Mar 07 2008
I’ve been blogging for over four years now and been employed by four different companies during that time. When I started blogging my employer at the time didn’t even know what a blog was and my co-workers thought I was weird for wanting to publish my thoughts on security (actually, they didn’t think I had many thoughts, but that’s a different matter). The next employer knew I blogged (I brought it up in my interview) but didn’t care if I blogged as long as it didn’t interfere with work. When I was hired at StillSecure last year, my blogging was a part of the decision to hire me. My current employer, Trustwave, knows I blog, knows I get press passes because of it, but largely doesn’t worry about it as long as I don’t say anything that will impact them. All in all, I’ve been very careful to make my employers aware of my activity and keep blogging separate from the jobs that pay the bills. This blog is mine and I won’t work for a company that tries to take it over or tell me what I can write about!
But it’s a very fine line I have to walk sometimes; I’ve been getting a lot of invitations to talk to companies who will be at RSA, which isn’t surprising given that I have a press pass for the third year in a row. The majority of these companies have products that aren’t related to my day job or are only tangentially related. If their products or services interest me, which is the minority, I’ll talk to them. There’s another group who make products and have services that are PCI-related; many of these are direct competitors of Trustwave, either because they also do PCI assessments or because they offer tools that are similar to what Trustwave offers. After one such offer, I consulted with my friend Mediaphyter to get a second opinion on the tack I should take with competitors. And being the good blogger she is, she immediately turned it into a blog post.
I’ve been good about notifying competitors about my employer, even though this is information they should have known before contacting me, something Mediaphyter points out. But I make a point of not mentioning my employer on the blog or in the podcast, simply because I want to keep as much distance as possible between the two different aspects of my life. A few companies have said they’d rather not meet after finding out who I work for, a couple have been more interested, and in two cases, I’ve decided to turn down meetings with competitors because of possible conflicts of interest. It’s not worth it to me to even have the potential for conflict here, since I like having an independent blog and I’d rather not call undue conflict or drama down upon myself.
It should be no surprise to anyone who reads the blog that I’m giving preference to vendors who deal with privacy issues. I’m also looking to talk to people who have cool ‘toys’ that might be outside my normal areas of expertise, but are still interesting to me. Lastly, I’m interested in talking to PCI-related companies, as long as they’re not direct competitors. I won’t be talking to anyone who does PCI assessments, PABP code review or PCI-related managed services. I will talk to vendors who offer up products that promise to be silver bullets and make you PCI compliant by just buying their product. I’ll be nice about it, but I’m planning on asking the hard questions that many marketing folks won’t be prepared to answer. So think twice if you’re approaching me to talk to your company about PCI.
I’ll be honest, some of the meetings I’m planning on having are looking for competitive intelligence; I want to know what the other guys are doing out there. But it’s for my own education, not to take back to my employer so I can say ‘look what XYZ corp is doing’. If they want to know what XYZ is planning, they can read the blog or listen to the podcast, just like anyone else.
Bloggers are harder for PR folks to get a handle on than traditional press. I only know of a few bloggers who do it full time, and they’re all traditional media when you get down to it; blogging just happens to be their medium. The rest of us have day jobs that may or may not be influential in our writing. Some of us represent a company when we blog and when we go to events, but I think the majority of us go to events like RSA representing ourselves and our blogs instead of our employer. That doesn’t mean who we work for doesn’t affect our blogging, it just means we think our blogging is the more important factor. The PR representatives might be annoyed because the spreadsheet they get from RSA doesn’t reflect who we work for, but that’s not RSA’s responsibility; it’s up to the PR reps to do their research and make sure they’re not inviting a competitor in to find out about the products they’ll be offering 6 months from now. A Google search and looking at a LinkedIn profile doesn’t take more than a few minutes.
One last thought: I have never signed a non-disclosure agreement before I talked to a company about their product. If you bring out an NDA, I’ll walk out the door.