critical point: For us to invest in the future of cybersecurity, we need to focus on the talent gap and on filling IT positions with women and minorities, expanding our demographics. 

Where Do We Go From Here?

As the conference wraps up, I’ll leave you with my biggest takeaway. While an enterprise mindset can be applied to other sectors, from industrial security to politics to automotive, to reach the next level, our knowledge of the information security triangle needs to spread to educate wider demographics. The future of cybersecurity requires more voices. 

While I loved that at RSAC, and for the first time in my life, I didn’t have to wait in line for the women’s restroom, it was just another example of our need to continue to grow as a community. We’ve made leaps and bounds, but it doesn’t stop here.

RSA Day 1: Why Cybersecurity Isn’t Working and Where We Go From Here

The #HWCyberSquad is on the ground at RSA 2020, and we’ll be recapping each day’s highlights right here in one place! Tune in all week for the latest from our award-winning security practice.

This year’s RSA theme is The Human Element, which certainly came through in today’s opening keynotes. Speakers and panelists kicked off this week’s conference by critically examining the past, present, and future of cybersecurity, and how we can better secure not just technology, but the people behind it. 

People At The Forefront

We kicked off the day with RSA Security President, Rohit Ghai, who recapped what cybersecurity has looked like in the past, what it looks like now, and how it should ideally evolve and shift as we head into 2020 and beyond. He led by saying that in order to change the future of cybersecurity, we need to do three things — examine and analyze the stories we have, imagine the story we want, and strategize a way to realistically achieve it. He argued that right now, cybersecurity professionals are living in a state of cognitive dissonance. They understand that humans need to be at the center of what they do, but are not doing enough to consider humans when creating cybersecurity strategies. Ghai noted that leaders are being too technical in their approaches to cybersecurity, and that “preparing for the worst does not prepare you for the likely.” By putting humans at the forefront of cybersecurity, organizations will be better equipped to stop emerging threats. 

Designing Cybersecurity For The Everyday Individual

Another theme highlighted in today’s presentations was the need for cybersecurity that the everyday individual can easily digest — not just the experts. Wendy Nather, Head of Advisory CISOs at Cisco, highlighted three ways that we can do this — shifting from a control model to a collaboration model, simplifying the cybersecurity controls we use, and opening up cybersecurity culture to everyone. By designing cybersecurity to be adopted rather than for it to be enforced, organizations can make cybersecurity something that users would rather choose. If security was designed in a digestible, consumer-grade fashion, humans could more easily adapt in their everyday lives. 

Cybersecurity At A Global Scale 

Of course, some of the hottest global issues were also discussed, including the pros, cons, and practicality of quantum computing, and what is being done around election security as we approach voting day. 

Steve Grobman, Senior Vice President and Chief Technology Officer at McAfee, made the case that our current practices are far too similar to what we’ve employed in the past — particularly as it pertains to quantum computing. Quantum computing is a real risk, even if it isn’t completely here yet. Panelists on the annual Cryptographer Panel shared similar sentiments, noting that currently, quantum computing is nowhere near safe enough to protect against nation states. All agreed that quantum computing needs to be designed cyber-smart if it will ever be a possibility. 

The same goes for election security – panelists on the Cryptographer Panel compared our election security to a “cyber pearl harbor” and spoke to how we need to engineer our voting systems to be inherently secure. Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency, noted that 2016 was a clear wakeup call, but reassured audience members that federal leaders across agencies are working diligently to make sure the 2020 election keeps voters protected.

Overall, there’s one thing that all of the speakers agreed on today — the current model for cybersecurity just isn’t working. Business leaders and security practitioners alike need to implement smarter cybersecurity measures that put more focus on the people. How humans — both benevolent and malicious — act and think needs to be at the forefront of everything we employ if we want to protect against emerging threats at local and global scales.

Stay tuned for tomorrow’s keynote recap, and be sure to follow Highwire on Twitter and Instagram for more RSA 2020 insights at @HighwirePR.

Navigating Your Way Through RSA 2020

The week we’ve been planning, preparing and fretting over is finally here! RSA Conference 2020 takes place at Moscone Center this week in San Francisco with more than 40,000 attendees expected. 

Tradeshows can be hectic, so we’ve outlined some key events, parties and sessions to have on your radar as well as a map highlighting some important things – food, water, transportation, good meeting spots and more.

Interested in connecting with Highwire at the show? Reach out to SecLeads@highwirepr.com. 

 


 

Highwire Sponsored Events:

Security Comms Happy Hour

  • When: Monday, February 24 from 6-7 p.m. PST
  • Where: Tres Restaurant (130 Townsend St. San Francisco, CA)
  • What: This is a great way to network with cybersecurity comms professionals, share stories and talk about best practices in this dynamic industry. Register via Eventbrite.

Disaster Recovery Breakfast  

  • When: Thursday, February 27 from 8-11 a.m. PST
  • Where: The Metreon TableTop Tap House (175 4th St, San Francisco, CA 94103)
  • What: Network, eat, and most importantly relax. Attendance is free, so register at rsvp@securosis.com and see this blog post for additional details.

 

Highwire Client Locations, Events & Speaking Sessions:

Client Booth Locations

  • Akamai: Booth #6153, North Expo
  • BitSight: Booth #1167, South Expo
  • Code42: Booth #6079, North Expo
  • Forcepoint: Booth #5965, North Expo
  • GitLab: No booth, but see below for details on speaking sessions
  • Illumio: Booth #5459, North Expo
  • Intel Security: No booth, but see below for details on speaking sessions
  • Interos: No booth, but will be on the show floor
  • MobileIron: Booth #1727, South Expo
  • One Identity: Booth #6271, North Expo
  • Qualys: Hosting QSC 2020 at Four Seasons on 2/25
  • SonicWall: Booth #5559, North Expo
  • Splunk: Booth #5865, North Expo
  • Veracode: Booth #5553, North Expo
  • vArmour: No booth, but will be on the show floor

Events/Parties

  • Forcepoint RSA Welcome Reception 
    • Location: The St. Regis San Francisco, 125 3rd St, San Francisco, CA 94103, Yerba Buena Terrace, 4th Floor
    • Date: Monday, February 24
    • Time: 7:00 – 9:00 p.m. PT
  • vArmour Concert Party with Nothing But Thieves
    • Location: The Grand, 520 4th Street, San Francisco, CA 94107
    • Date: Monday, February 24
    • Time: 8:30 p.m. – 12:00 a.m. PT
  • vArmour + Digital Shadows Security Leaders RSA Party
    • Location: City View at Metreon, 135 4th St #4000, San Francisco, CA 94103, USA
    • Date: Wednesday, February 26
    • Time: 6:00 – 9:00 p.m. PT
  • Qualys QSC Private Reception
    • Location: Veranda Ballroom on the 5th Floor, Four Seasons Hotel, San Francisco
    • Date: Wednesday, February 26
    • Time: 6:00 – 9:30 p.m. PT

Speaking Sessions

Tuesday, February 25

  • Veracode’s Javier Perez Talk on “Time to Spell Out Open Source Software Security”
    • Location: Moscone West, 3022
    • Date: Tuesday, February 25
    • Time: 1:00 – 2:00 p.m. PT
  • Qualys Security Conference 2020 San Francisco
    • Location: Veranda Ballroom on the 5th Floor, Four Seasons Hotel, San Francisco
    • Date: Tuesday, February 25
    • Time: 8:30 a.m. – 4:00 p.m. PT
  • Splunk’s Oliver Friedrichs, Jac Noel, and Lee Peterson Talk on “Modernizing the Security Operations Center: A Security Leader Panel”
    • Location: Moscone South
    • Date: Tuesday, February 25
    • Time: 3:40 – 4:30 p.m. PT
  • Code42’s Talk on “The Insider Threat: You’re Flying Blind”
    • Location: Moscone North Expo
    • Date: Tuesday, February 25
    • Time: 4:20 – 4:50 p.m. PT
  • One Identity’s Talk on “Security Starts Here…Identity”
    • Location: Moscone South
    • Date: Tuesday, February 25
    • Time: 2:10 – 2:30 p.m. PT
  • Intel’s Casimir Wierzynski Talk on “Protect Privacy in a Data-Driven World: Privacy-Preserving Machine Learning”
    • Location: Moscone West
    • Date: Tuesday, February 25
    • Time: 1:00 – 1:50 p.m. PT
  • Intel’s Rahuldeva Ghosh and Dr. Zheng Zhang Talk on “Nowhere to Hide: How HW Telemetry and ML Can Make Life Tough for Exploits”
    • Location: Moscone West
    • Date: Tuesday, February 25
    • Time: 3:40 – 4:30 p.m. PT

Wednesday, February 26

  • Forcepoint’s Homayun Yaqub Talk on “Modern Strategies for Protecting Users and Data in a Borderless World”
    • Location: Moscone South, 207
    • Date: Wednesday, February 26 
    • Time: 2:50 – 3:40 p.m. PT
  • Veracode’s Chris Wysopal and Jay Jacobs Talk on “8 Million Findings in 1 Year: Fresh Look at the State of Software”
    • Location: Moscone West, 3014
    • Date: Wednesday, February 26
    • Time: 9:30 – 10:00 a.m. PT
  • SonicWall’s Brook Chelmo Talk on “Mindhunter: My Two-Week Conversation with a Ransomware Cell”
    • Location: Moscone North Expo
    • Date: Wednesday, February 26
    • Time: 10:30 – 11:00 a.m. PT
  • GitLab’s Cindy Blake Talk on “Best Practices for Adding Security to DevOps”
    • Location: Moscone West
    • Date: Wednesday, February 26
    • Time: 9:20 – 10:10 a.m. PT

Thursday, February 27

  • GitLab’s Cindy Blake Talk on “How to Harness Dev and Their Native Tools to Accelerate DevSecOps”
    • Location: Moscone West
    • Date: Thursday, February 27
    • Time: 1:30 – 2:20 p.m. PT
  • Akamai’s Andy Ellis Talk on “20 Years In: Security’s Grand Challenges, Then and Now”
    • Location: Moscone West Street Level
    • Date: Thursday, February 27
    • Time: 10:35 – 10:55 a.m. PT
  • Illumio’s Talk on “More Powerful Segmentation for More Powerful Threats”
    • Location: Moscone North Expo
    • Date: Thursday, February 27
    • Time: 10:30 – 11:00 a.m. PT
  • Veracode’s Ryan O’Boyle Talk on “A Security Pro in Developer’s Clothing”
    • Location: Moscone North Expo
    • Date: Thursday, February 27
    • Time: 12:40 – 1:10 p.m. PT
  • BitSight’s Jake Olcott Talk on “Do Investors Care About Cyber Risk?”
    • Location: Moscone West
    • Date: Thursday, February 27
    • Time: 2:50 – 3:40 p.m. PT

Friday, February 28

  • Veracode’s Chris Wysopal and Katie Moussouris Talk on “Coordinated Vulnerability Disclosure – You’ve come a long way baby”
    • Location: Moscone South Esplanade
    • Date: Friday, February 28
    • Time: 8:30 – 9:00 a.m. PT

 

Inside the Mind of Business Tech Journalist Alyssa Newcomb 

I recently spoke with business technology reporter Alyssa Newcomb, who writes for a variety of publications like NBC and Fortune, and has worked with companies in our #HWCyberSquad for more than five years. In the Q&A below, she shares what makes something “newsworthy” and the security trends she currently finds most fascinating. Oh, and did I mention a (cringeworthy) PR horror story? *Keeps reading* 

Bailey: What security trends or topics are you most interested in covering right now?

Alyssa: Ransomware hit just about every industry last year. I’m fascinated by the idea of ransomware and other types of hacks being offered to people “as a service.” You no longer need major technical skills to pull off a hack, since there are people on the dark web offering to help potential hackers get started for a fee. And of course, it’s 2020, so election security is definitely on my radar.

Bailey: What makes something “newsworthy”? 

Alyssa: I think people sometimes assume the fact their product or company exists makes it newsworthy. When I look for stories or evaluate studies, I’m most interested in two things: Thinking a few moves ahead to how this might become bigger in the future, and finally, if it’s something happening now: Would my Aunt Carol care about it? 

Bailey: What areas of security do you feel aren’t being covered enough or what’s been overdone? Are we doing a good job of talking about D&I and mental health in the industry?

Alyssa: The security industry obviously has some work to do when it comes to diversity and inclusion, especially when it comes to the speaker lineups at conferences. I’d like to see more companies putting forward diverse voices for interviews. I always try my best to make sure I am quoting a diverse group of experts in my stories, but I think we all can do a better job here. I haven’t really covered mental health in the industry, but I think anytime we can have open conversations about mental health, it’s a good thing. 

Bailey: What’s your worst PR horror story?

Alyssa: It makes me cringe when I’m pitched an interview with a “lady founder” or “female badass expert of XYZ.” I think that does a disservice to the female leaders in tech, and pitches should be led with far more interesting tidbits than the fact the interview subject identifies as a woman. You’d be surprised how many pitches like this I get. I mean come on!

Alyssa’s Q&A is further proof of why transactional interactions are never the way to build a relationship with a reporter. Understand that the person you’re talking to on the other end is not a bot, and that PR/reporter relationships can be mutually beneficial if you take the time to grow with each other.

Here’s my challenge to you — ditch that blanket product announcement pitch that you were going to send after you’re done reading this (*Gasp – how did she know?*) and build a real narrative tied to what the journalist may actually be interested in exploring. 

Like Alyssa said, why would (and should) Aunt Carol care about your news?

RSAC 2020: Everything You Need To Know

RSA Conference is quickly approaching, and the #HWCyberSquad is getting its ducks in a row. For close to 30 years, the week-long conference has drawn the best and brightest in cybersecurity to discuss current trends and challenges impacting the space. 

This year, RSAC’s theme is The Human Element, which will explore how even though an automated future is inevitable, our most valuable weapon is and will always be ourselves. While artificial intelligence and machine learning are expected to fight against threats better than we ever could, humans will always be needed when it comes to making challenging ethical decisions. RSAC believes that “when we recognize that cybersecurity is, fundamentally, about people protecting people, the world becomes a better, more secure place.” 

The Human Element isn’t the only thing that will be talked about, though — topics like DevSecOps, AI and ML, and insider threats are set to take center stage alongside even more pressing conversations around election security, ransomware threats, 5G, and privacy. This year, we expect to hear compelling conversations about modern approaches to security as we enter into a new decade — how are we approaching security in new and different ways? 

 

Security Then and Now

As we head full force into 2020, a number of sessions will focus on how security strategies have changed and where they are going. Akamai’s talk on Security’s Grand Challenges, Then and Now will look at where we came from, and how our biggest challenges have shifted, and Forcepoint’s talk on Modern Strategies for Protecting Users and Data in a Borderless World will highlight why modern cybersecurity needs a mindset change. Splunk will be moderating a panel with experts from Intel and Starbucks on Modernizing the Security Operations Center, and Illumio will be highlighting why we need to approach the more powerful threats that we are seeing with a new approach — more powerful segmentation. Each of these sessions hits on a key theme that cybersecurity strategies are not what they used to be — and we need to take a new approach. 

As attackers become increasingly sophisticated, we’re also seeing researchers share in-depth insights into some of the most impactful attacks. In a session, SonicWall shares insights into a Two-Week Conversation with a Ransomware Cell which begins with the young leader of a Russian ransomware cell. Nicknamed “Twig,” SonicWall’s confidential contact unveils how alarmingly easy it is for their cell to find, target and attack modern networks.

 

The Era of DevSecOps

We are continuing to see the security and developer world overlap, as businesses look to shift left and make the transition from DevOps to DevSecOps. We’ll see a number of sessions providing businesses with best practices on bringing security into the development process, from GitLab’s talk on Best Practices for Adding Security to DevOps, to Veracode’s session on helping developers to understand security, A Security Pro in Developer’s Clothing. From base-level “how to’s” to more technical instruction, the DevSecOps movement is here to stay, and security practitioners will be sharing their unique insights for businesses to be set up for success, including How to Harness Dev and Their Native Tools to Accelerate DevSecOps.

 

How Identity Impacts Security Strategies

Coinciding with RSAC’s human element theme, Code42 and One Identity will both host talks focused on how identity impacts the ways we approach cybersecurity. Insider threats aren’t going anywhere anytime soon, and they’re continuing to impact businesses — Code42 and One Identity outline how practitioners can better secure their organizations by mitigating these risks. 

 

AI and Machine Learning

New technologies are continuing to impact the ways organizations stay secure — particularly machine learning. Intel will focus on how ML can help from two different angles: how we can use ML to protect privacy in a data-driven world and How HW Telemetry and ML Can Make Life Tough for Exploits. They’ll share the benefits of implementing ML technologies into security frameworks and how it can better protect businesses.  

The #HWCyberSquad will be at RSAC to learn from the experts, connect with reporters and industry influencers, and gain an even deeper understanding of the pressing issues facing businesses in 2020 and beyond. 

Want to catch up at the show? Email secleads@highwirepr.com, and stay tuned for more RSA content as we get closer to the event.

 

Be sure to stop by the Expo Hall to learn more about each of our clients, listed below: 

Client Booth Locations

  • Akamai: Booth #6153, North Expo
  • BitSight: Booth #1167, South Expo
  • Code42: Booth #6079, North Expo
  • Forcepoint: Booth #5965, North Expo
  • GitLab: No booth, but see below for details on speaking sessions
  • Illumio: Booth #5459, North Expo
  • Intel Security: No booth, but see below for details on speaking sessions
  • Interos: No booth, but will be on the show floor
  • MobileIron: Booth #1727, South Expo
  • One Identity: Booth #6271, North Expo
  • Qualys: Hosting QSC 2020 at Four Seasons on 2/25
  • SonicWall: Booth #5559, North Expo
  • Splunk: Booth #5865, North Expo
  • Veracode: Booth #5553, North Expo
  • vArmour: No booth, but will be on the show floor

Additionally, check out all of our clients’ events, parties, and speaking sessions throughout the week, listed below:

Events/Parties

  1. Forcepoint RSA Welcome Reception 
    • Location: The St. Regis San Francisco, 125 3rd St, San Francisco, CA 94103, Yerba Buena Terrace, 4th Floor
    • Date: Monday, February 24
    • Time: 7:00 – 9:00 p.m. PT
  2. vArmour Concert Party with Nothing But Thieves
    • Location: The Grand, 520 4th Street, San Francisco, CA 94107
    • Date: Monday, February 24
    • Time: 8:30 p.m. – 12:00 a.m. PT
  3. vArmour + Digital Shadows Security Leaders RSA Party
    • Location: City View at Metreon, 135 4th St #4000, San Francisco, CA 94103, USA
    • Date: Wednesday, February 26
    • Time: 6:00 – 9:00 p.m. PT
  4. Qualys QSC Private Reception
    • Location: Veranda Ballroom on the 5th Floor, Four Seasons Hotel, San Francisco
    • Date: Wednesday, February 26
    • Time: 6:00 – 9:30 p.m. PT
  5. Securosis Disaster Recovery Breakfast
    • Location: Tabletop Tap House, 175 4th St, San Francisco, CA 94103, USA
    • Date: Thursday, February 25
    • Time: 8:00 – 11:00 a.m. PT

Speaking Sessions

  1. Veracode’s Javier Perez Talk on “Time to Spell Out Open Source Software Security”
    • Location: Moscone West, 3022
    • Date: Tuesday, February 25
    • Time: 1:00 – 2:00 p.m. PT
  2. Qualys Security Conference 2020 San Francisco
    • Location: Veranda Ballroom on the 5th Floor, Four Seasons Hotel, San Francisco
    • Date: Tuesday, February 25
    • Time: 8:30 a.m. – 4:00 p.m. PT
  3. Splunk’s Oliver Friedrichs, Jac Noel, and Lee Peterson Talk on “Modernizing the Security Operations Center: A Security Leader Panel”
    • Location: Moscone South
    • Date: Tuesday, February 25
    • Time: 3:40 – 4:30 p.m. PT
  4. Code42’s Talk on “The Insider Threat: You’re Flying Blind”
    • Location: Moscone North Expo
    • Date: Tuesday, February 25
    • Time: 4:20 – 4:50 p.m. PT
  5. One Identity’s Talk on “Security Starts Here…Identity”
    • Location: Moscone South
    • Date: Tuesday, February 25
    • Time: 2:10 – 2:30 p.m. PT
  6. Intel’s Casimir Wierzynski Talk on “Protect Privacy in a Data-Driven World: Privacy-Preserving Machine Learning”
    • Location: Moscone West
    • Date: Tuesday, February 25
    • Time: 1:00 – 1:50 p.m. PT
  7. Intel’s Rahuldeva Ghosh and Dr. Zheng Zhang Talk on “Nowhere to Hide: How HW Telemetry and ML Can Make Life Tough for Exploits”
    • Location: Moscone West
    • Date: Tuesday, February 25
    • Time: 3:40 – 4:30 p.m. PT
  8. Forcepoint’s Homayun Yaqub Talk on “Modern Strategies for Protecting Users and Data in a Borderless World”
    • Location: Moscone South, 207
    • Date: Wednesday, February 26 
    • Time: 2:50 – 3:40 p.m. PT
  9. Veracode’s Chris Wysopal and Jay Jacobs Talk on “8 Million Findings in 1 Year: Fresh Look at the State of Software”
    • Location: Moscone West, 3014
    • Date: Wednesday, February 26
    • Time: 9:30 – 10:00 a.m. PT
  10. SonicWall’s Brook Chelmo Talk on “Mindhunter: My Two-Week Conversation with a Ransomware Cell”
    • Location: Moscone North Expo
    • Date: Wednesday, February 26
    • Time: 10:30 – 11:00 a.m. PT
  11. GitLab’s Cindy Blake Talk on “Best Practices for Adding Security to DevOps”
    • Location: Moscone West
    • Date: Wednesday, February 26
    • Time: 9:20 – 10:10 a.m. PT
  12. GitLab’s Cindy Blake Talk on “How to Harness Dev and Their Native Tools to Accelerate DevSecOps”
    • Location: Moscone West
    • Date: Thursday, February 27
    • Time: 1:30 – 2:20 p.m. PT
  13. Akamai’s Andy Ellis Talk on “20 Years In: Security’s Grand Challenges, Then and Now”
    • Location: Moscone West Street Level
    • Date: Thursday, February 27
    • Time: 10:35 – 10:55 a.m. PT
  14. Illumio’s Talk on “More Powerful Segmentation for More Powerful Threats”
    • Location: Moscone North Expo
    • Date: Thursday, February 27
    • Time: 10:30 – 11:00 a.m. PT
  15. Veracode’s Ryan O’Boyle Talk on “A Security Pro in Developer’s Clothing”
    • Location: Moscone North Expo
    • Date: Thursday, February 27
    • Time: 12:40 – 1:10 p.m. PT
  16. BitSight’s Jake Olcott Talk on “Do Investors Care About Cyber Risk?”
    • Location: Moscone West
    • Date: Thursday, February 27
    • Time: 2:50 – 3:40 p.m. PT
  17. Veracode’s Chris Wysopal and Katie Moussouris Talk on “Coordinated Vulnerability Disclosure – You’ve come a long way baby”
    • Location: Moscone South Esplanade
    • Date: Friday, February 28
    • Time: 8:30 – 9:00 a.m. PT

Approaching Sensitive News Cycles Without Guns Blazing

Today’s media landscape can be an intimidating place. With top headlines touting sensitive topics like geopolitical warfare, the 2020 U.S. Presidential election, and industry competition, it’s easy to see why many organizations shy away from entering the conversation. But not all sensitive subjects need to be scary to broach from a communications perspective. 

In fact, our security practice recently had noteworthy success inserting commentary from clients into the media conversation surrounding Iran’s speculated cyber warfare retaliation on the U.S., following the death of a prominent Iranian military general – an incredibly sensitive topic by all accounts. By leveraging forward-thinking insights surrounding the news cycle, the Highwire team was able to strategically secure coverage in publications like Fortune, AP, Recode, The Hill and Financial Times that positioned subject matter experts as industry thought leaders.

Taking a deeper look at best practices when it comes to approaching sensitive subjects, here are a few of our tried and true tips and tricks for dipping your toes in the contentious media landscape without being too controversial.

Play to Your Strengths

In order to craft compelling commentary, you need to first identify your company’s tie to the story at hand. Inevitably, there will be hundreds of other companies that are attempting to connect their thoughts to the exact same story. Pinpoint a way that you can offer a unique perspective to cut through the noise.

There are many ways to do this. One example is playing up the thought leader’s background and how it makes him or her an expert on the topic at hand. In the recent Iran cyber threat news cycle, we leveraged a spokesperson’s involvement with the House of Representatives Homeland Security Committee to establish authority on the topic, which led to a briefing and coverage in The Hill. 

Another approach is to take advantage of specific technology considerations and news elements at play. For example, one of the biggest concerns in the Iran-U.S. cyber tension story was phishing and other social engineering tactics being used against government employees – a media and thought leadership gold mine for any phishing expert! 

Leveraging relationships with influential media who know your business and respect your brand is also key. Many times, coverage is earned as a result of an ongoing relationship with a reporter. If you’re apprehensive about getting your message out there, run it by a reporter that you trust before disseminating your message widely.

Compelling Commentary Doesn’t Need to be Negative

Part of the reason our clients had such success in securing placements around the Iranian cyber warfare news cycle was that we were able to work with them to strategically craft commentary that was compelling without inciting fear, uncertainty or doubt.

Often, when clients are apprehensive about commenting on sensitive stories, it is because of a preconception that compelling commentary needs to be negative and controversial. This is not true. 

The best way to get involved in a story is to provide a unique perspective (as mentioned above) and offer a solution to the problem at hand. With this news cycle, we were able to leverage executive commentary that was forward-thinking and offered a suggested outcome based on expertise and insights that had been gained from witnessing similar incidents play out in the past. 

Don’t Force it if it Doesn’t Fit

With all that being said, perhaps most importantly, you should never feel like you have to comment on a topic if it’s not a fit. Journalists are looking for sources that have a direct tie to the story at hand and who add a new point of view to the discussion. If the expertise and connection to the story are a stretch and your spokespeople are simply sharing more of the same thoughts as other sources, it’s best to sit the news cycle out. 

Uncertainty can be a scary place, but so is inaction. We find that some of our most compelling results are gleaned as a result of proactive outreach, or outreach that would not have occurred unless inspired by a direct tie to a story or reporter or news cycle – and that’s regardless of industry. 

Anything else that we missed? Feel free to let us know at secleads@highwirepr.com, and let us know if you’re attending RSA! We’d love to connect with you.

‘The Most Wonderful Time of the Year’ Has Arrived for Cybersecurity Holiday Readiness Campaigns

The online retail market is flush with cash – just last year between Thanksgiving and Christmas, U.S. consumers spent a record $850 billion, and sales are expected to exceed $1.1 trillion this year. This stat not only makes a consumer say “wow”; it’s also the perfect “pitch ammo” for a PR pro to use to hook a journalist when conducting a holiday readiness campaign. 

We all want to land on the “nice list” for our clients and reporters, so here are 3 tips you can use to get in the holiday spirit when executing your media strategy this year and developing a plan for next season. 

  • Don’t fa-la-la behind (start outreach early!)

Lots of PR pros want to wait until peak holiday season to get outreach underway to reporters, but it’s likely too late. The trick is to get ahead of the game and start pitching your ideal storylines in early October and continue to spin new angles and follow up with reporters into the new year. This is also prime time to capitalize on your clients’ vertical business units or marketing objectives. Reason being? Think of the various “milestones” cybercriminals capitalize on throughout the core holiday months — Black Friday, Cyber Monday, holiday exchanges/returns, etc. They all tie to a vertical industry in some way (retail, financial services, etc.). Toss your stale security pitches and think outside the box — “leverage the knowns” as a client once told me. These are the news hooks reporters write about every year, so it’s up to us to think of fresh ways to tell the story.

  • …But, yule be sorry if you pitch something “just to pitch”

Poll a handful of reporters with different beats and they will all agree on one thing — don’t force-feed a story. That doesn’t mean you can’t get creative in how you approach your pitch or angle (this is encouraged — especially with verticals!), but bear in mind that there has to be some tie to the holiday season that a reporter and their audience can bite on beyond just security. Maybe it’s a new cyber attack method that’s ramping up during the holidays that retailers don’t know about (looking at you, credential stuffing) or a best practices approach for authorizing holiday contractors in financial services. The key here is to push boundaries and be creative, but also be ready to admit if it’s likely too big of a stretch. Being vulnerable (and opening with honesty) to a reporter puts you in a better position to build an authentic relationship and could potentially be the deciding factor on whether or not they would go for the story. Remember, don’t be a Scrooge!

  • Sleigh the campaign by leveraging timely research

The holidays present a great opportunity for your client to tap their research team for new threat insights that may hit one of their verticals particularly hard during the holidays. Retail always comes to mind, but I challenge you to think of others. For example, cybercriminals treat tax season (which begins in January) as open season for phishing campaigns. Suddenly your retail angle becomes financial services and research insights tied to phishing could be the golden ticket to your “holiday” feature.

Now, only ~10 months until we get to do it again and tackle 2021 holiday readiness! 

How Regulatory Fines Became the New Normal in 2019

2019 was a landmark year for regulation in technology. We celebrated the one-year anniversary of EU-based GDPR in May, the approval of the California Consumer Privacy Act (CCPA) in October (which will officially go into effect on Jan 1, 2020), and saw the emergence of several global regulatory watchdogs. All of this culminated in a record-breaking number of regulatory infringement fines for tech companies that failed to prioritize the rights and privacy of consumers in 2019. And the bad news is, if companies don’t begin to get serious about privacy and data security issues in 2020, that number is only going to go up. 

A Timeline of Unfortunate Events 

The regulatory year started off with a bang when, in January, the French data protection authority (CNIL) announced it was fining Google nearly $57 million for failing to properly disclose to users how their data was being collected across Google’s services. At the time, the penalty marked the largest privacy violation to date under GDPR, appearing only seven months after the law had gone into effect.

In March, Google faced regulation violations yet again, this time a $1.7 billion fine on charges that Google’s advertising practices violated antitrust laws in Europe. European watchdogs noted that Google had violated antitrust rules by imposing unfair terms on companies that used its search bar on their websites in the region.

Then came July, a busy month for privacy regulators. Facebook faced a record-breaking $5 billion fine as part of a settlement with the FTC – the largest penalty ever imposed on a company for violating consumers’ privacy rights. As a part of its settlement with the FTC, Facebook also agreed to adopt new protections for the data users share on the network. Around the same time, Facebook separately agreed to pay $100 million to settle data misuse charges brought by the SEC. Talk about a rough 30 days. 

Additionally, British Airways faced a $230 million GDPR fine for its 2018 data breach, which affected 500,000 customers. Similarly, Marriott was slapped with a $123 million fine for its data breach in 2018, which saw 383 million guest records and 18.5 million encrypted passport numbers stolen. Later in July, Equifax agreed to pay $575 million as a part of a global settlement with the FTC, following the credit reporting company’s data breach in 2017. The breach affected approximately 147 million people due to Equifax’s failure to take necessary precautions to secure its network. 

Finally, in September, Google-owned YouTube was fined $170 million by the FTC to settle accusations that the platform had illegally collected personal information about children without their parents’ consent. The settlement required Google and YouTube to pay $136 million to the FTC and $34 million to New York for allegedly violating the Children’s Online Privacy Protection Act (COPPA) Rule.

Less Than Fine

As technology and tech giants have continued to advance and expand at an unprecedented scale, we witnessed a critical third party enter into the business/consumer interaction in 2019 – the regulators. Established not only to prioritize the rights of consumers but also to manage the reach of tech giants, global regulators and watchdogs established themselves in 2019 as protectors of the people, defenders of data democracy, and forces to be reckoned with in the tech world. 

So what will 2020 hold for all three parties? No one can be quite certain yet. But what we can expect is that the watchdogs will continue to advocate for transparent data management practices, honest and timely breach disclosures, and increased data privacy regulation, whether tech companies decide to comply or not. We can expect that the CCPA will mark only the start of data privacy legislation in the US, and that the rest of the world will likely begin to follow along the path GDPR has set by adopting legislation of their own. Countries like Brazil, Australia, Japan, South Korea, and Thailand are already doing so.