Interview extracts from the first volume of an oral history of cybersecurity practitioners.
News in cybersecurity tends to focus on either really novel discoveries or very bad failures. In either case it is one’s ability to effectively communicate that determines how facts are interpreted and events are perceived. As the founder of Hi-Touch PR, Danielle Ostrovsky has built a successful track record in the cybersecurity space and knows what it takes to get engineers to stop talking in code and start telling compelling stories.
Your background is in communication, not computer science. How did you find yourself in the cybersecurity space?
Danielle Ostrovsky In 2009, as the recession was in full swing, I moved out to San Francisco. I landed at a firm that dealt with business-to-business relationships and was put on three accounts: Bluecoat Systems; Fortify Software, which got acquired by HP; and PGP Corporation, which got acquired by Symantec. It was a great time to get involved in the industry as the term “cybersecurity” was starting to grow in usage, and President Obama announced that he was going to hire a cyber czar.
What is an average day like for you?
A lot of it is interacting with reporters. Whether it is incoming inquiries or outgoing pitches, I have to really be on top of the news of the day, if not a step ahead, in fact, and detect trends. If there has been a data breach or an attack, understanding who is behind it, what did they accomplish, what does that mean for the company that was breached, other companies in that industry, and ultimately what that means for consumers and customers.
It’s more than just tracking bad news, though. With increased government involvement in the space, issues around standards and regulations and obligations has become a huge factor that needs to be tracked—that organizations have to disclose breaches, all the issues related to data privacy. Those conversations have become a lot more interesting, especially with GDPR. There is a lot you have to pay attention to, not just from a competitive perspective, but in order to effectively communicate your own capabilities and positions. How do we help customers meet these requirements?
Security people tend to focus on technology or methodology. There is a tendency to think that the value of a great solution will be self-evident and fly off the shelves. How do you get clients to stop staring at the screen and start considering how to convince people that they should go with them and not the other guys?
I think the key to success in those situations is empathy … empathy for the founders or engineers … and not necessarily approaching the situation as one of “selling” the product, but rather expounding on how they solve a specific problem and the benefits of their approach. There is also empathy for the pain points of our customers. I find the companies that tend to be the most successful have founders who have been CEOs or CISOs, who understand the day-to-day problems people are facing and can put themselves in their customer’s shoes. I try to frame it has having a conversation, not pushing product, not just because the latter is less effective in general and it puts people off, but it’s easier to get people to talk about their solution in the context of problem solving than a financial transaction.
I find that organizations that don’t have a marketing organization, or disregard their efforts and spend more time and effort on product, really handicap themselves because when it comes time to talk about what they’ve built and why people should be interested, they don’t have a cohesive narrative in place prior to going to market. So, to your point, they may have an elegant solution, but they can’t talk about it in a compelling way, so they tend to lose to inferior solutions, and they express surprise that the very people they’re trying to help don’t engage. They don’t engage because they don’t understand, and you’ve done nothing to address that.
To read the full interview, and learn more about the working lives of a range of security practitioners, order Working in Cybersecurity at Amazon.com.