Archives for February 2016

Behind the Headlines With Dan Gregory



In this interview with Maria Materise, Cision, SDI VP Dan Gregory shares PR insights and advice molded by pivotal experiences in the industry.

Storytelling, while central to PR strategies, is a delicate process. If you don’t understand the individual or group whose story you are telling, your story will sound false.

Dan Gregory, vice president of Susan Davis International, knows the importance of representing your client well and telling their story accurately. In this interview, he shares the difficulties of military communication, the need for successful communication in all industries and how to use movies as a guide for PR.

How did you get your start in PR?
Coming out of college, I was more focused on public speaking and speechwriting than general public relations. Public speaking was more exposed, intimate and immediate in how it connected the communicator and the audience in real time, allowing them to play off each other.

It is also an almost primitive way of communicating compared to most of today’s PR strategies. Yet, it can still be extremely powerful.

I only thought to make the leap to PR when a friend showed me how the strategies and skills of public speaking translated into media interviews. That realization led me to accept a position as a media trainer.

From there, I continued making connections between what originally attracted me to public speaking and the many other elements of public relations that I use today.

What’s the biggest lesson you learned from your first position?
My first position was at the Center for Strategic and International Studies (CSIS), a foreign policy and international security think tank. I was surrounded by extraordinarily intelligent people who earnestly wished to generate ideas that would change the world for the better. It was a side of Washington, DC that I do not think many Americans get to see.

As a communication professional surrounded by policy experts, I wasn’t immediately sure how I could contribute. However, over time, I realized that even the best ideas lived and died by how well they could be communicated.

Every idea needs to be understood, supported, and in most cases, funded. All those ingredients can be met through communications. That’s when I realized that there was a rewarding career opportunity in telling the story of good ideas.

What do you think are the key components of a successful PR strategy?
A successful PR strategy has all the elements of a great movie. It has to be based on a good story – a story that is emotional, memorable and does not run longer than necessary. The story should also be clear and easily understood, so that when people watch it (or hear it or read it), they can accurately repeat it to others.

A PR strategy should also have great characters. These characters must be ones that people can connect with, care about and hope for their success.

Lastly, the strategy needs to leave people feeling good. People naturally desire for things to reach a positive conclusion. In PR, if we are not telling a story with a feel-good ending, we have to tell audiences what they can do to help reach that positive conclusion.

How does your background in military communication help you in your position at Susan Davis International?
Susan Davis International has a long history of award-winning work in the military space, including serving Department of Defense agencies, Veteran Service Organizations and corporations looking to support and market to the military.

My experience in military communication was essential to being able to contribute effectively to these campaigns. The military community has its own language, preferred methods of receiving information and key issues of concern that are largely unknown or misunderstood by most Americans. If a PR campaign does not align with the way that the military speaks, it can quickly lose credibility and trust.

Therefore, our firm ensures our team has the highest levels of experience, understanding and appreciation for the military culture. And while my experience in the Pentagon was enormously instructive, I know I owe those who serve and their families to continue to learn as much as I can about their service.

How do you approach PR for sensitive topics such as those related to the military and veterans?
When I worked for the Army, one of my civilian colleagues in public affairs made a misstep about how she portrayed an issue very sensitive to those serving in uniform. I later overheard an officer angrily venting about the incident, and he kept repeating, “You don’t know what it is like for us. Don’t act like you know what it is like to be one of us. Don’t pretend you’ve been where we have been.”

That moment was completely sobering. His words drove home the tremendous responsibility I had as someone who never served in uniform, speaking and writing on behalf of those who did.

While it is ultimately my job to put myself in the shoes of the person I am representing, the truth that I would never truly know what it was like to be them has since pushed me to be as thorough as possible in understanding the people and the issues about which I communicate.  And it has encouraged me to approach much of my work with a great amount of humility.

How has PR changed in recent years?
The PR industry has been challenged by the fact that the rise in the number of communications channels has coincided with a severe case of FOMO (Fear of Missing Out). Even the most disciplined communication professionals can’t help but see a new website, social media platform or app and think, “Why aren’t we on that?” Even if the outlet is not the right fit for a client, it’s easy to feel jealous over all those potential media impressions.

This spread of FOMO has only been made worse by the distortion of what is newsworthy. Smaller newsroom budgets have resulted in more website space being devoted to clickbait, and TV news broadcasts relying on syndicated stories and viral videos.

For PR professionals, this emerging reality means that we can’t only sell the significance of our pitch. We also have to sell the popularity of the potential story, and make it as easy and inexpensive as possible for the media to cover it.

What advice do you have for those looking to begin a career in PR?
For every book you read about public relations, read three more about completely unrelated topics. An expansive knowledge about the world will increase your creativity, allow you to build networks and opportunities for your clients and develop your ability to identify communication opportunities in a greater number of areas.

Rapid Fire Round
1. I always thought I’d be…more involved in politics (don’t read this as a regret).
2. My guiltiest pleasure is…listening to movie scores while writing. “Shawshank Redemption’s” score is responsible for some of my best work.
3. The most interesting thing about me is…If I ever took a sabbatical from PR, I’d like to try my hand at flipping furniture.
4. My daily newspaper of choice is…The Washington Post.
5. My biggest pet peeve is…live tweeting speeches. As soon as you begin tweeting, you stop listening.
6. The thing that gets me up in the morning is…my cat sniffing my face. Oh, and wanting to make the world a better place.

Exploring the Cybersphere 2016 – February

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

Many takeaways this month from articles that further our understanding of cybersecurity concerns and issues starting with:

Are you in the crosshairs?

China’s Next Five-Year Plan Offers Preview of Cybersecurity Targets
Is your industry next in line to be targeted by China’s government-sponsored hackers? To find out, look at China’s latest five-year plan, suggests a global threat report released this morning. The report covers attacks by nation states, cybercriminals and hacktivists. “China is the biggest offender that we can see,” said Adam Meyers, vice president of intelligence at security vendor CrowdStrike, which produced the report. The country is mostly focused on collecting intelligence that supports its economic system, according to the report. “The last five-year plan was effectively a road-map of everything China was going to target,” he said.

Cyber Criminals Focus on the Super-Wealthy
Financial Times
High quality global journalism requires investment. Please share this article with others using the link below, do not cut & paste the article. See our Ts&Cs and Copyright Policy for more detail. Cyber criminals are trawling through wealth managers’ websites as well as social media networks to target the super-rich and trick them into parting with hundreds of millions of pounds a year, security experts say. Kroll, the security group, said it had seen an increase in the number of cyber attacks against the very wealthy and those who manage their private investments. Organizations that list details of senior staff online and networking sites such as LinkedIn are being filleted by criminals to find people with board-level job titles.

Huge Rise in Hack Attacks as Cyber-Criminals Target Small Businesses
The Guardian
It seemed like just another ordinary day for staff at vehicle hire company MNH Platinum. Little did they know that the simple click of an email link was about to threaten their entire business. It was early last year when the Blackburn-based firm was the victim of a virus which encrypted over 12,000 files on its company network. A ransom demand followed – the criminals would decrypt the company’s files in exchange for more than £3,000. With the virus proving impossible to remove without the loss of crucial company data, the firm had no choice but to pay up. “We were completely unprepared for a cyber breach simply due to a lack of awareness of the magnitude an attack of this type could have through mistakenly clicking a link in an email,” says managing director Mark Hindle. “I am thankful that we had a lucky escape, in that I was able to retrieve the documents that are crucial to the running of the business, albeit at a price.”

Give us a little privacy, would you please?

Eleventh-Hour Deal Reached to Keep Data Flowing Across the Atlantic
The Hill
The United States and the European Union have reached an eleventh-hour agreement that will permit Facebook, Google and thousands of other companies to continue handling Europeans’ personal data. Both Commerce Department and European Commission leaders insisted the new legal framework — which replaces a recently-invalidated agreement known as Safe Harbor — will stand up to court scrutiny. “There will be complainants and new court rulings, but I am pretty confident this will stand,” Justice Commissioner Vera Jourova said in a press conference unveiling the pact. The European high court struck down the original arrangement in October, claiming that the U.S. could not be seen to adequately protect privacy thanks to its mass surveillance practices.

Opinion: The Undoing of Germany’s Privacy Dogma
Germans vociferously objected to US surveillance after Edward Snowden revealed the vast scope of National Security Agency spying. So, when the European Court of Justice ruled in October to dismantle Safe Harbor, the legal arrangement that let American companies transfer Europeans’ data to the US, Berlin policymakers celebrated Europeans taking a stand for their right to privacy and digital sovereignty. But how things change. In a matter of months, after Islamic State terrorists killed 130 people in Paris and the refugee flows remain unabated, many Germans now recognize that intelligence cooperation with the US may be a price worth paying to combat threats dangerously close to home.

How Do Americans Weigh Privacy Versus National Security?
The Atlantic
Three years ago, Edward Snowden leaked troves of previously classified information that laid bare the American government’s widespread surveillance of its citizens. The takeaway was clear: We live in an age when private, personal information—from Google searches, to GPS locations, to swipes of your credit card—is being collected constantly and invisibly, and there’s little any individual can do about it. The U.S. government defended its actions by claiming that the information gathered would aid in fighting terrorism, both foreign and homegrown.

Reactions to the EU-US Privacy Shield
The new framework for the transfer of personal data between the European Union and the United States is really the evolution of over 15 years of established privacy regimes between the U.S. and the E.U. The result of the negotiations are really meant to reestablish trust in the U.S. and E.U. transatlantic relationship. The newly announced framework will be wholly replacing the now ‘dead’ E.U./U.S. Safe Harbor program. In fact the new framework established by the U.S. and E.U. will even go by a completely new moniker: E.U./U.S. Privacy Shield. E.U./U.S. Privacy Shield is said to both protects the fundamental right of privacy of European citizens while at the same time providing legal certainty for the thousands of U.S. based businesses that serve them.

Former CIA Director Endorses Unbreakable Encryption
The Hill
The former director of the Central Intelligence Agency and the National Security Agency said this week that the government should not have a backdoor into encrypted communications. “America is more secure with end-to-end unbreakable encryption,” said General Michael Hayden, now a principal of the security and risk management firm Chertoff Group, speaking at a Wall Street Journal conference. Hayden’s comments are part of a tense debate over the degree of access that law enforcement agencies should have into secure communications. In the wake of the terror attacks in Paris and San Bernardino, Calif., law enforcement and some lawmakers have been pressing tech companies to give investigators guaranteed access to encrypted data.

Privacy Board Gives High Marks to Spying Reforms
The Hill
The government’s privacy watchdog on Friday gave a positive assessment to the Obama administration’s efforts to reform federal spying powers. The small Privacy and Civil Liberties Oversight Board (PCLOB) said the government has started to enact reforms addressing each of the nearly two dozen recommendations it made two years ago, on the heels of Edward Snowden’s leaks about American surveillance. “[I]mportant measures have been taken to enhance the protection of Americans’ privacy and civil liberties and to strengthen the transparency of the government’s surveillance efforts, without jeopardizing our counterterrorism efforts,” the bipartisan five-member board said.
In 2014, months after Snowden’s leaks revealed details of U.S. spying, the PCLOB declared that the National Security Agency’s (NSA) bulk collection of Americans’ phone records was illegal.

Developing a Global Privacy Regime in the Age of Mass Surveillance: Four Key Principles
Open Democracy
The proliferation of mass surveillance practices in recent years has posed a number of tough challenges for the protection of human rights in democratic societies, most notably for the right to privacy. These challenges have been exacerbated by the considerable diversity in the legal and constitutional protection of privacy across the globe, with states engaging in far-reaching surveillance activity (such as the United States as demonstrated by the Snowden revelations) providing a fragmented and limited constitutional framework for the protection of privacy, especially regarding non-citizens. At the same time, privacy protection framed strictly from a national/territorial perspective is increasingly inadequate to address the globalisation of surveillance, as evidenced by the proliferation of extraterritorial surveillance practices by states.

Privacy Debate Explodes Over Apple’s Defiance
A long-simmering showdown between Silicon Valley and Washington over national security flared into a major political spat Wednesday, after Apple CEO Tim Cook vowed to resist the federal government’s demand for help breaking into an iPhone used by one of the attackers in last year’s deadly mass shooting in San Bernardino, California. The dispute between the tech giant and the FBI has put the entire industry on the defensive and prompted new calls, from the 2016 campaign trail to Capitol Hill, for tech companies to cooperate in terrorism investigations. Apple’s harshest critics included Donald Trump, who asked on Fox News, “Who do they think they are?” — while Senate Intelligence Committee member Tom Cotton (R-Ark.) charged that the company had chosen to “protect a dead ISIS terrorist’s privacy over the security of the American people.”

What business needs to know.

Fast Data Will Revolutionize Cybersecurity in 2016
How could ordering a pizza take down a bank? It’s frighteningly easy—and illustrates the need for faster, more-sophisticated technology to block the even more-pernicious cyber-security threats targeting big companies today. In the pizza example, a bank employee orders a pizza online, using his company email address to complete the transaction. And, like many people, he uses the same password for the pizza site as he does to log in to his bank’s workstation or intranet. Bad move: Clever hackers now automate cyber-attacks on some businesses with weaker security, like pizza parlors. They can easily snare the employee’s information, then try those login credentials on the bank’s website or employee VPN– and, if they work, tap into the bank’s internal networks.

Cybersecurity Statistics Predict a Hot Market For 2016 To 2020
Cybersecurity is a hot market, period. Read on if you want to know why. The worldwide cybersecurity industry is defined by market sizing estimates that range from $75 billion in 2015 to $170 billion by 2020. Or to put it another way, corporations and governments will spend roughly $100 billion on cybersecurity over the next four to five years. Internet of Things (IoT) security could add another $29 billion to those market figures by 2020. 9-figure deals lifted cybersecurity investments to an all-time high in 2015. An InformationWeek DarkReading article reports that cybersecurity stocks are way down in 2016, but a lot of venture capital money is still flowing into cyber companies.

Many Companies Still Procrastinating When It Comes To Cybersecurity
It’s going to take more than a massive hack against Sony Pictures, Anthem, and the Internal Revenue Service to persuade business executives to protect their companies from data breaches. A recent survey of 1,000 business executives by consulting company NTT Com Security said that the only half of the polled respondents had a formal plan in place to protect their data and networks in case of an attack. Additionally, a quarter of these executives “are certain that their company will suffer a security breach in the future,” the report stated.

Deloitte: For CyberSecurity – Offense Can Be the Best Defense
Integration Developer News
As 2016 begins, organizations are going on the offense to combat cyber threats, according to a report this month by Deloitte LLP. Companies and government agencies are no longer satisfied with simply “locking the doors” where cybersecurity is concerned, said the 2016 Deloitte Analytics Trends report. “Organizations with a sophisticated approach to cybersecurity are no longer satisfied with locking the doors after the robbery has been committed. [They] are beginning to employ more predictive approaches to threat intelligence and monitoring—in short, going on the offensive,” the Deloitte report found.

Liability can Change Attitudes to Corporate Cybersecurity
Throughout the past century we’ve witnessed how liability, regulation and legislation have been instrumental in improving security and safety. As Britain marks 50 years since the first seatbelt law was introduced this month, we celebrate how driver liability changed norms and saved thousands of lives. This massive potential is not limited to personal safety. In any market, the key drivers for change have largely been regulation and incentive, whether through legal liability or insurance cover. However, these agents of change are still immature in the cybersecurity market, and we’re seeing serious and unnecessary breaches as a result. This was highlighted last year by GCHQ director Robert Hannigan’s astute reflection that the free market is failing cybersecurity.

By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

February 23, 2016

Cyber Risk in the Maritime Industry

The following post introduces a series that will educate readers about the nature of cyber risk in the maritime industry. SDI partners with leading maritime services provider Hudson Analytix to provide cybersecurity support to members of the maritime industry.

Although thousands of years old, even today the maritime industry sustains more than 90% of the global economy. Every vessel and port terminal operator in the world creates, utilizes, stores, manages, and exchanges digital data, along with the financial information, via internal and external networks. To this end, maritime companies are rapidly adopting and integrating a broad range of operational technologies and systems, both wired and wireless, which facilitate faster, more efficient and streamlined operations.

The more network enabled devices are deployed and used, however, the more dependent the maritime industry overall will become and, thus, it will become more vulnerable to cyber threats. While networks need to provide high availability, we must also demand high integrity—they will need to be safe. To this end, unlike a standard database or router, a hacked [container] terminal management system could result in a massive number of misdirected assignments or a compromised GPS system could incrementally misdirect vessels outside of channels and into dangerous areas before a compromise is discovered, let alone corrected. Such scenarios could result in costly business disruption, property loss, or environmental damage.

Like Stuxnet 7 demonstrated in 2010 with the successful attack on Iran’s nuclear enrichment capabilities and Shamoon’s disruption of Qatar’s Ras Gas and Saudi Aramco’s computer systems, the expanded utilization and connectivity of highly integrated, networked SCADA and ICS equipment have outpaced the cybersecurity controls needed to secure such critical systems from cyber attack. Unfortunately, automated maritime systems are typically not managed to standard IT best practices. Instead, they are relegated to the traditional physical security practices stipulated by the ISPS and ISM regulations and have yet to be updated to address emergent cyber threats.

Cyber risks span the entirety of an organization—from C-suite executives susceptible to targeted social engineering attacks, to unsuspecting employees (the itinerant seafarer included!) falling prey to a spear-phishing attack and third party contractors accessing your company’s network. Addressing the challenge demands a top down enterprise approach.

By Max Bobys, vice president, Global Services, Hudson Analytix
February 16, 2016

Lessons from Ancient Sparta Apply to Data Privacy Expectations

– Son, either with this or on this.

Legend has it that Spartan mothers send their sons off to war with this blunt admonition. Either return home safely with your shield, showing that you did not run from battle, or be carried home on the shield. Cultural expectations for success thus were rather clear.

One of the more interesting aspects of the titanic cybersecurity struggle underway around the world lies in cultural expectations over the security of individuals’ personal data. This issue has been playing out in very public fashion over the past few months as the United States and the European Union (EU) negotiated an agreement on how data belonging to European citizens must be protected by U.S. companies that handle that data. Since 2000, the framework for protecting the data lay in what was termed the Safe Harbor agreement. Basically, the agreement required companies that collected personal data to inform people their data was being gathered, tell them what would be done with it, obtain permission to pass on the information to a third party, allow people access to the data gathered, ensure data integrity and security, and offer a way to enforce compliance.

All this fell apart when an Austrian privacy activist filed suit challenging the legality of Facebook’s handling of his personal information under European privacy law. As the suit played out it became increasingly clear that European nations were much more concerned about privacy than were many U.S. actors. The Safe Harbor agreement allowed for self-certification, enabling U.S. companies to self-certify that they would comply with EU data protection standards to allow transfer of European data to the United States. More than 5,000 companies did so.

The fly in the ointment was that while U.S. companies might certify that they were following Safe Harbor Principles, U.S. law made it possible for U.S. law enforcement and national security agencies to access data presumed protected by Safe Harbor. That smoldering issue ignited when former National Security Agency (NSA) contractor Edward Snowden made clear that the NSA had a thriving global surveillance program. The lawsuit that led to the demise of the Safe Harbor agreement was premised on the assertion that Facebook was not protecting users from the NSA’s mass surveillance program. In October 2015, the EU’s highest court, The European Court of Justice, essentially agreed with that assertion, finding the Safe Harbor agreement was not serving the purpose for which it was created.

Last week, the United States and the European Union announced a provisional agreement that creates “The Shield,” the successor to Safe Harbor. Read the fascinating back story on the creation of The Shield here. But, this will not be the end of the story. Europe will continue to be far more aggressive in protecting its citizens’ data than will the United States. It is a decided cultural distinction that will continue to have profound consequences. The Shield in whatever form may be seen as inadequate for fending off attacks on data privacy, and find its way back to the European Court of Justice.

Unlike ancient Sparta, expectations for success are not altogether clear. What is even more likely is that ever more restrictive approaches to data transfer and handling of European data will become the practice. U.S. companies should note this likelihood, as should companies around the world that will do business with the European Union. For multinational companies, privacy issues will become ever more challenging from both a compliance and customer expectation perspective.

By Tom Davis, SDI Cyber Risk Practice
February 9, 2016

SDI Chairman Hosts Guatemalan AG

attorney general guatemala susan davis intl dc

Hosting the impressive Thelma Aldana, Attorney General of Guatemala capped a terrific week at SDI! As AG she has proven her critics wrong again and again.

SDI Expands Cyber Risk Practice Into Latin America

Susan Davis

Tom Davis, Ambassador Julio Liggoria and Susan Davis pictured above.

SDI celebrates the expansion of their cyber risk practice into Latin America through alliance with Delta Consulting Group, headquartered in Panama, and Interimage LatinoAmerica, headquartered in Guatemala and Panama. Firms will leverage their combined strengths to offer high value cybersecurity services in the growing Latin American market.

Because That’s Where the Money Is

williesutton bank robber fbiWilliam Francis Sutton was born into an Irish Catholic family living in Brooklyn in 1901. Although the family led a bit of a hardscrabble life, no doubt his mother hoped that one day William would make something of himself. He did. He became one of the notorious bank robbers in American history, and earned a spot on the FBI’s “Ten Most Wanted Fugitives” list. When he passed, the New York Times obituary of “Slick Willie” Sutton said in part: “For most of his adult life, until he last went to prison in 1952, William Francis Sutton Jr. was consumed by two constant, driving ambitions. One was to make as many illegal withdrawals as possible, at gunpoint, from carefully selected banks. The other was to extricate himself from prisons he wound up in as a result of his bank robberies.”

Willie Sutton is credited with contributing one of the more pithy explanations of human behavior.  Asked why he robbed banks, Mr. Sutton is said to have replied, “Because that’s where the money is.” The logic behind the statement has found its way into Sutton’s Law, which, as taught in medical schools, basically suggests to first consider the obvious when seeking a diagnosis. One might apply similar logic to respond to a question often asked by corporate executives in companies that are not obvious first tier targets of cyber criminals—“why would we be a target?”

The simple answer is “because you have data that has value to someone else.” There is a thriving criminal economy fueled by data breaches. Many people are at least vaguely aware that stolen personally identifiable information (PII) has value, and may correctly venture that a prosperous black market exists for PII, as this piece by Wade Williamson attests. But the scale and sophistication of the cyber criminal economy vastly exceeds what one might imagine. Last November, The Economist reported on “What lies behind the JPMorgan Chase cyber attack.” JP Morgan was the victim of a breach in which the personal data of over 83 million customers was stolen.  What did the perpetrators do with the stolen data? Well, for one, they used it to manipulate stock prices, actually returning to victims whose identities had been stolen and pressuring them into buying cheap and nearly worthless securities, in a classic online “pump and dump” scheme.

The point is, if you have data that has value, and it would be odd if you did not, then you could be a target. Understand that data of value goes well beyond PII. It includes proprietary databases, business plans, market research, product designs, intellectual property, minutes of board meetings, and a host of other sensitive data that provides value to the company and is instrumental to your success.

Writing in the New York Times, Nicole Perloth noted that cybersecurity experts say… “The companies most prepared for online attacks…are those that have identified their most valuable assets, like a university’s groundbreaking research, a multinational’s acquisition strategy, Boeing’s blueprints to the next generation of stealth bomber, or Target’s customer data. Those companies take additional steps to protect that data by isolating it from the rest of their networks and encrypting it.”

In the late stages of his life, Willie Sutton consulted with banks on ways to improve their security. He may now be able to make a posthumous contribution to the cybersecurity posture of other businesses.  Look across the range of critical data in your company and ask a simple question, “What would Willie do?”

By Tom Davis, SDI Cyber Risk Practice
February 2, 2016