5 Things Every Security PR Pro Should Read

Guest post by Melanie Ensign.

Anyone who’s worked with me knows I have little tolerance for “tech PR” professionals who don’t put in the effort to develop the technical acumen and understanding required to provide honest, informed counsel to engineers or business leaders. Security PR isn’t just another type of crisis comms or product PR; we’re not talking about technology for the sake of convenience or entertainment. Security incidents are so frequent and so varied in severity that static response plans are largely inadequate. Further, I believe security is a human right, and the people element (policy, laws, education) has just as much impact on the safety of everyone online as the technology does, if not more.

This doesn’t mean you need to go rebuild the Internet in your garage to prove you can keep up with the engineers, but at the very least you need to be able to translate complex concepts into simple terms without jargon, and help your teams define, prioritize, and communicate authentic narratives based on technical realities. You can’t do this effectively if you don’t really understand the subject matter.

For those willing to learn, here is a short list of recommended reading materials to get you started (or sharpen your edge).

In no particular order:

1. @ Large, by David Freedman & Charles Mann

This is the true story of a widespread compromise of networks at banks, universities, federal agencies, and a top-secret military weapons-research site. These events took place in the early 90s, before law enforcement knew how to deal with this kind of crime, and yet the story includes many of the issues we still face in securing current systems: interconnectedness between organizations, authentication and user credentials, blurred legal jurisdiction, and Advanced Persistent Threats (APTs). I recommend this book for historical context, because very few things today deserve to be called “sophisticated” or “unprecedented.”

2. Cybersecurity & Cyberwar: What Everyone Needs to Know, by P.W. Singer & Allan Friedman

Some of our most important audiences, including consumers, do not have a background in engineering or security. Knowing how to speak plainly about complex environments is crucial for helping everyone make smart decisions about their own security. This book is not written for technical experts; it’s an excellent case study in how to explain important topics to a non-technical audience in a way that helps them act.

3. Data and Goliath, by Bruce Schneier

Another important resource for historical context. Debates regarding law enforcement and encryption are not new, but perhaps we can learn from our previous mistakes — both on the technical side as well as how we communicate and engage around the issues.

4. Cyber Attacks: Protecting National Infrastructure, by Dr. Ed Amoroso

This book outlines basic principles of computer science and security architecture that often get lost in the hype of “next-gen” security technology: deception, separation, diversity, commonality, depth, discretion, collection, correlation, awareness, and response. Better attention to infrastructure design and its consequences can help both technical and comms/policy teams identify and address potential vulnerabilities.

Full disclosure: I worked with Dr. Amoroso and his team at AT&T for several years, but had no involvement in the creation, publication, or publicity of his books.

5. What is Code?, by Paul Ford

Code is the beginning and the end of many technical security challenges. Learn what it is and how it works.

There will be a test.

Melanie is a communications advisor dedicated to the infosec community. Throughout her career, she has provided strategic counsel across a range of communications disciplines including media relations, employee awareness, incident response, hacker relations, vulnerability disclosure programs, social engagement, and public policy.