On press releases and ambulance chasing

2008-02-21

A while back, I remember seeing a sketch by Eddie Izzard. The detail eludes me but roughly speaking it covered the cyclic nature of being cool. One could progress from totally uncool, to slightly cool, to cool, to - put one matchstick in the corner of the mouth - very cool, to - put another matchstick in the other corner - totally uncool again.

So it is with technology-related PR, and nowhere is this more starkly illustrated than in the press releases associated with IT security. I have written about how hard it can be to incite a sometimes apathetic audience into action about very real threats; equally, many IT managers will agree how difficult it can be to get funding for security-related purchases. IT security companies have a vested interest in both of these issues: they are obviously not working altruistically. However, in my experience the majority nonetheless do want to deliver value to their clients.

Such desires may be reflected in IT security PR, which often needs not only to explain what a company does, but also why it matters. Frankly, when a "bad thing" is reported in the media it can be gift for any company that offers products in that area – but what to do when there is no bad news to piggyback on? The answer is to put out awareness-raising press releases, to augment the more standard ‘customer win’, ‘expands in Europe’, ‘new partnership’ fodder. It is here, just as with Eddie Izzard’s sketch, that we find the line which should probably not be crossed.

What are the different kinds of press releases? I would grade them into four categories:

· Best practice activity. A vendor may have put together a set of guidelines explaining how to deal with an issue. While it is a fair assumption that it may reference their product or service, it may also contain some sound advice. Press releases saying that a vendor has documented some best practice are little more than treading water in PR terms, but they are innocuous enough.

· Publicising research findings. A security vendor may conduct a study to highlight the scale of a given problem. This is useful when although the area is known about, there is general complacency that the issue has already been dealt with, or that it only happens to other people. Indeed, this is often the kind of activity that we get called in to help with – anonymous surveys may be the best way to talk about an issue that nobody is supposed to have.

· General awareness raising. These tend to be more educational, to highlight that a problem or threat really does exist. A good example of this would be PR surrounding man in the middle attacks, which are a valid candidate for awareness raising. The only downside is that sometimes such press releases assume the audience knows what is being talked about, which is more than a little counterproductive.

· Publicising specific examples of where things have gone wrong. This is probably the worst kind of awareness raising press release. At best, it draws attention to an example of where the threat has been realised, or malpractice has been found in that, “I told you so,” kind of way. At worst, it can only be construed as ambulance chasing, using some unfortunate soul who has found themselves wanting, and attempting to bask in the reflected publicity.

Don’t get me wrong. In general, I like receiving press releases. I may not read all of them, end to end, but I am not embarrassed to admit that I cannot keep on top of everything that is going on, all the time. So, if I am told about a threat that I did not know existed, nor indeed, a product which in some way can resolve that threat, I can add this to my catalogue of knowledge. Equally, however, I make no bones about the fact that I detest 'ambulance chasing' press releases. While I concede that it can be useful to use such incidents as examples, they should be used as no more than a passing mention to support any of the other kinds of awareness raising. Consider the difference in the following two statements:

· “The HMFE were foolish, and should get their act together,” said Charlie Farley, vice president of security firm Ultrasecurix. “By using technologies such as ours, it would never have happened in the first place.”

· “Ultrasecurix would like to announce the latest iteration of our product. “It has been redesigned from the ground up to deal with the latest generation of threats,” says Charlie Farley. The many features include… which enable comprehensive protection. “Situations such as those am highlighted at the HMFE only serve to highlight how things are changing and the need to stay vigilant.”

OK, the latter requires the company to have actually done something, which should maybe be the prerequisite in the first place. If, however, you feel the need to put out awareness raising press releases, remember the first three kinds before settling on the fourth. The bottom line is, if you can't be constructive and add value in the first few paragraphs, then please don't bother at all.