Ethical Challenges in Security Public Relations and Silicon Valley – Bryan Scanlon

Bryan Scanlon is the principal of Look Left Marketing. I first met him more than 15 years ago when he joined Schwartz Communications and he shared an office with me. I quickly realized he was one of the sharpest, most insightful PR pros I have ever known.

In his interview with Ethical Voices, Bryan provides great insight and advice on a number of topics including:

 Please tell us a little bit more about yourself, your job and your career

My roots are heavily in writing and creative writing. I did journalism, photography, and a number of things along those lines before I moved into PR. I had a PR job for a summer working at the college I was going to and, promptly, the president got fired in a very dramatic event. So, I was really thrown into it. Throughout my career, one of my main paths has been dealing with crisis or really difficult moments for companies. My second career path is technology. I eventually ended up running a lot of enterprise technologies at Schwartz Communications, moved out to California to run at office, and then finally became president of Schwartz. That led up to an acquisition by MSLGROUP, where I ran a global technology practice, and worked with some very large companies like PayPal.

Today, I’m the principal of Look Left Marketing which specializes in enterprise and infrastructure technology. This is the stuff that makes the world go around. It makes your computer or your transaction safer, better, faster. It makes people smarter and enable them to use data to make decisions. Or, quite frankly, the plumbing that keeps the digital world running. We take those very complex and technical topics and translate them down into a more digestible level.

What is the most difficult ethical challenge you ever confronted in your career?

For me it was a situation around 9/11. I was one of three or four of the very senior people in our security and enterprise practice. It turns out, there were some clients; and I don’t think that they really understood what they were doing, where folks were like, “We’re in the security business. We need to be on television right now, because we believe that it’s really going to be a cyberattack that’s next. They’re going to come after the critical infrastructure. We believe this is just the beginning.”

And in retrospect, the answer seems really easy. But, like all ethical dilemmas, in the moment, it’s a little difficult. Because, one, you’re running pretty high on emotion. We were in the PR business, so we always looked for opportunities to get clients on television. And we often took risks and tried to seize moments. But, that debate did not last long in my head. It was just, the answer was, “No. You really can’t do this.”

I asked every single one of those people. “Are you an expert in terrorism? Because those are the people that will provide value in this moment, or are you an expert in building design and construction, and safety? Then you could be of value to the public and to journalists.”

But, this notion of doing the fear mongering, which exists a lot with security even today, was just not right. And I remember one client was like, “Well, you work for me. You should just do what I tell you to do.” And I said, “Well, we cannot work for you. You can’t do this.” And that was the first time that I ever uttered those words of, “We could not work for you.” And say I am willing to walk away, because this is a line I’m not going to cross. For me, looking back, it seems like a “No duh” moment. Of course, you would do that. But, again, I think all ethical challenges in hindsight look like easier decisions than they are in the moment.

What is your process for working though ethical challenges and issues to come to a decision?

I think there’s a couple of questions that I now ask myself every day, and I encourage our staff to ask. In a very heated moment the first thing I always try and focus on is:

  • Stop Spinning. Stop thinking about what we should say, what’s the best way to say it. I want everybody to take a deep breath, and I just want to understand the facts. I don’t want any spin on them. That grounds you very quickly, and doesn’t let you get ahead of yourself. Too often companies instantly go into, “How do I make this better?” Or, “How do I get out of it?”
  • Hit the big reset button – Say, “I have a lot of questions about what happened, about what could happen, what we could do about it, but I’m not going to issue one recommendation on what we say or do until we understand that.”
  • Ask “Why?” We have to ask, “Why are we doing it? What is the purpose of this activity? What is the benefit for the company? What is the benefit for the world and the society, and what is the benefit for customers?” In other words, what problem does it solve for them? If you don’t like the answer, you’re just doing it for some hype-y purpose, or just to maybe make somebody happy, that’ll give you an ethical barometer on which to base a decision.

How do you convince people to take your recommendations?

There are three main ways.

  • I love to point companies back to their mission statement, because that is the ideal barometer for a company. I love to point them back to their mission and say, “Have we just gone off our mission? Did our values and mission change?” I find that that’s a little bit of a shake.
  • I use my experience. I share war stories where things have gone horribly wrong, or gone amazingly right because you did the right thing. Give those examples.
  • As an agency executive you’re an outsider in some ways to companies. I have found that getting out of the politics, there have been times where I literally picked up the phone and called a CEO and said, “Please don’t do this.” And that works. Worst case you say “I can’t be part of this. So, if you’re going to do this, it’s going to be without me and my agency.”

What are the ethics issues you see are unique or important around security PR?

There’s an absolute arms race going on, where it’s the bad guys versus the good guys, and the bad guys are, quite frankly, really well-armed and very intelligent. And they’re winning in some fronts. When an arms race happens, the rhetoric gets really high.

And I think what we’re seeing in security now is some companies making some very big promises – they make claims like, “We will stop all breaches.” Or, “We make breaches irrelevant.” And I really find that language extremely disturbing. For me, it’s like saying, “We have a safety collision system that we’ve just put in a car, and you’ll never have a crash.” Well, you could disable that and still have a crash. You could have somebody just back into you and have a crash.

That is creating these very, quite frankly, dangerous statements. There are so many vendors in security now. An average enterprise has like 80 or 90 different tools. And they all sound like they do the same thing, and in that kind of really high-stakes, risky environment where critical infrastructure could go down, or money gets stolen. Or, medical devices could be hacked. There’s a lot of room for hype there. And the market’s very crowded, so it forces you to one-up your competitor. And when you put both of those things in, you get this hype machine that keeps going higher and higher and higher and higher.

Things have to change, but there’s this temptation every day to do the, “The sky is falling. The sky is falling. The sky is falling.” People are getting very tired of it and the ultimate danger is we just become numb to it, and people stop listening to the important stuff.

How do you get people to stop the hype when your competitors are doing it?

The first question I ask is, “Let’s talk about facts. So, you say you can stop all breaches. Has your system ever been breached? Or all your customers, did every one of your customers not have a breach?” And the answer is, of course, “Well, of course, no. But that was other technology that got breached.” And it creates this discussion of just how farcical those claims could be.

And then, we apply, why are we doing this? What is the problem that we’re trying to solve? What is the pain that the customer really is doing, and how do we target that? And third, applying a belief system. And I think in security, there’s a lot of cooperation between the vendors despite all of this hype and rhetoric. Because they really believe in one thing, that there’re some bad guys out there, and we need to stop them. There’s a serve and protect component. And I think if we can steer people towards that, and remind them that that’s really the business that we’re in, things work out okay.

What is the ethical process for reporting a breach or risk your security company uncovers?

There’s this thing called “responsible disclosure” that is very common in the security industry. The really good guys, and I would say the vast majority of companies, abide by it. So, if you found a flaw in a version of Windows, or in an Alexa device – responsible disclosure’s tenets basically say this: I’m going to contact that company and tell them that I found that problem. And they’re going to have a chance to fix it, or have a patch available, before I disclose that. So, when you go public, you’re disclosing something that is likely already fixed or solved, or you’re contributing to the education of everyone of what they need to do to download or patch.

It’s something that we always ask our clients. Did you disclose this? Do they know? Is the patch going to be ready? Because, there is pressure in that competitive environment to release that news quickly before some other researcher reveals it.

There are people who have done a big show of disclosing vulnerability without contacting the company, and I find that highly unethical. And those people, I think pretty quickly, get some shade cast on them. You really never want to put a user at risk.

However, there is this other disturbing thing that’s happening a little bit in that I’m seeing the arms race come into play. Where, as part of that responsible disclosure, you’re inevitably telling other researchers, and those researchers then, themselves, face an ethical dilemma of when do they jump on it? And I actually had an instance last year where we were doing pre-briefings before responsibly disclosing a bug in critical infrastructure. And a reporter called another researcher, and that researcher quickly put some stuff together, hacked it, and then released it, and went ahead of our deadline, and risked going ahead of the problem being fixed. I think that’s not appropriate.

You have spent half your career in Silicon Valley. Are there any ethical issues that you’re running into that you think are unique to the Valley?

I think there are a few.

  • I think there’s a lot of money right now for companies, And I think any time that there’s money involved, ethics gets involved. You found a dollar on the street. Pick it up. What do you do with it? Right? And that’s a very basic ethical debate that is exacerbated when we are dealing with hundreds of millions of dollars. This creates ethical pressure.
  • The second macro thing is there is this incredible and very dangerous work culture that has emerged in Silicon Valley, where if you’re not always working, and always connected, and always at the next party to network, and always just available 24×7, you’re somehow acting irresponsibly in the gold rush. Let’s be clear. There’s clearly a technology gold rush happening right now. And if you’re not mining every day, then you’re somehow missing out.  There are people I know who basically don’t sleep, or they’re always on their phones. And I think, as a business owner – Are people getting enough time off? Are they getting enough connections? Can one person be in on call, the old-fashioned way? There is a doctor on call, and that’s the doctor who’s just going to handle this thing if something comes up. This worries me, because I think people burn out really fast, and then they also start creating mistakes. And some of those mistakes are going to be ethical. They’re just going to move too fast.
  • The third thing, I think, is privacy. There are enormous companies in the world, but particularly in Silicon Valley, who control and have an enormous amount of personal information. And I think we are at this watershed moment of, what do you do with that information? How do you collect it? Who do you share it with? And how do you use it? And if we go back to that belief framework that I started with, I think we’re at the moment where that has to be applied very rigorously.

And if you think about us as marketers, we’ve always thought about, what’s our traffic like? How do we get the numbers up? How do we get more leads in? We need to collect more emails so I can go to sales and show them all these leads that we’ve had. And it creates this, again, this arms race where the chart always has to go up to the right. I think that that’s a bit broken, now. We need to think about, well, why are we collecting this data? And what am I going to give somebody in return?

If we’re going to use that data to market out, how are we giving something of value to people? I think there’s been this great movement to inbound marketing, but it has also created this very dangerous thing where you’re just gathering emails, pulling in these nets of giant email addresses. And quite frankly, you’ve reached the point where the oceans have gotten over fished. There’s just too much. We’ve gathered too much of that data, and now we’re responsible for it. And it’s really hard to be responsible for that volume of activity, and continue to add value with those folks.

I’ve seen companies do really wonderful things where every three or four months, they have the guts to send a note out to say, “How are we doing? Do you want to stay on our list? Is there any of this content useful to you?” And if somebody says no, they let them go. Two years ago, that was unheard of.

How do you balance the time demands and expectations?

To fix this you have to set expectations pretty early on clients, on what the time it takes to do things. And pick good clients, and not be afraid to say, “Listen, this is just not for us. The chemistry’s not right.”

I find myself, sometimes, telling clients, “We’re just closed tomorrow. It’s a holiday. I am here, if something really urgent comes up. Just text me.” Or, one person will be the pager, on-duty for that. But, it’s hard, because there’s a time element in public relations. There’s this notion of seizing the moment. I think all of us have done the award applications that I talk about when you seize that moment. I think there can be this, “Oh, my god, I’m going to miss the moment.”

And what’s really interesting is, a very good photographer friend of mine has taught me that there’s always another moment. If you miss a picture, there will be another sunrise. There will be another moment where a dad picks up a child and puts him on their shoulders, and there’s this intimate moment to take a picture of. There will always be another moment. But I think in business, we said that that’s never the case, but there will be. I want to be clear, though, you still have to jump on those moments when you see them. You still have to be looking for them, and do that.

And I think people have to take time off. I took a major sabbatical at 45. I was very fortunate to be able to do that. I would say 90% of our people in our profession probably can’t. But, I think they should start planning on figuring out how to do that. And if they can’t take a year, how do I take three weeks once every few years? News is a very difficult animal right now to navigate. It can really wear on you, and I think that’s when you start making mistakes, and you start losing your drive. That’s where everybody’s unhappy.

Have the guts to recognize those moments, not only for yourself, but for your staff.

What is the best piece of ethics advice you were ever given?

I think probably the best piece of ethics advice I got was not professional, it was personal. I was basically told, “You have to understand, this is not something you can fix. You can’t fix this. There is no incredibly heroic effort that you can do to just make this go away and pretend like it never happened, or to avoid what is going to be a very hard road for potentially the rest of your life.”

There are just some things that you cannot control. And PR people love to control things. But there are just some things that you can’t control, and you have to let go. Because if you take all of that home with you, or you carry it with you, it just, it becomes a weight that is unbearable.

You’re going to miss things, there are going to be mistakes, and for me, the true character of anyone is what happens in those moments. How do you get past the mistake? How do you re-earn trust, if that’s what you have to do? What did you learn from that?

Mark McClennan, APR, Fellow PRSA
Follow Me
Mark W. McClennan, APR, Fellow PRSA, is the general manager of C+C's Boston office. C+C is a communications agency all about the good and purpose-driven brands. He has more than 20 years of tech and fintech agency experience, served as the 2016 National Chair of PRSA, drove the creation of the PRSA Ethics App and is the host of


Leave a Reply

Your email address will not be published. Required fields are marked *