How One PR Manager Turned a Security Crisis into a Trust-Building Opportunity

Published Monday, June 23, 2025

INTERVIEWER

All right, let's jump into it. Uh, congrats, by the way, getting one to college. It's a, it's a huge accomplishment as a parent. Um, all right, this first one is, let's talk about a time you were able to see around a corner to meet a customer need or delight a customer with solution, product, etc. uh, they didn't yet know they needed or wanted. So for a customer should be internal or external, by the way. Don't don't limit your thinking.

CANDIDATE

Yeah, that's OK. OK. So for, for in this situation, my customer was um the CEO and the, the head of engineering at a company called Malwarebytes, and while I was running uh global communications there, um, we had a situation where there's a well-known security researcher named Tavis, and how long do you want these answers to be? Sorry, I just, it's up to you. OK. Um, there was a well-known security researcher named Tavis Ormandy. He was, um, his job was to basically find software vulnerabilities and security software. Um, and he alerted us to 7 security vulnerabilities in the consumer version of our anti-virus software. He gave us a 90-day grace period to address the issue before he publicly disclosed the vulnerabilities on his blog site. Our CEO and head of engineering, they wanted to fix the, fix the vulnerabilities before the 90-day period expired. And in my judgment, the, the situation was a good opportunity to, to build customer trust, and I was concerned that would be very challenging to fix all the vulnerabilities in the ninety-day period. I also that, and also, um, in the spirit of wanting to be open and transparent with our customers, um, I believe we need to be proactive and tell our customers about the vulnerabilities. We had 250 million consumer and 50,000 enterprise customers. And also from a journalist's point of view, we had a good relationship with journalists. Many of them used our product, and I wanted them to, to, to recognize and be, uh, recognize that we're being honest and straightforward and trustworthy with our customers. So, I, um, the CEO, um, sorry, the, the research revealed that a that a code injection vulnerability would result in code executing on the target machine. And being that I had spent time at Cisco and Sun, um working on crisis issues like this, I knew 90 days was not sufficient. Um, and, um, well, I had, well, I, well, I had good data, um, from previous roles, I didn't have good data in this situation.
I didn't have enough time, so I had to sort of work around the corner there. Um, and, and so what I did is I set up a meeting with the head of engineering to discuss my concerns. I provided him with case studies of other disclosures, like, uh, Kaspersky and and he said and other companies that Tavis Ormandy had had exposed their vulnerabilities. Um, so after meeting with him and sort of discussing my past experience, he agreed that the engineer, engineering team would not be able to fix all the issues prior to disclosure. So I had to, I used that information and the fact that he was on side to, to meet with the CEO and convince the CEO through a one-page brief that I put together that um that we needed to uh change our plans in terms of, uh, we needed to be more open and transparent with our customers. So the CEO agreed to the change, we, we proceeded with my plan, um, I wrote a blog post on his behalf. Uh, we announced a bug bounty program. We, we apologized for, um, for the vulnerabilities to, to all our customers. And, um, within, within 90 days, we were only able to fix 4 of the vulnerabilities. There were still 3 left to be, to be patched. Um, but the results were good. We had 40 articles with 90%, uh, being neutral to positive. Only 10% were negative, and a great deal of the articles were uh were balanced because they focused on, yes, the disclosures, but they also focused on this bug bounty program that we announced. Um, so that's, yeah, my example.

Interviewer Insight

This is a decent setup of the issue, but does not properly frame the looking around the corner aspect, which is what necessitated the next question.

INTERVIEWER

So what's specifically in there is is the thing that that you were looking around the corner and and solving for, that was unique here.

CANDIDATE

So it was unique there was um I was able to look around the corner, whereas the, the senior leadership at my company was not, and I was able to use my foresight based on experience and see that if we didn't do anything, um, the coverage would have been 90% negative, um, and, and I saw this with, uh, with Kaspersky and I said where they didn't make any disclosures, they didn't come out publicly, and the coverage was, was very negative.

Interviewer Insight

This is just an OK answer. The candidate should not presume a ton of knowledge on the part of the interviewer and therefore should be focused on painting a more complete picture of the situation. Also, whenever possible, frame the potential outcomes using metrics and data.

INTERVIEWER

OK. And so, when you think about and and I don't, you know, the the the customer here is kind of a vague notion or it could be your, your CEO could be the journalists, it could be the end customers of your product, and, and I understand that. Um. But um, how do I want to ask this question? Yeah, so let's let's focus on the CEO and the and the head of engineering. What, what? You know, it's, it's a bold statement, if you'll allow me this for, for the head of PR or uh you know, AR to, to, to say to a, a head of engineering, hey, you're not gonna get there. That's a, that's a strong, uh, very strong effort that takes a lot of balls, uh, frankly, to, to say that to the head of engineering that, you know, despite the fact that they have stated that they can do this thing, that guess what, you're not gonna get there. So what gave you the conviction that you were right and that they weren't going to get there on their own?

CANDIDATE

Well, I think, um, I think it had to do with my, uh, my previous experiences, right? The fact that, um, when I was at Cisco, we, we faced a reputational threat. It was alleged that Cisco routers were being used for NSA spying. Uh, the Guardian printed photos of the, of the router

INTERVIEWER

box, Cisco and uh, the Supermicro boxes that were getting the secret chips planted on them. I remember that.

CANDIDATE

Exactly. So, I worked on that. I, I'm the one who created, proposed and implemented a strategy of being open and transparent. Um, it didn't take, it didn't take a lot of convincing there because we had a I don't know. We had a, a, a policy of telling it all, telling it fast when it came to, um, to crisis issues. It didn't make sense to, to hold back. So anyway, I used that experience and my foresight to persuade the head of engineering who, who had, who, who trusted me based on that expertise, um, at at Cisco and other companies.

INTERVIEWER

OK, uh, if I recall, the Guardian never printed a retraction on that story. Is that still true?

CANDIDATE

It's true, but what they did do was they, they covered the, uh, John Stewart, who was the head of security, chief security officer. Um, he, his blog post was covered by the Guardian. Um, so while they didn't retract that previous story, they did cover our, um, our coming out and saying that, um, you know, that we had nothing to do with it. Um.

INTERVIEWER

Yeah, it's not quite the retraction that I would have wanted, but it felt like it felt like super irresponsible reporting at the time. I remember that story landed and it was like that was, it was a strong effort uh on their part. OK. um.

Expert Assessment

Interviewer assessment - would be used in a hiring meeting

Candidate presented a good starting point for demonstrating that they can exhibit Customer Obsession. It was clear that the candidate understood and demonstrated unique situational awareness with regard to the issue of a zero-day bug. What wasn't clear from the example was how much impact this had, and how the candidate would utilize data to better impact decision making.
