#HWCyberSquad is ready for Black Hat 2019… Are You?

As Black Hat USA 2019 draws ever closer, so does the anticipation and excitement for over 19,000 security professionals who call one of the nation’s largest cybersecurity summits a second home.

Always promising and delivering the latest and greatest on threat research, malware and all things cybersecurity, Black Hat has grown significantly over the years, becoming a venue for some of the greatest minds from the world’s foremost cybersecurity organizations to convene and discuss the state of global security, technology and research. 

What We’re Looking Forward To

Def Con, a hacker conversation, featuring former L0pht members, including Veracode’s CTO Chris Wysopal

This year’s event, focusing on DevSecOps, nation-state attacks, vulnerabilities, open-source and more, promises to be bigger and better than ever. 

“Black Hat received an incredibly large number of submissions for this year’s event,” said Heather Donner, Black Hat PR Manager. “This year we will see themes covering the full security spectrum, spanning voting technology, auto vulnerabilities, research on WhatsApp, and major mobile talks. We’re also expecting to see a focus on privacy and consumer risks emerge as a key trend this year.”

A few of our clients weighed in on what they’re expecting to see more of as well:

“The security industry has seen many significant shifts this year – most notably through accelerating industry consolidation which has come to reshape the SOC as we know it. For us, this started with Splunk’s acquisition of Phantom last year, and has continued with a number of acquisitions affecting the SIEM and SOAR market across the landscape,” said Haiyan Song, SVP and GM of Security Markets at Splunk. “I’m always fascinated to hear more from customers and partners on how recent market acquisitions are affecting the rate of product innovation, how analytics-driven security is enabling a new kind of data management, how automation is making people more effective and productive, and how unknown data – or as we call it at Splunk, ‘dark data’ – is impacting privacy, legislation, and in the end how organizations grapple with security.”

“The professions of software development and information security are overlapping more than they ever have before and the trend is accelerating,” explained Chris Wysopal, Veracode CTO and co-founder. “There have always been software companies that have built security products, but this isn’t about that. This is about software developers performing traditional security practices and security professionals building software to secure their organizations.”

“The way businesses use technology has changed dramatically in the last 15 years,” Wysopal continued. “Enterprises are not simply deploying, configuring, and securing vendor produced software. Enterprises are building their own solutions using software assembled from open source, code from their own massive development teams, and run on the APIs and services of cloud providers. Security has to be integrated into every step of the building process and not just assessed at the end. After all, development is continuous now so there is no end!”

What’s New This Year

Always new and always evolving, we asked our Black Hat expert, Heather Donner, what new offerings and programs this year’s Black Hat has in store.

“We’ve added exciting new features and programs to this year’s event to give attendees the opportunity to gain hands-on experience working with new tools and practicing new techniques,” Donner noted. “Attendees can check out the all-new Arsenal Lab, which provides a unique opportunity to play with hardware, ICS gear, and IoT devices in a controlled environment, as well as the first-ever Micro Summits, which are designed to foster education and collaboration on focused topics in the information security industry.”

With the added emphasis on interaction and education at this year’s event, we’re more excited than ever to see what talks from Akamai, BitSight, Endgame, Forcepoint, Intel, Qualys, Splunk, and more will bring, and what thought-provoking insights we take away.

We’re ready for Black Hat 2019… are you?

Let us know if you’d like to connect with Highwire PR at the show! Contact secleads@highwirepr.com for more details.

Analyst Trade Shows Stand Out in an Increasingly Digital World

For all the talk about marketing’s digital transformation, a heck of a lot of people are still attending physical trade shows. More than 42K attended the largest B2B security show, RSA Conference, in March 2019. More than 180K were in Las Vegas in January 2018 for CES, the massive consumer electronics show.

Many years ago, I believed that trade show popularity followed an inverted arc curve. At the apex of the curve – when a given show reached the peak of its popularity – is marketing saturation. Attendees would realize that a given show’s vendors all said the same thing, or, even worse, that the only people attending were non-practitioners. The show’s popularity would then see a precipitous decline.

My theory is easily disproved, given the longevity of certain shows I have attended for the majority of my career. But also disproven is a belief conditioned deep in my mind that the importance of physical trade shows will ultimately wane, given 1:1 marketing and the internet.

In truth, the concept of the trade show is amorphous and resilient. Alongside horizontal trade shows, such as CES, are a variety of other types of shows, such as user conferences. They commence as gatherings of peers to learn best practices for a specific solution but morph into living, breathing communities of their own.

A similar morphing might be underway among events run by industry analyst firms, which often prove to be wise investments by my clients. Incorporating industry analyst trade shows into a marketing mix is important for any B2B technology company, as long as those companies ponder a few key questions:

What’s the objective of your attendance? For companies interested in branding, a larger horizontal show exposes you to a wide audience. Sponsoring trade show happenings, such as receptions or parties, creates buzz. Vertical and industry-analyst-driven events are more precise in their audience, and they should be considered if the objective is equally narrow, such as driving customer acquisition.

One reason for attending an industry analyst event is to earn an audience with the analysts themselves. Regular communication with them is key to understanding the conditioning of the market and to teaching the analysts why a given solution is ideal for where an industry is headed.

What is the target audience for the organization running the event? Certainly it’s important to know who is attending a given show, but a better way to look at this is to evaluate the audience that the show’s organizers care about. The more zeroed-in an organizer is on a target audience, the more zeroed-in that organization’s event is on that audience.

Evaluating the audiences an analyst firm cares about is not hard—simply review published research. However, organizations sometimes are misled by the credibility of a given firm and blindly sign up for that firm’s events, even if the firm doesn’t write for the correct end-user audience and has not defined a research area for those users. Most analyst firms place tech vendors in categories; if a given firm doesn’t have a category for you, it’s probably a wasted investment to attend that firm’s events.

Are there desirable outcomes beyond visibility and high-level lead generation? The right analyst trade shows gather a targeted list of influencers that matter to marketing efforts. Today’s digital world presents wide-ranging opportunities to leverage them.

Influencer dinners during the events are an informal setting to discuss trends. If they are positioned as such they have long-tail benefits. Dinner guests are more likely in the future to engage with the host’s content, act as a reference for marketing campaigns, or, obviously, mention the company in online comments or stories.

On-site social efforts by an exhibitor demonstrate that company’s commitment to the target audience. Visuals and short YouTube-quality videos from the events drive better engagement numbers than general thought leadership content.

Physical trade shows remain an important part of an organization’s marketing mix. And increasing the investment in shows run by analysts can deliver a nice return, as long as the audience and potential impact of such an investment are carefully weighed.

Setting the National Agenda on Privacy & Policy

When we think about cybersecurity today, the first thing that comes to mind for many of us is privacy. So far, setting the national agenda on the topic has been a tumultuous and inconsistent journey but as we’re witnessing more data breaches and more infringements on user privacy than ever before, the concept of trust and the need for data governance is pertinent now more than ever.

We’ve seen the US government make strides toward more regulated and responsible data usage, and we’ve seen other regions globally implement strategies to combat data misuse – for example, the EU’s implementation of GDPR, which took place close to a year ago, has been met with some praise. However, it seems that as a country – and as an ever-evolving group of consumers and technology advocates – the US has yet to determine who will set the standard for the future of privacy, and how.

What we have seen so far

Most recently, we have been drawn into the back-and-forth between businesses and legislators over what data usage and transparency among consumers will look like in the state of California, via the California Consumer Privacy Act. The Act, which was signed into law in June and will go into effect in 2020, essentially gives residents of California the right to know what data businesses collect about them, why those businesses collect that information, and allows the resident to request businesses delete any information about them. It also gives individuals the right to opt out of having their personal information shared or sold. This obviously poses a massive roadblock for organizations who use user data to determine business decisions, marketing value, and more in the world of data currency.

In fact, approximately 76 percent of IT leaders globally agree that “the organization that has the most data is going to win”, according to a recent report on the state of data from one of our clients, Splunk. Essentially, data is big money these days, which isn’t all too comforting to the consumer.

Role models in the world of policy

As we had mentioned previously, although the US is still experimenting with how we’re going to approach privacy legislation, the EU has been operating with GDPR in place for nearly a year now. Although we’ve already witnessed several tech giants bear the brunt of this new reality (Google was fined a whopping $57 million for its GDPR violations), we’ve also seen immense benefits and substantial praise for this new law.

Should the US consider implementing new legislation like GDPR? Possibly – it’s particularly worth considering if your organization deals with processing personal data for anyone in the EU, notes our client BitSight. But the US is taking steps to create its own policy roadmap, and we’ve seen states like Massachusetts, New Mexico, New York, Utah and Washington already begin to weigh in on their own versions of data protection legislation similar to the CCPA and GDPR.

What this all means

Essentially, what we are getting at is that the future of privacy and policy is still very much to be determined. Outlined below are a couple of articles we believe are worth reading, to catch you up on the latest regarding data policy – if you haven’t already been following along. Take a look, let us know what you think, or better yet, weigh in on the conversation with your state representatives.

Here at Highwire, we believe everyone has a voice and everyone has a story. It just so happens that as the story surrounding data legislation in the US and abroad continues to unfold, we have a unique opportunity to get involved in the conversation. Let us know what you think.

RSA Day 3: The security industry’s dark secret takes center stage

Thursday’s opening keynote addressed an issue that has become front and center for the security industry over the last year—mental health.

Last August at Black Hat was the first time a specific conference track had been dedicated to the infosec community to present on stress, burnout and mental health. Fortunately, that has carried over to RSA which featured a stimulating conversation between Josh Corman of I am the Cavalry and Christina Maslach, a Professor of Psychology (Emerita) and a Researcher at the Healthy Workplaces Center at the University of California, Berkeley.

As Maslach stated, Silicon Valley has always encouraged and rewarded burnout. In the ’90s during the dot-com boom, it was seen as a badge of honor to work for days on end and sleep (when you could) underneath your desk. You would do this for a couple of years with the reward being some sick stock options.

Workforce shortage exacerbates burnout

The skills shortage in the cyber industry has been a common topic for years now, and most vendors use it as a talking point by claiming their AI/ML-infused products will augment this issue. This skills shortage has another effect, though: increasing the chance of burnout.

As Maslach mentioned to Corman on stage, it’s hard not to react to every single little sound or vibration, whether it comes from our phone or computer. However, that is just an everyday human problem; now think about this in the context of a security operations engineer.

Organizations typically use dozens of different tools on a daily basis—CSO reported in 2016 that the average company uses 75. I installed a Google Calendar extension into Slack this week and am overwhelmed just from those notifications; it’s hard to picture that x75.

Culture and managerial structure can be a differentiator

I particularly enjoyed Corman’s personal anecdotes from his infosec career and how different managerial structures and company culture can either help combat or unintentionally encourage burnout.

Companies should be mindful that certain managerial decisions or even reward systems can directly contribute to burnout. Organizations that ask all members for feedback on ways to treat each other better can help be proactive, given that our resources are people and, as stated previously, those are already in short supply.

Incident responders are the digital equivalent of first responders in the medical field. At times we have to hold secrets about our work which can add additional stress. Unfortunately, there are times when coworkers are showing signs of burnout and instead of empathy and compassion they are called weak and told they aren’t cut out for the industry.

Stay in your lane

It was refreshing to listen to Corman and Maslach given earlier drama this week as SOAR upstart, Swimlane, attempted a tone-deaf stunt that backfired as RSA banned the vendor from the conference at Moscone.

Swimlane staged a fake protest to promote its product which relies heavily on automation and positioned itself as helping combat analyst burnout and stress. (See a picture of the protest from Tom’s Guide security editor, Paul Wagenseil.)

To make matters worse, Swimlane issued a press release claiming it was wronged by RSA. Whatever buzz they hoped to generate at the show ended up rubbing many the wrong way.

I for one enjoyed my time with the adoptable puppies at the ThreatQuotient booth. This was a cuddlier and friendlier way to generate attention at a packed Moscone Center rather than playing the victim after making light of mental health to promote a product.

Building a safe and inclusive infosec community

At the end of the day we’re going to get the culture we invest in and it’s important to work for an organization that encourages feedback and ideas from every member.

During a conversation with a data scientist colleague this week he remarked, “the greatest minds of our generation are trying to get people to click on ads.” This was top of mind as I took in Thursday’s keynote.

While it won’t happen overnight, hopefully raising the issue of mental health in our industry and fostering an inclusive and safe environment can counteract the very people who are trying to make us more glued to our screens.

RSA Day 2: Getting More Involved in the Cyber Issues that Matter

While yesterday’s RSA keynotes highlighted the need for increased trust and transparency in cybersecurity, today’s discussions were all centered around how to make those changes a reality – starting with getting individuals more involved in the issues that matter.

Calls for Comprehensive Legislation

Harvard Kennedy School’s Bruce Schneier kicked off the conversation by discussing how technologists can get more involved in impacting cybersecurity legislation. While the internet has developed exponentially since its creation, legislation surrounding it has not. Schneier stressed that this needs to be changed and it needs to start with people who understand the technologies dominating the security landscape on both sides of the battlefield.

He touched on current cybersecurity regulations like the EU’s implementation of GDPR, Australia’s implementation of legislation that enables law enforcement to access encrypted data upon request, and how the U.S. can start getting more involved in the conversation. The takeaway? If we want technology to continue to grow and expand in a way that is going to be beneficial, we have to get it under control. And the best way to ensure its longevity is by getting the people who know it best more involved.

Power to the People

Microsoft’s Corporate VP of the Cybersecurity Solutions Group, Ann Johnson, also used her time to discuss the more human aspects of the industry – namely noting how expanding the cyber workforce and increasing its diversity will be the best way to propel the technology behind it. She emphasized that work in cybersecurity can be the most rewarding, yet the most taxing. This could explain both the exceptionally high stress rate among industry professionals and the three million job openings still vacant within cybersecurity organizations.

Johnson encouraged organizations to prioritize a diverse workforce and to foster more positive atmospheres. She discussed how these steps can boost employee retention and provide variety in organizational approaches to issues. She also noted that more diverse teams make better decisions 87% of the time. Johnson highlighted how work in technology and cybersecurity, in particular, is beginning to change. As today’s tools become more capable of alleviating some of the responsibility formerly held by human counterparts, professionals are starting to explore new avenues in the field. “Tech is amplifying our human capacity to separate the humans from the noise,” Johnson said.

Combining Tech and Human Intelligence

Facebook’s Head of Cyber Security, Nathaniel Gleicher, and Twitter’s VP of Trust and Safety, Del Harvey, also discussed the necessary partnership between tech and human responsibility, which together allows platforms to better differentiate between human and non-human interference and determine next steps accordingly. They each discussed some of the sensitivities that both platforms face when regulating user content, most notably how to differentiate technical interference from legitimate content so as not to violate users’ First Amendment rights. But both individuals noted that as technology continues to advance, the lines between technology and legislation continue to blur.

Overall, day two of RSA highlighted the incredible contrast between just how far technology and cybersecurity have come, and how much farther the industry and legislation behind it must advance in order to keep it as reliable and benevolent as possible. But if today’s speakers emphasized anything, it was that change is never quite as far away as it seems – in fact, it is already taking place and it is starting with security technologists like you and me.

RSA Day 1: Takeaways from the #HWCyberSquad

Last year we saw major data breaches monopolize the headlines, while privacy issues became top policy discussion items. 2018 was the year that trust was lost.

The 2019 RSA Conference theme “better” was broken down in this morning’s opening keynotes with the idea of trust in mind as the security community comes together to grapple with these major issues. The keynotes outlined three steps in order to achieve better trust in the future.  

Risk and Trust can Coexist

The first step in building trust within security is recognizing that risk and trust can coexist. Software has increasingly integrated into all aspects of our lives, and with that, data consumption has also increased, creating a high cyber risk environment.

By focusing on risk management and recognizing its prevalence, security teams will begin to gain that trust back. We are seeing this addressed by technologies being created with risk management integrations. New technologies are now ensuring some form of risk management or mitigation options. Along with these integrations, policies are also starting to emerge to support risk management and ultimately ensure trust in a high-risk landscape.

Man and Machine Need to Work Together

The second step is recognizing that if people work closely with machines we will produce the most trusted security. When AI was first introduced to the security world, many people worried that machines would take over jobs, because they could quickly and efficiently resolve issues or questions. However, we found that although machines could get to an answer quicker than any human, they could not explain how they got there. This broke down the trust in the machine’s ability to verify the security it was providing.

We now know that the best way to build trust in security is for human and machine to work closely together. The technology can then accurately and quickly resolve the issues that the security teams identify and ask it to address.

Creating a Chain of Trust

The final step is to build a chain of trust. Having security teams work and communicate together will be the best way to achieve the most trusted results. In the past, security teams worked in the background and only shared insight and data with a closed group of peers. However, this culture has already seen a major shift. There have even been infosec sharing companies created with the sole purpose of sharing insight and data to help others better protect and secure data.

Businesses are learning from this and evolving the chain of trust to also reach consumers by keeping them informed of what data they have collected on each person and what it is being used for.

Moving into 2019, the security industry is already taking major steps forward in regaining trust in what they’re capable of to achieve a better future.

Check back tomorrow for the next blog in this series live from RSA.

The #HWCyberSquad Recommends These Five Security Events in 2019

As one of the biggest security conferences of the year draws closer, the #HWCyberSquad decided to examine other key cybersecurity events that are of value from both a networking and PR perspective. With so much noise around RSA and Black Hat, smaller events are becoming increasingly valuable in publicizing research and for networking with influential contacts in both media and security.

Highwire’s own Ben Wolfson chatted with several notable security influencers from Ars Technica, VICE, Motherboard, WIRED and VirusBulletin on their experiences at some of the lesser-known, but rising-in-influence conferences.

CyberWarCon [inaugural conference was held on Nov. 28, 2018, TBD on 2019 edition]

CyberWarCon kicked off its inaugural conference as a one-day, single-track event in DC in November of last year. Organized by FireEye’s John Hultquist, the content was geared around nation-state topics, ICS cybersecurity and cyber policy debates.

It featured a keynote from Thomas Rid and a compelling debate on U.S. cyber deterrence operations featuring Jason Healey and Neil Jenkins. Both Wired’s Lily Newman and Wall Street Journal’s Dustin Volz voiced their enjoyment of the event. The show generated a lot of engagement on infosec Twitter accounts with other DC-area security reporters in attendance along with many practitioners and incident responders.

DerbyCon [Sept. 20 – 22, 2019]

DerbyCon celebrated its eighth iteration this October. The Louisville-based conference has an elite attendee profile comprised of recognized practitioners and more technical security media. According to national security editor at Ars Technica, Sean Gallagher, “media that attend DerbyCon are hardcore security people – [there are a] small number of reporters there [that are] deep in the industry. Outside of DEFCON, [it’s] probably one of the more well-known hacker conferences with high-quality content.”

The content is extremely technical and now gets over 1,000 attendees. From a PR standpoint, many speakers attend to workshop and present material they hope to submit to DEF CON later in the year. Key takeaway: This conference is of high value to network and learn. Note: Founder Dave Kennedy recently announced the September 2019 show will mark the last edition of DerbyCon.

HOPE — Hackers on Planet Earth [July 20-23, 2018; TBD for next edition]

Typically a bi-annual event held in Manhattan, the content and attendees are very much in line with the cyberpunk movement. Topics that are popular include internet free speech/regulation, encryption, privacy and more. While this might not be an event to recommend your client participate in, it is a great one to meet reporters on-site and attend as a PR practitioner.

According to VICE Motherboard’s cybersecurity reporter, Lorenzo Franceschi-Bicchierai, “the audience is more activists and political than other conferences. Talks are less research driven and are more political. There are some interesting talks but totally different style than Black Hat and DEFCON.”

VirusBulletin [Oct. 2-4, 2019]

VirusBulletin is a magazine solely dedicated to the prevention, detection and removal of malware which has an annual conference in late-September or early-October for cybersecurity pros. The location changes each year (2018 edition was in Montreal) making it a global conference, albeit more expensive to travel to. The speakers and attendees are often the who’s who of security researchers with the majority of influential security companies represented.

Lily Newman, cybersecurity reporter at WIRED, attended this year’s event and confirmed the crowd is largely researcher focused, but not academic like USENIX. It’s one she felt was very valuable and hopes to attend again. According to VirusBulletin editor, Martijn Grooten, “Virus Bulletin is the main event where researchers and others working in threat intelligence get together to discuss the latest threats and the tools to detect and analyze them.”

ShmooCon [Jan. 18-20, 2019]

ShmooCon has rocketed in popularity over the last few years and with 2,200 attendees at January’s event, it’s difficult to get in. From a PR standpoint, you’re unlikely to get a ticket unless you work with a sponsor company. Shmoo, along with DerbyCon, functions as a workshop for practitioners to present material they hope will be accepted at DEFCON. This is an intimate venue and conference and that works to your advantage by providing direct access to practitioners and media. Given its location in DC there is usually a strong mix of media that attend — if your client is presenting it’s an opportunity to set up 1:1 reporter meetings.

Sean Gallagher is a huge fan and frequent attendee of Shmoo. He enjoys it as it’s a lower paying threshold for people to attend and the audience is all security practitioners, meaning a lot of sources to network with. Given the location in DC, ShmooCon still has a good audience mix of students, government agency and vendor practitioners.

For 2019, look at these shows if you want to learn something new or take advantage of the locale to set up media briefings. And if you’re headed to RSA 2019, Highwire’s security practice will be there so reach us at secleads@highwirepr.com if you want to catch up!

#HWCyberSquad Named “PR Team of the Year” by Info Security Product Guide

Highwire’s security practice (#HWCyberSquad) was recognized as the Public Relations Team of the Year by the 15th Annual 2019 Info Security PG’s Global Excellence Awards, and as the leader of this tenacious group, I could not be more honored and proud of our team!

Over the years, our cybersecurity practice has expanded and evolved, becoming a core component of Highwire’s diverse client base. We work with innovative global brands who are tackling the cybersecurity problem from different angles — from applying AI to emerging threats, to creating new categories around human-centric security and bridging relationships between security and DevOps, we have deep experience that runs the security gamut.

Our team has been responsible for driving multi-faceted integrated PR campaigns, leveraging social media to amplify earned and owned content with paid promotion, and developing meaningful relationships with top-tier media in the security space for the better part of its past 10 years as an agency. To be recognized and rewarded for our hard work means so much to our team, and further exemplifies our belief in the work and effort that we are putting in every day to elevate our clients’ stories.

The Global Excellence Awards, compiled by the industry leader in information security research – Info Security Program Guide, recognize cybersecurity programs and information technology solutions with innovative products, solutions, and services that are setting the bar higher for others in all areas of security and tech.

In addition to recognizing Highwire for its work in the industry, we are proud to share that this year’s Global Excellence Awards also recognized five of our outstanding clients for their ground-breaking work in security, including:

  • Akamai was recognized as a Grand Trophy Winner, a gold winner for both Enterprise Secure Access and Security Products and Solutions for Retail of the year; a silver winner for Innovation in Enterprise Security, DDoS Mitigation, Security Products and Solutions for Media and Entertainment, and best overall Security Company of the Year; and a bronze winner for White Paper or Research Report of the year.
  • Code42 was recognized as the Security Products and Solutions for Enterprise winner of the year.
  • Darktrace was recognized as a gold winner in cloud security, and Industrial Control Systems (ICS) and SCADA; a silver winner for Cyber Security Vendor Achievement of the Year, for its launch of the first ever autonomous response technology to neutralize cyber-attacks; and was recognized as the Best Overall Security Company of the Year.
  • Infoblox was recognized as the New Products and Services winner of the year, for the Infoblox ActiveTrust Suite; and a bronze winner for Best Deployments in U.S.A.
  • Ixia was recognized as a silver winner for Best Security Hardware Product (New or Updated version), for Vision ONE with Active SSL; and a gold winner for Cyber Security Vendor Achievement of the Year, for serving as an integral addition to Keysight’s continued industry leadership.

As a security practice, we could not be more proud to work with the people that we do, day in and day out. Our teams and our clients are an exceptional group, and as demonstrated above, are certainly doing more than their fair share to pave the way for the future of an industry that evolves and advances quicker than most. For this award, and for our team, our clients and to work in the industry that we do every day, we are incredibly grateful. Here’s to seeing what the next year has in store.

What the RSA 2019 Speaker Submissions Tell us About Security Trendlines

The RSA Conference in the U.S. has maintained its stance as one of the most popular events in security since its founding in 1991. In 2018, RSA welcomed approximately 50,000 attendees.

While many attendees have griped about how corporate the show floor has become, the keynotes and speaker presentations continue to draw some of the industry’s most forward-thinking leaders on a broad range of topics.

This year, representatives from the committee that selects RSA sessions hosted a podcast where they identified the most popular topics submitted for each track and what they predict to be the 2019 industry trends as a result. Highwire’s #CyberSquad listened in and summed up the key points, which we expect to closely mirror 2019 media trends. Read on for the skinny:

Hackers and Threats Track: DevSecOps to Become Mainstream

This year RSA added a new speaking track called Hackers and Threats to meet a more technical audience that’s focused on live demos and/or code dissection. There are two popular session topics for this track: the Internet of Things (IoT), and AI and ML. For IoT, the focus is on how security teams can maintain security with the increasing amount of data coming in from multiple devices. For AI and ML, these sessions tie to tactical ways that businesses can leverage these capabilities while also breaking down how adversaries are working just as quickly to create techniques to subvert them. The main message throughout all the speaking sessions in this track is DevSecOps. This is a term the industry will see taking over headlines in the years to come as security teams prove how successful this approach is in ensuring agility, automation, and scalability.

Emerging Threats Track: Ransomware Maintains Popularity Over Cryptojacking

Cryptojacking took over headlines throughout 2018 as a newly publicized form of attack whereby a bad actor gains unauthorized access to someone’s computer to mine for cryptocurrency like bitcoin. However, recent research revealed that despite the attention, cryptojacking does not have a very high return on investment, with popular websites only making $119-340 per day. So, while cryptojacking will continue to be a focus in the media, due mainly to its newness and ties to organized crime, ransomware will maintain its popularity with cybercriminals and media focus on successful attacks because of its increasingly high earnings – a $2B industry in 2018.

Blockchain and Applied Crypto Track: Blockchain for Good

Blockchain has continuously been a buzzword in the security industry, although the conversations around it have started to shift from a magical unicorn to a tool that organizations are working to understand so they can leverage it for their own security practices. In the Blockchain and Applied Crypto track, leveraging blockchain for good prevailed as the most popular track topic. Moving into 2019, as more companies across industries learn how to create a blockchain system applicable to their security ecosystem, we’ll begin to see a rebranding of this technology toward protection for all.

Security Strategy and Architecture Track: Zero Trust in Third Parties

Organizations face one of their biggest challenges when securing their trust with third-party partners – the grey area between a trusted company employee and an obvious outsider threat. In this year’s Security Strategy and Architecture track, the majority of speaking sessions focus on dealing with this challenge and defining Zero Trust. In order to have a functioning and successful partnership, the access granted to third parties needs to be authorized and monitored. This will continue to be a topic of discussion throughout 2019 as companies look inward at their own third-party trust processes and ensure the proper access for all sensitive data they are storing.

Highwire’s cybersecurity practice will be at the RSA 2019 conference to catch up with our clients, speak with industry influencers on the showroom floor, and learn as much as possible about the latest trends to inform new ideas and storylines in 2019 and beyond.

Want to catch up at the show? Email secleads@highwirepr.com.

The Next 10: Making Your Mark in an Evolving Cybersecurity Comms Landscape

#HWCyberSquad leader Christine Elswick shares insights into creating future cyber leaders

Election hacking. Targeted attacks on our power grid systems. Ransomware debilitating global network infrastructure. Hundreds of millions of passwords stolen from businesses in one fell swoop. This is the reality we face in today’s cyber threat landscape.

The continued onslaught of cyberattacks has essentially made cybersecurity mainstream—and effective and transparent communication in the wake of such a crisis is now a critical skill for any business to have. This evolution has created an opportunity for leading vendors to educate the masses about the critical reality of today’s cyber world. If done right, security companies have the opportunity to become household names within the next 10 years.

But the growing market makes it difficult for a single company to stand out from the crowd. So how can a cybersecurity business differentiate itself, rebuild trust in the age of breach fatigue, and educate the world in the wake of cyber warfare?

In this blog, I’ll walk you through strategic recommendations that will elevate your thought leadership, strengthen relationships with the media that matter, and align with today’s headlines.

Rebuild Trust—We’ve witnessed the expansion of mainstream cybersecurity awareness in everyday society in recent years, as demonstrated through television shows such as Mr. Robot and blockbuster hits like Snowden and Ocean’s 8. As scary as it sounds, cyber interference in the real world has moved out of the realm of science fiction to everyday conversation. Look no further than this year’s midterm elections.

It’s clear that cybersecurity is no longer only for the most technically gifted; it has directly reached the lives of ordinary people. The growth of IoT devices like smart voice assistants or connected door locks means we can’t ignore the threat of cybercriminals to our everyday lives. Further, with Big Tech in the hot seat for its misuse of data, it’s an opportune time for security companies to rebuild trust within the enterprise and beyond.

Security companies need to reach executives outside of the security world now more than ever to raise awareness of what is at stake. We cannot afford to let cybersecurity be a problem for enterprise security teams alone to deal with. This means that cybersecurity communications cannot be limited to trade and industry publications, but must also reach broader audiences.

Integrate Your Comms—One part media relations, three parts press release, and a dash of analyst engagement. Years ago, this was the recipe for PR success. Today, organizations must take an integrated approach to communications. Leveraging digital strategies such as social engagement and influencer marketing alongside “traditional” thought leadership is vital to amplifying a company’s vision and cutting through the industry noise.

On the influencer side of things, journalists writing longer-lead feature stories for publications like The Wall Street Journal and New York Times are increasingly seeking non-vendor sources, looking to prestigious academic institutions, think tanks, current and former government officials and in the case of WSJ Pro Cybersecurity, CISOs at non-tech Fortune 500 companies for perspective. Aligning with these influencers will help strengthen your company’s reputation through thought leadership.

When it comes to social engagement, it’s critical that you establish an authentic voice that aligns with your brand across all channels and leverage this medium to extend the life of your content. In the fast-moving, volatile world that is cybersecurity, speed is also critical. You must be able to move quickly and nimbly to get your company’s voice heard.

Get Creative with Telling Your Story—It’s no secret: the industry is crowded. Just two minutes on the RSA or Black Hat show floor or a look at the latest VC investment headlines will tell you that.

Never has PR been more critical to help the real leaders stand out. But it’s important that companies challenge themselves to be creative with campaigns to break away from the pack. This means showing that the company is more than just a product. It means that thought leadership should be supported by identifying independent thinkers with deliberate, experience-tested philosophies. It means discussing real-world examples (even if anonymized!) of how your technology actually makes an impact and stops cyber attacks in real-time across Fortune 500 businesses. These examples tell a story that pulls the reader in.

Don’t Forget the Fundamentals.

  • The importance of a cyber playbook—There are only two types of companies left in the U.S.: those that have been hacked, and those that don’t know they’ve been hacked. With this in mind, companies must have a crisis plan that will guide them through worst case scenarios. Highwire recommends going as far as involving third parties (who will theoretically support the business in a time of crisis) and reporters as part of the course.
  • Rapid response: Unless a spokesperson has direct knowledge of the incident or previous experience that makes him/her an expert on the particular topic, do not ambulance chase—it only undermines their credibility and frustrates reporters. As public understanding of cybersecurity grows, so too will the demand for thoughtful, nuanced reporting on these incidents. The experts who reporters will turn to the most for their thought leadership are the ones who can offer unique insights and help people understand the real impact, without spreading FUD.
  • Increasing importance of strategic events—A way for executives to talk about real issues and interact with like-minded peers, events have become a crucial medium for the industry. The cybersecurity community is a tight-knit group, so building on those relationships in person is essential to becoming a respected voice in the industry. In recent years, high-profile events such as WSJ.D Live, MIT EmTech and Collision have created dedicated cybersecurity tracks. CNBC and Bloomberg are other top-tier publications placing a heavy emphasis on cybersecurity across their global events, and newer conferences continue to emerge, such as the third annual Aspen Cyber Summit—held for the first time on the West Coast last week. At RSA 2018, Alex Stamos and others launched OURSA to discuss issues not tackled at the larger mainstage conference—diversity & inclusion, privacy & security implications, and ethics of emerging technologies. Watch out for the #HWCyberSquad’s upcoming blog on security events that are becoming strategic opportunities to build relationships and showcase research.
  • Aligning the business to key trends—Tying your business to key trends—both security and non-security related—will be important to elevating the brand and creating a connection to a broader audience. In the next 10 years, topics that will likely continue to be front and center in the news include: all things artificial intelligence and human intelligence; AI-based attacks; data privacy and GDPR; diversity and inclusion; nation-state security and cyber warfare; the economic impact of security on a global scale; IoT and smart cities; consolidation across the security market; quantum computing and much more.

The internet has become a crowded, labyrinthine place to conduct business and share information. There are hundreds of cybersecurity startups emerging every month, each claiming to have the silver bullet for addressing the cyber crisis, and legacy players snatching up smaller ones in order to acquire next-generation capabilities to remain relevant. But intelligent communications is our map to show us the way forward and create an opportunity for the cyber leaders of the future to make their mark.

The true leaders will emerge through compelling storytelling that showcases their impact to a broader audience. The age of cyber war is just beginning and it will create lasting change on the world and the cybersecurity industry over the next 10 years. But one thing is certain: communications will be a critical piece of the puzzle in establishing credibility and trust in these uncertain times.