Allie Mellen is an engineer, researcher, and technical consultant turned Forrester analyst. She supports security and risk professionals by covering security infrastructure and operations, so it’s safe to say she’s dialed into trends and stories both new and yet-to-come.
She can tell you first-hand how to make the analyst relationship work, how to become a go-to source for media, and where most cybersecurity companies go wrong with their messaging. We asked her about all those topics and more. Here’s what she had to say.
Mike: What major cybersecurity trends or stories are you interested in right now?
Allie: There’s so much going on in cybersecurity right now, it’s hard to pick just one or two. But if I have to narrow it down, I’d say my top two picks for cybersecurity trends I am interested in right now are ransomware and extended detection and response (XDR). At Forrester, I cover both of these topics (along with SecOps more generally).
I get a lot of questions from practitioners about how to build a strong defense against ransomware, what happens in the event of an incident, and how to navigate paying or not paying the ransom.
With regards to XDR, this is a new, emerging market segment that has a lot of potential to improve security operations. I like to joke that security analysts (not me type of analyst, but those in the SOC :)) have the worst job in the world; they are overworked, stressed, and have to find a way to make sure the organization doesn’t get breached. If XDR can make their lives easier, it would add a lot of value for security teams.
What cybersecurity topics deserve more attention than they’re receiving?
One of the benefits about being in cybersecurity is that it’s such an exciting field, and it’s getting a ton of attention right now. But that brings about its own set of challenges, as many jump to the flashier parts of security like penetration testing and incident response without recognizing that there are a lot of other jobs to fill.
The most important thing to get right when securing an enterprise is the basics, and a lot of that crosses over with IT. Things like having consistent and timely onboarding and offboarding procedures for employees, implementing a strong password policy, maintaining onsite and offsite backups.
These aren’t the shiny new toys of the security industry, but they are the foundational work that must be done right in order to get the most benefit out of the shiny new toys. Getting the basics right, when you are able to define and actually implement those basics, is the most important and underrated support for security teams.
What are some dos and don’ts for cybersecurity companies working with analysts?
This is a fantastic question. When it comes to working with industry analysts, I have a few important tips, some of which are expounded on in this blog by my colleagues.
First, come prepared by knowing what the format of the conversation is and knowing who you are talking to and what their coverage area is. Industry analysts have very little time to begin with, and it goes a long way when a cybersecurity company comes into a session prepared.
Second, communicate what value you provide for practitioners, how you do it, and what your vision is without using grandiose language. I have heard a lot of adjectives in my time as an analyst, I don’t need to hear more. 🙂
And third (and what I see as most important), communicate what challenges you are having to us. Industry analysts have a wide view of the market overall, a very granular view of the solutions in the market, and a daily link to practitioner challenges and successes. Many of us were practitioners ourselves (including me). We are here to help security companies too, especially when we know that feedback is listened to and will ultimately help practitioners succeed.
The last thing I have to mention is specifically for executives of security companies. Never come into a meeting and belittle your analyst relations person in front of an industry analyst. I have seen this happen before, and it’s truly infuriating. We interact with analyst relations teams regularly and see how much work they put in to maintain a great connection with us. An executive belittling their AR rep is completely unacceptable to me and I will call it out.
What are the biggest mistakes you see cybersecurity companies make in their messaging and how they are communicating about their products and services?
Oof. I read, listen to, and otherwise consume a lot of messaging around products and services, so this is a bit of a sore spot for me.
A few of my colleagues at Forrester recently released in-depth research on trust called The Trust Imperative. This research digs into what trust is, explains how it moves between groups, and what that means for businesses. I recommend this report to everyone, as I find it to be a critical piece for understanding how to structure messaging to your audience.
This is a long way of saying that the biggest mistakes cybersecurity companies make in their messaging is their lack of authenticity. There is a yearning by practitioners for a vendor to explain exactly what their product can and cannot do, what the value actually is, and what it would mean for their team to deploy and maintain that product. Companies that can do this with integrity and respect for the practitioners they serve are rare, which is one of the reasons cybersecurity is often considered a ‘buzzword bingo’ industry.
You are frequently interviewed by reporters for high-profile security stories. What advice do you have for working with the media?
Be timely, relevant, and authentic. Respect that journalists often write on very stressful deadlines and that you need to work with their schedule, not the other way around. If you don’t have a relevant answer for something, don’t make something up, as it will only make you seem less credible.
It’s really important to remember that being interviewed by reporters is not an ‘opportunity’ or a chance to ‘get well-known quickly’ — it’s about sharing a point of view to help move the conversation forward and give helpful, educational information to a wider audience.
What books/podcasts/resources would you recommend to people working in cybersecurity PR and marketing? ?
I really love the podcast Dare to Lead by Brené Brown, not solely as a infosec professional but also as a business professional. When it comes to security, there are a couple of resources I really love, including the WIRED Security podcast, Daniel Miessler’s blog, #infosec Twitter, and Schneier on Security.
And of course (shameless plug), I highly recommend following my Twitter @hackerxbella and blog as I post quite often on security topics. 🙂