Last updated at Tue, 25 Apr 2023 21:38:38 GMT

Ho ho ho, Merry HaXmas! For those of you new to this series, every year we mark the 12 days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year we're kicking the series off with something not altogether hackery, but it's a gift, see, so very appropriate for the season.

For the past couple of years, I've provided free media training at various security conferences, often as part of an I Am The Cavalry track, and often with the assistance of a reporter. Big thank yous and lots of adoration for SantaJen's helpers: Steve Ragan - my most frequent partner in crime - Paul Roberts, and Jim Finkle. In the spirit of giving that is synonymous with HaXmas, the purpose of this blog is to make that training freely available to anyone that's interested.

Why are we doing this?

It's pretty simple really: I believe security professionals have important information to share, which can help individuals and organizations understand how they are at risk, and what they need to do to protect themselves. You could say that's a gift, and I reckon it's pretty valuable.

The media can be a fantastic way of disseminating information broadly, and the good thing is that a lot of publications have dedicated security reporters these days. Unfortunately that doesn't mean it's all smooth sailing.

The challenge comes in the details. Security pros are typically dealing with pretty complex and nuanced subject matter. Media is driven by attention-grabbing headlines and a need to feed the attention-spans and limited knowledge of readers. As a reporter, you have to cater to people with a range of familiarity, understanding, and interest in the subject matter, even if you write for a specialist security title. There can be a vast distance between the deep technical knowledge of a security pro, and the will-my-editor-like-it need of reporters, and that provides much opportunity for misunderstanding, misreporting, or oversharing.

NB: One thing I want to flag here is that my media training isn't about an adversarial relationship between spokesperson and reporter; it's about optimizing the engagement for a better result all the way around. We don't train people on this because we believe reporters are evilly conspiring against us. In fact, part of the reason I try to train with a reporter is to help build a greater understanding of their world, including their motivations, pressures and challenges. The training does talk about how to navigate certain reporter "techniques," but often these actions arise unintentionally, or for valid reasons (e.g., a reporter going quiet on a call to catch up with their notes). You won't always encounter these techniques anyway, but if you do (and regardless of why they are used), you are better off knowing how to handle them.

So in a nutshell, the media training I deliver is designed to help security pros share the information they have in as impactful, non-FUDy, and helpful a way as possible. My goal is that we'll get better at making security relevant beyond our echo chamber, and in turn we'll help people understand it and protect themselves.

Oh, and it probably doesn't hurt that getting good at briefing press helps our industry, and helps you as an individual build your career.

So what am I actually giving you?

Having received several requests for my slides, I created a deck designed for people to “self-teach,” which you can download here. And yes, people have been known to pay me to media train their spokespeople, so this is free professional training, as promised in the title.

The presentation is licensed for use under the Creative Commons BY 4.0 license, so you can feel free to share it. If you end up using it to build an amazing career as a media trainer, I'd appreciate a cut of your newfound riches.

(If you feel that this is not hackery enough to be considered an appropriate gift for HaXmas, you can think of it as me teaching you how to “hack the media for fame and profit,” which is the title I sometimes present under at cons.)

Want more?

For those that want even more advice, Steve Ragan and Violet Blue have both written posts on interacting with media at conferences:

If you have specific questions, drop them into the comments section and I will try to answer them. If you have examples of putting the training into practice, I'd love to hear about it – let me know!

Merry HaXmas!

~@infosecjen