39

Melanie Ensign

About this episode

Communications professionals are often quiet coaches. They work their magic behind the scenes. They hold their opinions tightly and express them infrequently. In short, their influence is everywhere but their fingerprints are often invisible.

Melanie Ensign is having none of that. And we’re all the better for it.

In this 64-minute interview, you’ll have the pleasure of meeting one of the most influential and outspoken communications executives in the world of cybersecurity and privacy. We begin with her role as press department lead for DEFCON, a role she’s held for 8 years and explains is the exact inverse of what you think it is.

In our next topic, Melanie breaks out the verbal chainsaw and applies it with vigor to the voice-based social network Clubhouse. From privacy mistakes to seeming indifference to community feedback on the topic, she explains in detail why she recommends her clients (and anyone else) avoid Clubhouse until they clean up their act.

The remainder of the conversation is a mini-master class on how to succeed in communications for everyone from startups to new CISOs. Melanie dissects press releases and what to do instead of hitting Business Wire every Tuesday if you’re a young company. Young or old company, she shares why using fear, uncertainty and doubt (FUD) to persuade people ultimately fails and how we can move past it as an industry.

Much of Melanie’s work at her company Discernible is working with CISOs and their teams on their internal communications. Influenced by her time working at Uber and Facebook, Melanie offers a game plan for moving from reactive to proactive communications. Her advice is not for the weak-willed: she refuses to clean up anyone’s mess and doesn’t think you should either.

This quickly has become one of our favorite episodes and there’s truly something for everyone in the dialogue, except for those who dislike a little profanity to season their conversations. Note the explicit tag and enjoy the ride.

Jack: [00:00:00] And we're back. Welcome back to security voices. 

Dave: [00:00:03] Oh, it's been a while. It's been a while and so much in between. Yes, indeed. Welcome Melanie. Thanks for joining us. 

Melanie: [00:00:14] Thanks so much for inviting me. I have actually been a fan for quite a while, so I'm excited to finally get to jump into the hot seat. Ooh, 

Dave: [00:00:24] Jack, we found our elusive seventh fan.

We knew there were six. This is amazing. What a day. 

Melanie: [00:00:34] It was me all along who knew. 

Jack: [00:00:38] Awesome. That's really good to see you before we were talking. One of the great things about the new platform is we can see each other, those of you listening. Don't have to look at us in our cobbled up home studios, but it makes a little more personal.

And I was just trying to remember the last time, because I've missed a couple of DEF CONs and have been crazy at a couple. Okay. You and I were last in the same space in Dublin, about four years ago. If I'm not mistaken, maybe five 

Jack: [00:01:04] your talk. There was one that I want to make sure we talk about too, because you were talking about one of your favorite topics or at least the one that you've talked about, which is why trying to scare people into cooperating is not a really good idea.

And doesn't work long term. There were several auditors in that room and you called their babies ugly. Cause that's kind of the way a lot of auditors work, but a couple of them, a couple of them saw the light. They were like, maybe that's why I have to make the same threat year after year. 

Melanie: [00:01:33] Yeah. Yeah. It is a very, very short term strategy.

Dave: [00:01:38] How did you get involved in DEF CON to begin with? So to be clear, you are among many things the grande dame of DEF CON communications. That's my title for you, not, not yours, but you shouldn't, you shouldn't negotiate for it. 

Melanie: [00:01:54] Jeff is listening right now. He may not agree with that. So I lead the press department for DEF CON.

So the goons that I lead, our team manages all of the journalists who participate in the event. And our team, I think, is particularly unique in the world of press teams, in that our responsibility is not actually to promote the conference. DEF CON does not need more publicity. Our role in the event is to recognize that journalists are going to come.

There is public interest and media interest in what's taking place at the conference. But the conference also is very strict when it comes to privacy. We want to welcome the press, but we actually don't want a whole bunch of. Camera crews all over the place, capturing everybody's video and faces. I mean, we don't even track registration, right?

So we don't know the names of everybody who's attended the event. And so my team is actually there to be the liaison between press and attendees, more so in support of the attendees than for press. And I think that that's a little bit different for most conferences and events where you may have a press team.

That's actually actively trying to solicit more attendance from reporters and we don't actually invite them. We recognize that they are going to be interested in coming. We welcome them. We try to help them out while they're there so they can understand the community and the culture and the topics that are being discussed.

But our role is not to promote DEF CON 

Dave: [00:03:28] that's quite a bit strange. I'm betting. That's not where the strange stuff ends. Do you have a, and I'm just wondering to myself, probably with respect to a communications team, What's the, like the average tattoo and piercing density on the communication team. It has to be far greater than any other assembled in mankind.

Melanie: [00:03:51] To be honest, it's not that different from what I see in corporate America, really, but to be fair, I also live in engineering world of corporate America and I see all kinds of things. So I think our PR team and our press team at DEF CON looks very similar probably to the one that you work with every day.

Dave: [00:04:14] Well, the one on Open Raven is me. 

Melanie: [00:04:17] So 

Dave: [00:04:19] no tattoos 

Melanie: [00:04:22] judging, judging from your, your collection of piercings and tattoos. I think you'd fit right in with our team. 

Dave: [00:04:30] Do you have a favorite story? Like give us maybe either a day in the life or a favorite story, paint a picture of what it's like. 

Melanie: [00:04:39] It goes by so fast.

I have to say the three days of DEF CON as the press lead, it's just a whirlwind of, to be fair, mostly nonsense, but it's a lot like my day-to-day job, right? When I was working in Silicon Valley, you have a whole bunch of highly opinionated people who all think they're right about everything and something happens and they don't actually know how to mediate situations.

And oftentimes my job is just a lot of interpersonal communication coaching. And so the type of drama and excitement that you may be imagining, I think because of what happens at DEF CON it's actually a small percentage of what we're doing. We're doing just a lot more conflict resolution because we are communications experts in a sea of non communications experts.

I will say there was an interesting time. I mean, it actually, this is pretty consistent every year, but for as much as my team does not really hole reporters in terms of what they can cover at the conference. Our host, the casino cares quite a bit about what shows up in the press from the conference. And so my team works very closely with the communications team at Caesars, because what they are concerned about is inaccurate reporting of hacks that impact the gaming floor.

They are a highly regulated industry. We've seen this many years, so this is certainly not unique to any particular year, but whenever there's a report or tweets about, you know, somebody hacked an elevator, somebody hacked a slot machine. Most of those reports ended up being nonsense or perhaps 10 years old.

But every time they'll show up in the press, I have to get involved because the casino is concerned about regulators going, Oh, you've had a breach, you've had a hack. I don't think a lot of people understand how the federal and state governments feel about gambling and making sure that all of the rules are followed.

And so any perception that there's an issue matters to our host organization. All of those kind of, they're kind of like kitschy, petty hacks that certain reporters love to just put on Twitter, that's not actually news. It's just a screenshot of elevator software that's rebooting. All of those things matter.

I think that's probably something that most attendees don't think about is the fact that DEF CON has to work very closely with Caesars. We are not a host-friendly conference. We are thousands and thousands of people who just come and wreak havoc on their property every year. And so there have been a lot of conversations about whether or not DEF CON should leave Vegas or switch venues.

I'm going to be really honest with you. I don't like Vegas. I'm not a fan of Vegas. I wish we could host it anywhere, including the moon, but I just can't imagine any other venue in the world that is going to put up with our shenanigans. And I think that is something that a lot of people in the DEF CON community often aren't aware of when it comes to the fact that there is vandalism, there is hacking.

Like this stuff happens every year and Caesars puts up with us. And I just can't imagine anybody else putting up with us the way that Caesars does. 

Dave: [00:08:06] just about anywhere in Detroit probably would to pick up my home state. Like dear God, we got humans. There's all these humans coming, look at 

Melanie: [00:08:15] them. But the thing is is we don't just come.

It's not just the physical space that we take up or the money that we might spend while we're there. I think we actually cost Caesars a good deal of money in terms of things that they have to clean up. When we leave. 

Jack: [00:08:28] I think one of the challenges as a semi outsider, one of the things people don't think about is that DEF CON wouldn't be DEF CON if it was at a convention center and you had to leave and go to your hotel. The being at the Alexis Park, being at the Riv, being at Caesars now, it becomes a village hosting a bunch of villages.

It becomes a community. And so there aren't a lot of places where there are hotel conference facilities, big enough, anywhere that can do it. And like you said, that would, that would put up with it is a different animal altogether. And one of your challenges must be that the local press in Vegas loves to hype things and scare the locals about the evil hackers are coming every year.

And the stories that you hear, if you're like me and avoid the strip, when you can. The stories you hear are just insane. It's like, wow, I wish we were that clever. 

Melanie: [00:09:23] So I have two thoughts on that is one. I actually think over the last several years, local press have gotten better. The second part of that is that I actually blame people in our own community for how terrible they used to be because every single security company and consultant who goes to DEF CON pitches reporters to try to get interviews while they're there.

And they're the ones that drive those scary, crazy, like what the fuck is happening and chicken little stories. The call is coming from inside the house. 

Dave: [00:09:55] Yeah. I can totally see how that happens. I mean, and it's just, it's an incendiary environment, right? You've got tinder on one side, you've got lighter fuel on one side, the lighter fuel will be the copious amounts of drugs, alcohol, and everything else.

They're all, as you would need as a spark, all you need is a spark and everything goes, boom. 

Melanie: [00:10:17] Yeah. And at DEF CON that spark is usually somebody's ego. 

Dave: [00:10:22] Ooh. Oh my mind. We may have found a quote, Jack, 

Jack: [00:10:30] should we change topics? 

Melanie: [00:10:33] Oh, you mean so that I can keep my DEF CON role. Thank you, 

Dave: [00:10:39] Jackie. You're you're asserting that, like there's some more of a show flow that was put together for this.

I appreciate that. 

Melanie: [00:10:46] Put a lot of work into that outline, 

Jack: [00:10:49] but I'm not paying attention to it. So I'm just going to say one word sharks. 

Dave: [00:10:54] Oh, 

Melanie: [00:10:56] I, yeah. 

Jack: [00:11:00] I just figured I'll say sharks and I'll let Melanie riff from there. Cause I understand that you have a fondness for sharks. 

Melanie: [00:11:07] I do. So I grew up as a kid wanting to be a shark scientist.

That was just my dream. And I actually started college as a Marine biology major and got about halfway through my program before I started getting introduced to jobs that are available with that degree. And all of a sudden it seemed like not a great use of my time. Now I have a lot of friends who did finish the program who were phenomenal scientists, and I just live vicariously through them.

But at that time for me, I just knew that diving and my passion for sharks was something that I didn't want somebody to tell me how to do that. I wanted it to be something that was a little bit more autonomous in my life so that I could just pursue that passion in whatever way, best fit me. And so I switched majors to pursue something that I thought was a better fit for me career wise.

So I do still spend quite a bit of time under water. I love swimming with sharks. I've swam with all different types of sharks. I've probably logged hundreds of hours diving with them so far. It's interesting. There's a lot of things that I learned about sharks that I still use in my day-to-day job, dealing with hackers.

So they actually have quite a few characteristics in common. And so it's not surprising that sharks come up often in my conversations about security. And I'm just so thrilled when they overlap, because I very much enjoy them. Both. 

Jack: [00:12:38] That's awesome. I actually was interested in marine biology. One of my sisters was career NOAA.

She was a budget analyst for decades, but I was near Woods Hole. And so I had friends that were scientists and friends that were in there. And yeah, the same sort of thing probably went through your mind, went through mine and, and then life happened and steered me in a different direction. I was just a wandering in Woods Hole a few weeks ago, middle of winter.

It's not an inviting place, but WHOI and MBL and NOAA there. So it's cool 

Dave: [00:13:11] stuff. I was always fascinated by Jacques Cousteau as a kid. And it's part of the reason why I moved to Los Angeles is I always wanted to learn how to scuba dive. So when I moved to 

Melanie: [00:13:24] LA being near cold water, 

Dave: [00:13:27] well, I was from Michigan.

So your cold water, my cold water is different. My cold water has ice on it, sister. So, you know, this was a step up. I didn't even bother trying to dive in Michigan. So when I moved to LA, literally I had very little money. I couldn't afford a gym, but I could afford to get PADI certified. So I did, and my very first year in Redondo Beach, and I've been diving ever since 96.

So yeah, I've done hundreds of dives and I resisted, I loved all your stuff and your Twitter feed on it. And I was like, nah, I want to ask her about Clubhouse. It's more recent or probably hooking more people, but much like yourselves. Yeah. It was really cool that you had that marine biology background and that you keep true to that.

I haven't had much time to dive since I became a dad and everything else, but I love getting under water. 

Melanie: [00:14:17] I will tell you that my scientific training has frustrated every single boss I've ever had in communications. So I definitely stick to it. Not everybody is a fan, but I just, you know, I have a very analytical mind for better or worse and that certainly shapes how we think about my work.

Even in communications. 

Dave: [00:14:40] Awesome. Getting back to communications here. The one thing that's happened in the past couple of months, and it's not NFTs, we're not going to talk about NFTs. We're not going to do that here. It's not even kind of tempting at the point to where a man sold his fart for $85. I was like, you know, it's just done.

We can't touch it. But I do want to ask you about Clubhouse, which seems to have some legitimate usage. It's the way that I look at it as sort of a live podcast. Almost like if podcasts are kind of like radio, Clubhouse seems to be unscripted, impromptu radio. As a communications professional, how do you look at Clubhouse?

And I'm curious as to how you talk to your clients. How about using it or not using it and so 

Melanie: [00:15:27] forth. I think there's one important thing to remember about me, even when I look at something as a communications professional is I'm also looking at something as a security and privacy professional. And so I can not give communications advice that isn't also considering data protection, privacy, and security implications.

And so honestly, where I'm at right now with Clubhouse is that it is just not safe to use right now. I think there is potential. I hope they get their fucking act together. They know exactly what the problems are and just refuse to do anything about it. And so honestly, that's the advice that I'm giving clients right now is let's watch it.

Let's monitor it. There's actually a lot of things that you like about it that you can borrow and adopt on other platforms. I mean, Twitter Spaces is becoming more available to people and they, it has far fewer privacy and security issues. Plus, you know, at least I know they actually have a fucking security and privacy team.

And respond to shit. But I think right now with Clubhouse, it's just, I can't recommend it to anybody because it's not safe and it's not even just your privacy or your security that is at risk. It's all of your contacts because their onboarding process harvests all of your contact information. And I think it was Eva at EFF, who very astutely pointed out for all of the white men behind Clubhouse, who hadn't considered this.

There are a lot of people in our address book that we don't actually want to hear from, again, they're in our address book for that specific reason as protection and the fact that you get notified when they joined the fact that they get notified when you joined all of that can be very traumatic for survivors of certain situations and experiences.

And none of that is being considered. And so I like the idea of audio. I think there's potential. I am seriously. I used to be disappointed. I think I'm now at the point of complete disgust at the lack of responsibility and accountability that Clubhouse is taking in terms of security and privacy and truthfully, their PR statements are bullshit.

The team over at Stanford that Alex Stamos works with did some investigative work and found that a lot of, at the time, Clubhouse's backend infrastructure was actually based in China. And so they raised a bunch of security concerns about that and their response was we're working on it. And Oh, by the way, we now have a bug bounty program.

I don't know what the fuck a bug bounty program has to do with your backend infrastructure or the fact that you're harvesting user data without consent. I mean, even in the EU, you can't consent to give permission to somebody else's contact information. So there's already two European regulatory bodies, one out of Germany, and one out of France that are already investigating this app.

This non-profitable app is already under the same investigations and drama that their predecessors in Silicon Valley have gone through. And it is just incredibly frustrating that in 2021, it is acceptable for venture capitalists to continue to throw money into the same problems that we started 20 years ago.

There are people investing in Clubhouse who invested in Facebook. We have gone through this, we have learned the lessons. There is no excuse to continue this bad behavior. So that's where I'm at right now. I hope they get their shit together. They're not close right now. I mean, we even saw last year when Zoom had their issue, Zoom immediately did something right.

And was all of a sudden, like here's our plan for identity encryption and what we're going to do. And a year later, lo and behold, they're onstage at Enigma presenting their end-to-end encryption paper with a ton of academic and industry credibility behind it. Nothing is ever perfect, but you can see the difference in response and investment from Zoom compared to what's happening with Clubhouse, and Clubhouse knows about all of these things, the privacy issues, they refuse to even acknowledge publicly and have not shared any plans about what they're going to do about it.

So what I'm telling clients right now, especially since my clients work in security and privacy, is that if you start hosting stuff on Clubhouse, you're a big fat hypocrite. So let's watch it. Let's monitor it. Let's learn and borrow what we can and let's wait for them to get their shit together. And then we'll be the first ones to help promote their platform.

Dave: [00:19:57] So you don't want to have this same podcast and Redux on Clubhouse. That's what I'm taking away from this. No, 

Melanie: [00:20:04] I will not be having the same conversation with you on Clubhouse. That is correct. 

Dave: [00:20:09] Wow. Wow. We just stepped right into a powder keg, everything you say makes sense. It makes perfect sense. And what's interesting is also in your background.

I noted you spent time at Facebook as well. I spent about a year at Facebook. Yeah. Yeah. 

Melanie: [00:20:25] That's how I know that all of this shit is avoidable. 

Dave: [00:20:30] Let's say that they brought you on. Let's say that. You're, let's say just suspend disbelief for a moment. Let's give them the courtesy of the Melanie foot in the ass.

Get-well plan. 

Melanie: [00:20:46] What's the get-well plan. We are assuming that they actually want to change. 

Dave: [00:20:51] Let's assume that for a moment. Suspend disbelief. Yeah. Let's give them free five minutes of counseling and you can continue to use as many expletives as you need to get through it, but give them your counsel.

What would you tell them to do to de-crapify themselves? 

Melanie: [00:21:09] Truthfully, I'm a comms professional. So most of my advice is from the comms side, but the most important thing as a comms professional is to not bullshit. There has to be real substance behind what you're saying. And so I think Clubhouse really needs to take to heart the criticism and the recommendations that have been shared by privacy experts.

From all over the world, very publicly and actually develop a plan for what they're going to do. And then you can talk about that plan, right? They need to have a better onboarding process so that they're not harvesting user data from people who don't even have accounts with them. They need to have a growth strategy that doesn't require this kind of vacuuming of, of user data.

And they need to actually engage with the privacy community. The fact that they've just mostly ignored everybody, except for Alex Stamos, is just not acceptable. That's not a dig on Alex, but that is just the fact that I don't know how they're choosing who they respond to if it's based on like Twitter followers or something.

But some of these privacy concerns are very serious. I mean, serious enough that you have multiple regulators investigating you. And so they need to have a plan for how they're going to onboard respectfully. They need to have a plan for how they are going to grow and monetize their platform that doesn't include violating everybody's privacy.

And then the communications advice then is built on that. How do you then talk about what your actual plan is? And I think that's the challenge that they have right now is that there is no plan to talk about. 

Dave: [00:22:51] Hm. So stop BS-ing people 

Melanie: [00:22:56] and also learn what the fuck a bug bounty program is. It is not like the silver bullet for all like media requests about security and privacy.

Dave: [00:23:05] Yeah. If your product's just designed in a way in which violates privacy, no one's going to report that as a bug. They're going to report that as a business model. 

Melanie: [00:23:14] Yeah. And by the way, if you go to their page on HackerOne, it actually says that they're not accepting reports. So,

Dave: [00:23:25] so you sign up for an account, but you won't take reports. 

Melanie: [00:23:29] Honestly, I do not have any inside information. So this is a hundred percent speculation. I suspect what happened is after the engagement with Stanford, I think somebody with a lot of experience at Stanford perhaps suggested that, Hey, there should be an easier way for people to disclose security issues to you.

And so they set up a security@ email through HackerOne. I think that is the extent of what they are calling their bug bounty program. Cause they don't have a team that actually staffs it internally. So even if the program existed, it would not solve the problems that we're talking about. I think that they were like, Oh, we signed this contract with HackerOne.

So let's add it to our press statement, but I don't really think it exists. 

Dave: [00:24:13] So my attempt at a recap was foiled by you telling me Dave, there's a step zero before a step one, which is actually giving a shit about, about the 

Melanie: [00:24:23] topic. It has to be true. This is how I advise my clients, whether it was in-house clients or now with external clients.

Imagine what it is that you want to be true. Right? What is your ideal scenario that you would want to be able to say that you would want to be able to brag about, that you would want to be able to discuss? You have to then reverse engineer to make those things true before you start talking about that.

And so I'll sit down with product teams and I'll say, how do you want this launch to go? What is your ideal scenario for how this launch goes? And they can rattle off a couple of mostly superficial, but sometimes tangible outcomes that they want from their launch. And then I will work backwards and say, okay, here's what you actually need to do.

So that I can make that happen from a comms perspective. I'm not a magician. You actually have to be doing this stuff that you want people to associate with you. If you want to build a reputation for something, you actually have to be doing it. That's why it's so much easier to build a bad reputation, because it's just easier to be terrible at things.

Dave: [00:25:28] Oh, where, where do we go from here?

Jack: [00:25:33] Different episodes are different levels of ease to pull quotes out of. And this one, the challenge will be narrowing it 

Melanie: [00:25:40] down. You guys, I am a comms professionals. You brought in the expert.

Dave: [00:25:48] All right, comms professionals. We had a quick sidebar on this and email and I hate press releases. I feel like I have to do press releases on occasion, but I don't think anyone believes press releases anymore. 

Melanie: [00:26:05] That has been true for 30 years, just so you know. 

Dave: [00:26:08] Yeah. But yet we still keep up this Kabuki theater of churning these things out with crazy, like adjective chains in them, 

Melanie: [00:26:18] which is why nobody believes them.

Dave: [00:26:21] Right. Right. And then, you know, if you, and I've worked with good communications professionals and every time I'm told there's a formula, Hey, no one loves it, but you kind of have to do it. And here's, what's expected. Give me your take on press releases and what a startup should do with respect to press releases.

Melanie: [00:26:44] So there are two, I think, legitimate reasons why people still use press releases. And I will caveat this by saying, you don't have to use press releases to accomplish these two goals. But just based on my observations, these are the two things that somewhat motivate companies to keep using them. One is their VCs.

Tell them to. I don't know what it is about VCs loving to see their own name and portfolio companies in print, but they want to see this momentum of activity and announcements coming from portfolio companies. And so oftentimes it's the VC that is putting pressure on his startup to say, press releases is how you would announce this right?

Every time you sneeze put out a press release. And I think that is really more beneficial to the ego of the VC. I don't see it actually providing much value to the startup because what the startup needs. And this is an interesting area where that PR strategy between VCs and their portfolio companies may not always align, but what the startup needs is credibility, which you're not going to get from press release because you wrote it yourself.

Right. And it doesn't show up in any publication that people care about. It goes on Business Wire or you stick it on your own website. There's no reporter in the world that anyone cares about who is writing things off of a press release. And so if you're actually looking for opportunities to engage with media, you don't need a press release to do that.

Press releases really just kind of, it's like screaming into the wind. The second motivation that I see is that once you become post IPO, there are SEC requirements about certain changes in announcements from a company that do need to be publicized because you need to show that you're giving everybody equal accessibility to that information. That also does not have to be done through a press release.

It could be done through a blog post on your website. So I think there are legitimate reasons for why people are trying to do it. It's just, you don't need to pay all that money anymore to do these things. There are different alternatives and channels available for the startup in terms of what it is that you're actually trying to accomplish.

So my five second assessment is that it's not worth the money. 

Dave: [00:29:05] What would you advise a startup? They came to you and said, Hey, we're thinking of doing this press release. We're thinking of doing this launch. What would you, now that we're taking press releases out of their toolkit and I wouldn't go out on a limb and say, you wouldn't advise clubhouse either.

Let's set that one aside. What would your game plan for them look like? What do you think? A well executed product launch, or even like a company launch game plan would look like one that's modern, one that would engender the level of trust that you think would be, that would be useful. 

Melanie: [00:29:35] It starts with who it is you're trying to reach.

So I tend to look at things from the perspective of influence, right? What influences people's decisions, what influences people's perspectives, what influences people's behavior and the answer for that is going to be different depending on who it is that we're talking about. And so, as a small startup, the most important thing you need to know.

Is who is it that you're actually trying to engage with? Who needs to be part of the conversation who needs to maybe not be part of the conversation, but observe the conversation and know that the conversation happened, right? All of these things matter. And so there is a different game plan for each company dependent on those goals.

And one of the things that I see with a lot of security startups, and I'm starting to see more of it now that we have more privacy tech startups is that there seems to be an attempt of a one size fits all universal plan for startups. In general, you get your Series A, you pitch it to TechCrunch, and everybody else looks the same and say cookie cutter strategy.

And to some extent that can work. If your goal is simply to get an article in TechCrunch about your funding. But you should have a goal for what that article actually is going to accomplish for you. That's what I'm saying. I think a lot of startup PR strategies actually just look like PR for the VC firm, rather than something that's going to be really meaningful for the startup.

In terms of getting you in front of the people who can buy your stuff and want to buy your stuff and are interested in what you're working on. I don't know a single, like VP of engineering, who's signing vendors because they read something in TechCrunch. It's just not where decisions are made, but I do also recognize that when people invest in your company, you do have obligations to them.

And if they need to see an article in TechCrunch, that's a good enough reason for me, but we need to be really honest about that. This is something to nurture the relationship with our investors versus this is the story that's going to increase sales and help us grow. 

Dave: [00:31:44] Are there any kind of young companies where you look at it and you think that they set an example that you think others should follow?

Are there any that you think are doing it really well? We don't bother going into the negative example because presumably (a) there's a ton of them, (b) it hurts people's feelings, and (c) it's not really helpful, but are there any good patterns you see out there where you had nudged company in their direction?

Melanie: [00:32:05] Yeah. So obviously I think my clients are doing great. Uh, and since I can't name them specifically, I'll just give a few examples of things that people have done. But so I do work with quite a few clients in the privacy tech space. And truthfully, a lot of them have just bypassed mainstream media and are going right into community engagement.

We don't have great privacy press on the technical side. There's a lot of great privacy reporters who are covering for mainstream national outlets, but not a whole lot that are getting into the nitty gritty, who can talk about service to service authentication, the difference between data deletion and data destruction and those types of things.

And so there are a lot of folks who are like our goal is to grow. We are a startup. We need to make some money. We need to get customers on board. And we're just doing a lot of matchmaking and networking and going directly to the people that we want to talk to. There's no rule that says you have to filter your message through the press.

And so that's understanding your goals, understanding who it is that you're trying to reach is actually a lot more, that is step zero before you can even determine what are the right communication strategies to get you to that point. 

Dave: [00:33:18] For me, that's one of the things that's just gotten so complicated in recent years, let's take the example of the privacy tech.

All right. So you have the privacy office, which in and of itself, you know, you state that as a monolith, but that could be quite a bit different. And then you've got the cloud infrastructure team. If you're a cloud first organization, that's going to get their hands on the product, or at least has a stake in it.

You have the data team, which is likely also going to be involved to have their own needs and so forth. And then you also have a security team who can be involved in the implementation. I think one of the great problems, particularly that young companies face now, is you end up with a sales cycle and even a marketing plan where you could run into any of this different cast of characters who all have their own perspective, who all have their own needs.

And that just wasn't true before. I mean, Jack, it used to be back in the olden days of security, like you had the IT team, right. And those crazy guys in AppSec, occasionally talk to the developers and they were punished for doing so, but the rest of it is just that one, IT and security, and it was easy.

Right. Great. 

Melanie: [00:34:27] Yeah. And actually this touches on an area that was in your discussion flow that you so thoughtfully put together, Dave, which is that the use of fear in the way that we communicate. 'Cause you just mentioned a whole bunch of teams who don't give a flip about data breaches, who just aren't going to be scared by like the latest Ponemon report, because it's not, it's not in their KPIs to prevent those things from happening.

Right. They're focused on performance. They're focused on reliability. They're focused on speed, and so fear just does not work on every single organization and every single function within a company. And so it's one of the reasons why, as we're seeing the buyer of security and privacy solutions evolve and diversify in terms of their responsibility and their role, they're not motivated by the same things that a CISO is motivated by.

And so a lot of the fear mongering and fear-based marketing that I see from vendors, I think is somewhat counterproductive. And it's selling themselves short. They're only going to get so far when you throw out fear, you're only going to catch the people who respond to that. And that's a very, very small percentage of your potential.

Dave: [00:35:38] Wow. Let's dive into this. It seems kind of obvious, particularly in the past year that selling on fear just was the wrong answer. And we know that part of the reason people did it in the past is it worked. It works at least with a certain group of people. And there's a primal level where it works on everyone.

It's the same thing we see in other markets too. Security is not the only one to sell on fear. I think we've seen this historically in markets like insurance too, of course, in many others. So we're not alone in this. And again, maybe hit an apex last year when people said, look, people are freaked out.

Cortisol levels are through the roof. People are freaking limbic and frozen, do not hit the FUD button. But what do you tell them to do? Alternatively, basically you're giving them a well-worn tool that they're accustomed to. What do you replace it with?

Melanie: [00:36:30] This is another area where my diving experience overlaps with my communications advice.

Avoiding FUD does not mean that we pretend there isn't risk. Right? When I dive there is risk to that. There's inherent risk in the behavior that I am participating in. And when we teach people how to scuba dive, we don't tell them that nothing could ever go wrong. We don't tell them that there aren't risks when you're trying to breathe underwater at 90 feet of pressure.

So avoiding fear does not mean that you pretend that there aren't risks. Avoiding fear means that you focus on informing your audience rather than scaring your audience. And this is why that matters. Your brain responds to fear in a very specific way. We are hardwired: when we experience fear, not just informed risk, but fear, our more primal hindbrain response kicks in, right?

That's where your blood pressure elevates. Your heart rate goes up. You might start sweating. You have difficulty speaking. This is your body preparing for your fight or flight response, right? What happens at the same time that your hindbrain kicks into gear is your higher level cognitive abilities actually shut down and it blocks the connections between the parts of your brain that are responsible for critical thinking and higher level judgment.

That is not the part of the brain that I want anybody in security and privacy to ever have shut down. That part needs to be firing on all cylinders all the time, right, for something that's this important. And so it is really critical that we, as an industry and as a community, learn how to communicate about risk in a way that is informative and helpful but doesn't try to scare people, because when you scare them, you are actually inhibiting the types of judgment that we need them to maintain in order to make good decisions about what they're doing.

For example, if you've ever been through an incident response with an executive who had no business being involved, the panic that they cause fucks up everything that everyone else is doing. A panicked executive is literally the worst thing that can happen once you've been compromised. It just mucks with the whole process. And so it's why we do tabletop exercises with our executives over and over and over again. It's not because I actually need my CMO to understand how the forensic works. It's because I need my CMO to be comfortable sitting still and doing nothing, because if they try to get involved at the wrong moment, it's going to mess things up.

So I need them to trust the process. So they're informed about the risk, but they're not scared. It's the same reason that we do stress testing of incident response teams with engineers, right? Because we don't want them to have to make decisions about what the right thing to do is in the heat of the moment when they're under pressure.

It seems very, very counterintuitive to me, and at times irresponsible, to push fear as a motivator in our vendor conversations when yes, there is risk. Absolutely. There is. But I want you to understand them so that we can address them. And I want to be a trusted advisor. I don't want to be known as Chicken Little who makes your blood pressure go up every time you see me, basically, I've got another bundle of bad news for you.

That is not how you gain influence over business decisions. Nobody wants to invite Chicken Little to the meeting. Nobody.

Dave: [00:40:15] I think we can conjure up plenty of examples of bad fear-based communications, right? Like don't be the next headline, X percent of this turn into breaches, all that stuff. Like pretty common fear-based messaging.

If you've got a few examples by all means, throw them out, but are there good examples that you think things that are exemplary or like tried and true ways of de-FUDing your comms? What does the practical advice look like here? What does good look like to you?

Melanie: [00:40:48] Yeah, so good is always educational. I want people to learn. If people are learning something from what you're communicating, that's valuable, right?

It's one of the reasons why truthfully, a lot of companies open source projects. People get to learn a lot about their technology, a lot about their team, a lot about their approach. You haven't bought anything from them yet. Right? And in some cases you're just never going to, because they may not sell something that you can use, but you know of them, they've developed a reputation with you.

And most of them end up with a positive reputation in the industry because of those efforts. And so good looks like being the go-to resource, even when things aren't going wrong. Security teams need to get themselves to the point where they're being consulted on more than just clean up duty. And the business will not see you that way if you don't behave that way.

You need to walk into those conversations to talk about things like performance, agility, reliability. And if you can't meet the business where they are, they're just always going to perceive you as this team in the corner that we call when shit hits the fan. It's not the team that we ask for strategic advice about what we should do now.

And so it's interesting. We've, we've spent a lot of time so far today talking about a lot of the external communications and maybe that's because you're both at vendors right now, but about half of my time is actually spent coaching internal security teams on how to influence the companies that they work for, how to gain influence with a CFO or CTO or your CEO.

How do you influence your board? How do you gain respect and credibility with people that don't report to you? Who don't have to do the things you say, how do you actually get them to do the things that you say? 

Dave: [00:42:43] Yeah. You know, we've, we've guided you towards the areas of our interest, but you know, that was the logical next direction.

So let's take the bait and go there. I think you've given us enough of the window of the anti-patterns that we've seen. What does exemplary CSO comms look like? Let's say you've got someone who's fresh. Who's just become a CSO, the mythical creature. And they say, I want to make sure that I get this right, Melanie.

Give me the operating system for a comms in this so that I get it right from day one. What would you advise them? 

Melanie: [00:43:23] Sure. So this isn't going to surprise you, but I'm going to start with, what are your goals? What do you actually want to accomplish, which is different depending on where you are in your journey as a CSO, as well as the situation for your team, right?

Being a brand new CSO, as in your first CSO job, is not completely dissimilar to being an experienced CSO who joins a new organization. That change of leadership has a profound impact on the team. And you have a very short window of time in which to get it right before the entire team writes you off, which is going to be problematic for you for a while.

You can recover from it. It just takes time. And so for brand new CSO or CSO that is adopting a new organization, it's really important to understand what their current pain points are. What is their experience? Where are they having a difficult time getting their objectives met? Is it because they're not getting resources, which I know is the common trope, right?

That security is understaffed, or is it just the fact that they don't actually know how to negotiate with infrastructure teams or developers on actually getting to the same shared goals and outcomes? Mediating a meeting between security engineers and product teams is very common for my company now, in terms of helping them learn how to communicate with each other. You may not need a whole ton of money if you can actually just get this other team to help you.

And so you need to actually understand where the friction is within the organization. What is preventing your team from being successful? Parallel to that, I also recommend that they have their own separate executive communications strategy. They need to be developing themselves as a trusted advisor to business leaders.

So while you're helping all of the ICs and folks on your team become better communicators themselves, you yourself need to elevate your position in order to elevate the influence of the entire organization. And so a lot of the specific tactics around that strategy will depend on who it is that you're working with.

CEOs are not all the same. CTOs are not all the same. And so it really depends on who do you need to have a relationship with in the organization in order to be successful and have more control over your destiny. And the first step of that is actually when you join the organization, you need to very quickly identify who are the actual decision makers in that company.

And who is it that actually gets stuff done. It may not have anything to do with your reporting chain. You may actually have a very weak or kind of wet blanket manager that may not be the person that you need to influence in order to get what you need for your organization. Day one, you need to start figuring out who calls the shots and who it is that you need to be developing relationships with, and whose trust it is that you need in order to be successful.

Dave: [00:46:19] It makes a lot of sense, especially when you consider what we said before, where organizations have, we've got a lot of new roles, you know, you've got chief privacy officers. Now you have chief data officers. You have people in new responsibilities.

It makes sense that you'd have to do that. But if the person looks at you and says, how do I figure that out? Do you promptly fire them as a client because you realize they're screwed or do you have any more helpful response?

Melanie: [00:46:46] And that's what they pay me for.

I'll give you an example that I used back in my days at Uber that required zero money to get something really important accomplished for us. At Uber, I reported into the communications team, but I was dedicated to the security, privacy and engineering teams. So I led communications for those organizations.

One of the challenges that we had at one point while I was there was just getting security tickets closed. The security team was just constantly having to hound developers to fix their shit. This is a common problem at lots of companies where you've got things coming in through bug bounty or various vulnerability scans and the security team doesn't actually own the system or the code.

So they know that there's the problem, but they don't actually have the ability to fix it. They've got to go engage with the owners and who actually created the problem to begin with. And that is not always easy for teams that are not trained in interpersonal communications. So one of the things that I was able to do as a communications person was I negotiated with the AppSec team who at the time was owning the various vulnerability management stuff.

This was back when the team was really, really small, but I actually owned the process for all external blog content that was coming out of the technical organizations. And so I added a requirement to that process that if you had any open security tickets, you were not going to give conference talks or publish blog posts until those tickets were closed.

And part of that was to help the security team. Part of that was also to say, look, if your shit is broken, I'm not going to put it on the internet for everybody to look at. We're only going to brag about stuff that we're proud of and stuff that we know is in good condition. And so the security team had actually built a dashboard so we could see which organizations had open security tickets.

And I had access to that. So every time somebody would submit a blog post, or a request to give a conference talk, I would look them up in the dashboard. And if they had open tickets, I would say, here are the JIRA tickets that are still open. These need to be addressed and closed and approved by the security team.

And then I'd be happy to review your content.

To get stuff fixed and that did not require any major battle between the CSO and the CFO. That was just recognizing the actual levers that you have to drive influence and behavior change. 

Dave: [00:49:17] Wow. That's awesome. And it makes perfect sense. Take care of your own house first. 

Melanie: [00:49:24] Yeah, I mean, I think it's just a matter of security teams thinking about their role a little bit differently.

I think we are too quick to assume a submissive role compared to the business. It's not just the fact that we can help the business do more things. It's the fact that we are actually human and we don't deserve to be abused. So if you want my help cleaning something up, you better include me in the process of making the mess.

That was something that I told people in job interviews for my whole career is I don't clean up messes I didn't make. If you want my help, you include me from the very beginning so that if we can't avoid the mess completely, we can at least minimize it.

Dave: [00:50:05] Yeah. And this has been one of the themes that we kicked around prior to this, in our email exchanges.

And I know it's been a topic for you is proactive versus crisis communications. Let's pull on that thread before we wrap up here. I think the crisis communications doesn't take a lot of imagination to figure out what that looks like. Stuff goes wrong. You jump in, everybody gets that, right. We're all smashed together and it's complicated.

It's painful, but what does the right proactive communications strategy look like for a security team? What does it entail? What does it include?

Melanie: [00:50:42] So there's two pieces here that I want to touch on the first is that your communication strategy for an actual crisis. And I, I debate what is an actual crisis.

I'm not sure every incident qualifies as a crisis. You will live through it. The world will go on. But the comms strategy for a security incident should not look very different from your everyday comms strategy and same thing with the incident response team for your security team, you should be doing the exact same process and protocols every single day.

We all know that at the start of an incident, you don't actually know whether or not it's a real incident. It could be a false positive, it could not have been something like maybe there's a problem with the tooling. And so you are following that process up until, you know, for sure exactly what's happening and can make a determination of whether or not, you know, it needs to be escalated.

Or if, you know, it ends up not being anything at all. And your communications plan should follow that exact same process and procedure. So for security communications proactively, we're talking about the things that we're building, we're talking about the things that we're doing, and we're focusing a lot more on other security organizations and others in the industry.

You will want to have friends when things go wrong and you have to make those friends now. The ideal state is for somebody to say, wow, if it could happen to them, it could happen to anybody. But people can only say that if they actually know what you've been doing this whole time, and the difference between the way the InfoSec community will respond on social media, which drives a lot of the InfoSec coverage, is not going to change mainstream coverage.

It will influence the InfoSec journalists. The way that InfoSec professionals will respond to your incident on social media is really based on how much goodwill and benefit of the doubt you have earned over the last X number of years. And so if your team's coming-out to the world is a massive data breach, truthfully, people are going to look for reasons to say that you were incompetent.

It's not a fair assessment. It's not a fair reaction. I have a lot of thoughts about the way that we respond to incidents in our own community, because we all live in glass houses. But that is just the reality of the situation, that if you want the benefit of the doubt when something happens, you have to earn that in advance. And so not having a proactive plan means that you are just waiting for something bad to happen, and then hoping for the best.

Dave: [00:53:22] To play it back is you need to be on a regular basis. You need to engage with the community.

So that might mean joining community Slack channels. It might mean speaking at meetups, contributing to open source projects, even just asking questions: Hey, we're doing it this way. Is there a better way, or we're thinking about this. And that way, when the shit hits the fan, you have people who have natural empathy for you, as opposed to people who are just going to shrug it off, who don't know who you are and don't know what you're doing other than what they can see on the website.

Does that sound right? 

Melanie: [00:53:56] Yeah. It's giving people a reason to pause before they throw you under the bus. 

Dave: [00:54:02] I'll say this, the recent SolarWinds incidents. I didn't see a lot of mudslinging.

Melanie: [00:54:08] Yeah. I think it's because a lot of people were actually living through it themselves. 

Dave: [00:54:13] Yeah, I do think people have grown up a little bit too in that regard.

And people realize, dunking on your pals when they get hacked, that it could be you. Whether you're going through it yourself, it isn't hard to envision yourself going through it.

Melanie: [00:54:27] But to your point, you use the terminology, everybody's going through this thing. It's almost impossible to expect people to have that reaction.

If they don't actually know anything about that team, the organization, if they don't have context there. And so it was interesting. 'Cause I had quite a few clients who, even though they didn't actually have risk exposure because of SolarWinds, they still had a whole bunch of customer inquiries about it.

Right? And so we were drafting communications on, how do you explain to your customers what your risk exposure is? And even if it's zero, you need to be able to explain that in a way that is both accurate and reassuring and in a way that they can actually prove, right. Nobody believes a CSO that's just like, "Nope, it didn't affect us. Have a nice day."

And your customers may not be security experts, right? If you're not a security vendor, your users and your customers are not security experts. So imagine being a B2B company that perhaps sells to HR professionals and you're explaining to them the situation with SolarWinds. And so there are a lot of communication tasks and responsibilities surrounding an incident.

Even if your organization is not the one that's compromised because we're all connected. And any time something big happens, it gets this much publicity. Everybody's just immediately sending out those questionnaires to all their vendors to figure out what their risk exposure is. And so a lot of security teams are not prepared for those questions.

And so we have to get that process developed again in advance, because what you don't want is just some random account rep having back and forth emails with a customer, that's going to create both legal liability, but also could actually be technically inaccurate from a security perspective. And so herding all of those cats in advance, that you have a really clear process that people know how to follow and that they trust so that when they get any questions related to a security incident, it's getting routed through the appropriate folks that you have a consistent and accurate message for everybody.

Dave: [00:56:30] It feels like you've been asked that a few times. It was incredibly not that it sounded well rehearsed or inauthentic, but it was just incredibly thoughtful and thorough and so on. You can feel the passion, you can feel the heat behind it. 

Melanie: [00:56:45] It is one of the most overlooked aspects of security communications.

And so I do talk about it a lot because I will get a lot of companies who come to me asking for one thing. And once I've done the assessment, I'm like this communication process actually looks like Swiss cheese. And there's quite a few things that we need to address because just having a process for media statements is not going to be enough.

If you, as a comms professional, want to have the information you need as quickly as you want it, we have to improve the operational communication of security teams and with our cross-functional partners.

Dave: [00:57:23] All right, let's move into the speed round. What's the last book, article podcasts, article of media snippet, haiku that you ingested that left a mark on you?

Melanie: [00:57:35] Hmm. Okay. So this is going to be maybe lame and super predictable. But the last thing I read that really stuck with me and it, I regretted it took me so long to actually read it because it's been available for a while now, but Cisco has an annual privacy ROI benchmark report that they put out every year and every year it sticks with me.

But this year in particular, really stuck with me when they talk about how much ROI companies are getting from their privacy tech investments, but also how much privacy actually matters for closing deals. And I think there's a lot of things that the security and privacy industries can learn from each other in terms of communicating value and ROI for those investments.

It's one of the biggest drivers that I see, even with startups, they may not have a CSO, but they've got a SOC 2, because they know that they're going to need it in order to sign contracts with certain types of customers. And so, you know, that always sticks with me when I find new ways to talk about the value of something that actually has substance behind it.

That was the most recent thing.

Dave: [00:58:41] Wow. We've had Conaman, we've had biographies, we've never had Cisco. I think this might be, this might be their finest moment.

Melanie: [00:58:52] I mean, I happen to know the team that started this report years ago and it just continues to be a really good resource for me because I find most corporate research to be mostly shit.

This was one that I think is really good. 

Dave: [00:59:06] All right. Who do you actually, I'm curious, where do you go to get your news typically? Like what's your top five list of places you go to keep abreast of what's happening in the world of security and privacy. 

Melanie: [00:59:18] I would say certain Slack channels, certain Discord servers, and certain group texts.

That's where I start, because what's important to me is actually knowing what's important to everybody else. So I want to see what everybody else is talking about before I go do my own research about what's happening, that they're not talking about 

Dave: [00:59:41] community 

Melanie: [00:59:41] first influence first.

Dave: [00:59:47] All right. Fair enough. Fair enough. When you need to phone a friend, who do you call? 

Melanie: [00:59:53] I have a really good friend in Texas who kind of is my sounding board for all major decisions.

Dave: [01:00:04] Favorite shark?

Melanie: [01:00:04] Mako.

Dave: [01:00:08] Favorite dive site?

Melanie: [01:00:10] If you would. I would say Hawaii is definitely my favorite area for diving, Hawaii in particular.

Dave: [01:00:17] Awesome. And what's getting better. What's all right. All right. Stepping back and being specific here we are in security. The vultures are always circling, but what's getting better.

What's improved in the last 12 months and it might be especially hard to find given the last 12 months have been madhouse, but having said that, what have you seen get better in the last 12 to 18 months? 

Melanie: [01:00:45] So a broad answer and then a more precise answer. The broad answer is that I have seen a lot more willingness to learn and adopt concepts and learnings from other disciplines.

So honestly, the InfoSec community has a tendency to read a book about something, and then think that we're an expert on it and give a talk about it and give people all kinds of terrible advice. And I'm seeing more interest in reaching outside of our community to find those actual experts, as well as those concepts and principles that can be applied within a security context.

And one area where I think this is getting particularly better, in large part due to the incredible mental health, uh, stress that we have all been dealing with over the last 12 months, even more so than normal, is the fact that since the entire world is going through a collective mental health crisis, there is a lot more information to find and to share about mental health and from actual experts and professionals, right? People with degrees and certifications in these types of things.

So there's less dependence on us just having to sit through a panel at a security conference of engineers, talking about their own experiences. While those are wonderful and incredibly courageous to share, and I think there's a lot of value, I'm also seeing more participation from actual health professionals because they're being asked more often by our community to come teach us so that we're not just trying to figure out everything on our own.

I think it's one of the wonderful things about this community is that we love to understand how things work and we love to take things apart and we love to learn new things, but we struggle with how much knowledge and how much training do we need to have before we are actually credible and responsible in sharing advice with other people. And I think mental health is an area where I have actually seen improvement, where there is more of an appetite to bring in medical experts and health professional experts to help our community cope and heal from a lot of the trauma and the stress that just comes with doing our job and particularly doing our job over the last 12 months, which has just been such a huge burden for people to carry.

Dave: [01:03:20] That's fascinating. And it strikes me that part of the reason I've loved being in security and have stayed in it is it's so dynamic. It changes all the time. There's so many things that are beginning all the time that are just brand new, that I think there is sort of a belief that you fall into where it's like, wow, the body of knowledge is this deep, it's brand new, so let's go in, let's build expertise.

And I think it is sort of an industry bias. It's one of the cool things about it is it's incredibly dynamic. It rewrites itself so frequently, but you can see how we would build kind of a negative tendency in that regard. And you bumble into these spaces where there's many, many decades of research and centuries even, right?

Yeah. Yeah. You can see how we'd fall into that trap. Yeah. 

Jack: [01:04:08] Consequences for getting it wrong too. 

Melanie: [01:04:10] Hmm. I'm glad to see some of that shifting. I think it's unfortunate that the catalyst for that seems to be that we're all just struggling so much more and that the world is struggling along with us, that these are topics that are being talked about in mainstream media and on social media and with our friends and family more so than they were before, which is actually a very wonderful thing.

And it's making it easier, I think, for those in our community to find outside information so that we're not so insular in where we get our sources of information.

Dave: [01:04:45] Lovely.

Jack: [01:04:46] Great point to wrap. Thanks for joining us, Melanie.

Melanie: [01:04:49] Yeah. Thanks for listening to my rant. 

Dave: [01:04:54] It was incredible. Thank you. Thank you.

Meet our guest

Melanie Ensign

Founder & CEO, Discernible

After managing security and privacy communications for some of the world’s most notable brands, including Facebook, Uber, and AT&T, Melanie started Discernible Inc to help more organizations adopt effective communications strategies to improve security and privacy outcomes. Today she counsels security and privacy executives as well as technical teams on everything from incident preparedness to earning influence with the business and effective cross-functional collaboration.

She is also a certified rescue scuba diver and brings many lessons learned preparing for and navigating through unexpected, high-risk underwater incidents to her professional work. Additionally, Melanie leads the press department for DEF CON, the world’s largest hacker conference.