Cybersecurity represents a $2-trillion market opportunity. It’s recession-resistant, and an increase in the frequency and sophistication of attacks, as well as the regulatory responses, make it an ever more vital aspect of companies’ operations. Yet amidst the market boom and the dizzying array of XDR, EDR, pen testing, and threat intelligence offerings, it’s becoming difficult to stand out. The field is crowded, ad keywords are expensive, and the ability to gain exposure only through paid routes and business development is limited.
The market opportunity and current options to break through the noise make PR in cyber almost a necessity. However, in order for a PR campaign to be successful and expectations to be realistic, cyber companies need to take four key points into consideration:
Consider the newsworthy items and articles already at your disposal
Almost anything COULD potentially be news, and it’s essential to ask yourself the question, “Is this PR worthy?” before something becomes public or is shrugged off by an analyst. Typically, items that could be newsworthy include the following:
- Interesting blogs (not promotional and salesy!) that your content writer is working on can be adapted and pitched.
- Published blogs can be re-worked to fit the format of an opinion article. They definitely need to be re-worked, but can serve as a valuable jumping off point.
- Analyst reports. This one is obvious, but we’ll take you through how to assess what kind of coverage to expect in the next point.
- Analyst observations. Most analysts see a lot of interesting stuff across their platform or on the deep and dark web, but don’t have the bandwidth to turn it into a report.
Decide who to target strategically
If you have an analyst report involving a zero-day vulnerability affecting a large name brand, by all means, swing for the fences and pitch cyber, top tier, and any relevant trade publications (as long as it has been disclosed and patched). However, if it’s technical news like a new threat actor group or new approach, it’s probably only fit for cyber journalists. The right targeting is key because it helps build your reputation as a source for journalists, and if you’re pitching a salesy blog to a top-tier journalist, it will result in the exact opposite — being ignored or blocked.
Here are the general categories to assess what is being pitched:
Top Tier
Zero-day vulnerabilities involving a big brand, breaking news that’s geo-political, involving a big brand, or a major threat actor.
Second Tier
The discovery of a vulnerability that isn’t major in its impact or doesn’t involve a household name brand. An in-depth analysis of a threat actor group or a blog outlining a novel approach or interesting angle.
Third Tier
If you have a checklist for CISOs, a generic blog post on why XDR is needed, or something on the general rise of ransomware attacks, do yourself a favor and don’t try to pitch it out.
Wildcards
An analysis of a threat actor group and some second-tier discoveries might be top-tier. For example, if a minor threat actor group is using Telegram or Discord in a novel way, it could be interesting, or if it’s part of a wider trend. Another consideration is that a company could be big in Spain or Germany and garner no interest in the US, in which case, try contacting local publications or foreign correspondents.
Leverage your company’s PR ‘rockstars’
This tip is helpful for cybersecurity companies at every stage, but it’s essential if the company A) isn’t a threat intelligence company and B) is early stage. Many startups, especially early-stage ones, lack the regular news announcements of their larger peers and don’t have the advantage of being big enough that their CEOs get regular pickup just for giving their opinions. However, many have high-profile advisors and investors who can become media advocates for the company, not just by developing business leads but also by writing opinion pieces about the market the startup is in or the problem the company is solving.
In our own experience, we were able to get solid coverage for an early-stage startup when they had a report, but employing this strategy carved out even more of a significant footprint. Their advisor is a big name in geopolitical cyber circles, and he was enthusiastic to both write an opinion article outlining the issue they are solving for placement with his company title and to be pitched for interviews. The result was a series of highly visible articles, including one that made the front page of a major cyber publication. Investors can also serve as “PR Rockstars” through their name recognition and the fact that they open up different publication possibilities in business and investment.
Set the company apart by becoming a resource via research
Hundreds of pitches will be in an editor’s or journalist’s email inbox at any given time. While offering an opinion or asking for an interview based on a “unique” approach is easily accessible for any company and common to see for journalists, research is not. Putting in the extra effort to conduct a survey of 1,000+ consumers — there are plenty of options whereby the platform gathers responses for approximately $1,000 — or a few cyber executives, and combining it with market research can be highly effective. The approach, combined with companies’ insights, can turn a pitch from an ask into a resource for the journalist and create a newsworthy event that results in multiple articles.
One of the great aspects of creating a research report or whitepaper is that it can be utilized multiple times by marketing teams, becoming gated content, an email marketing campaign, or even a webinar topic. If it works, it can be scaled across additional topics or turned into a yearly or quarterly endeavor that provides predictable coverage that can be built upon with additional efforts to really make the company stand out.