After Their Massive Social Media Fail, What Should Security Firm Cygilant Do Now?

This article is more than 6 years old.

Last week, in a flash of poorly planned inspiration, Boston-based security firm Cygilant thought it was time for a security vendor to “be like Trump” and start insulting industry professionals on Twitter.

You can read about the entire debacle on ZDNet. It’s a treatise on what not to do in social media.

Cygilant’s mistakes were 43 shades of wrong:

  • Used the latest threat to tout their own solution
  • Insulted multiple respected security professionals
  • Used a “you don’t know what you’re doing”-style attack as a means to try to get a sales call
  • Claimed they are experts in patch management when it appears they don’t even do it fully themselves
  • Sent a condescending response to the volley of insults they initiated: “Thanks for the free marketing, kids! #HowYouDoMarketing”
  • Deleted tweets in an effort to erase mistakes (they’ve been captured and can be read under the hashtag #IAmEnlighten, which was inspired by a now-deleted tweet from Cygilant)
  • They used the classic non-apology of “if we hurt anyone’s feelings” we apologize. They referred to their language as “harsh and aggressive” (when in reality it was disrespectful) and then tried to shift their apology to a sales discussion.

The security community can be incredibly supportive, but only if you have some level of humility. If your engagement technique is to be a pompous ass, like what Cygilant did, then the community will come down on you like an anvil, as it has.

Even with attempted apologies, there doesn’t appear to be one thing Cygilant did right.

What should they do now?

STEP 1: Determine Cygilant’s values

“Whenever there’s a social media blow up, the pattern I see repeated in almost every crisis communications situation gone bad stems from values,” said Josh Weinberg (@joshuaw), leadership coach and strategy consultant, Digital Life Group.

Cygilant must ask, “What are our values and was this behavior reflective of those values?”

STEP 2: Prove with past actions that these truly are Cygilant’s values

“Companies can state they have certain values,” said Weinberg. “But you have to watch what people do, not what they say are their values.”

It’s easy for Cygilant to look back at this situation after the fact and make some lofty claim about their values (e.g., “we’re here to improve security worldwide,” “we’re here to educate the community”), but if there’s no past evidence that proves they adhere to these values, then those values simply don’t exist.

STEP 3: Figure out how the social media meltdown happened

Once the values are determined and agreed upon, next is to figure out why it went sideways. According to Weinberg that can be the result of either:

  1. Lack of values driving the company's actions
  2. The wrong values
  3. Someone violated the values

The kneejerk reaction from the cybersecurity community may be that they have no values, but we don’t actually know what happened.

Was this a rogue employee working for the competition?

Does the CEO have a drinking problem?

Did an employee get scorned by a lover and they were looking to take it out on someone?

Who knows?

STEP 4: Stop the bleeding

“The most important thing is to make sure that this doesn’t spread to current and potential customers and partners, who likely do not want to be associated with jerks. That will turn the episode from embarrassing to expensive and even can threaten the viability of the business,” said Rob Adler (@robadler), partner, Claritize Consulting. “The best thing to do is to get ahead of things with them. You have to assume that the competition will be contacting them. You need to be open and honest and show them this was an aberration that won’t happen again.”

STEP 5: Publicly expose what was discovered

Up to this point, the security community has written the Cygilant story.

They’re a bunch of jackasses.

It’s up to Cygilant to change that.

Cygilant will need to explain what happened. At that moment, they can take back ownership of their story.

STEP 6: Apologize with public actions

The solution is not to stay quiet and believe that “time will heal” or “people have short memories.”

As part of their public exposure, Cygilant will need to write another apology and explain what they’re going to do to improve the situation. Here are some suggestions. Do any and all publicly:

Clean house: Get rid of the person who is responsible for these tweets and anyone else who can’t adhere to company values (that assumes the values are there).

Hire an outside consultant: Bring in one of the people they offended, a respected security professional, or security journalist to do an audit on the company’s values. Weinberg suggests that the hired analyst create two public reports: one that explains what they did wrong and how they should go about fixing it and then a second report one year later to see how they’ve done.

Publicly state values: Explain what the company’s newfound values are and make sure that future actions in public and social media somehow point back to those values.

STEP 7: Become the leader on the thing you just screwed up on

Today, Cygilant is known as “the security vendor that disrespects the infosec community.”

To reverse that brand, Weinberg suggests Cygilant actively develop an open organization analyzing the issue of respect within the security industry. Create content about the issue, hold meetups, and applaud those within the community who show the most respect (e.g., give out awards).

STEP 8: Don’t hide behind social media, get out there and be seen

This cannot be done if they stay behind the screen. Cygilant will have to put a public face on what they’ve done and how they’re trying to improve. It’s very easy for people to attack others on social media, but most people are far more fearful to do it to someone they see in person. Attend events, sponsor events, and engage very publicly in conversation.

STEP 9: Record and publish the experience

This step is the hardest but will definitely put Cygilant on the map, possibly across multiple industries.

Cygilant can amplify its relation-growing efforts by recording and publishing the experience of trying to turn its image around. Brand the effort. If others learn from it and warmly respond, that’s the best Cygilant can hope for.

This will be a valuable learning experience for everyone. The journey of trying to improve the experience and learning from it will be fascinating. With humor and humility, brag about accomplishments, even the smallest ones (e.g., “Hey look, we got a positive tweet”).

So that the disenfranchised security community can see who Cygilant is, start doing video reports. Consider live video streams which will allow for direct and immediate feedback.

CONCLUSION: Actions speak louder than words

From what we see so far, it doesn’t appear that Cygilant has taken any of these actions. While many like to attack a company for their failures, I and others in the industry would be eager to see the company make a turnaround. It would be a captivating story to watch.

Huge thanks to Maxime Rousseau (@maxrousseau), CISO, Personal Capital, for bringing this story to my attention.