You’ve just finished any one of the numerous cybersecurity assessments that are common today. Congratulations… but now what? A-LIGN’s SVP of Marketing, Brian Gladstein, describes some of the ways to leverage that final report and drive new revenue into your business, starting with a press release and an announcement plan.

How to Announce Your Cybersecurity Assessment with a Press Release 

You’ve just finished your SOC 2 examination, or received your HITRUST certification, or you’ve completed any one of the numerous cybersecurity assessments that are common today. Congratulations! It must feel good to have the project behind you… but now what? Turns out there are many ways to leverage that final report to help build trust with customers, strengthen your brand, and drive new revenue into your business. 

I think it’s safe to say that most people involved in the audit process would not consider themselves “marketers”. In fact, for many, the very idea of self-promotion can be off-putting. But these days, cybersecurity assessments play a critical role in business. They generate trust with a future business partner or serve as a competitive differentiator that wins over a prospect. In this post I want to focus on how to announce your cybersecurity assessment report, and I’ll share some tips I’ve learned after 20 years marketing in the cybersecurity and high–tech industry. 

So, whether you’ve got a marketing department or a PR firm writing press releases for you, or it’s something you’ve got to do yourself as an executive at a small business, I hope these pointers and specific examples below will help you get the biggest impact from your assessment report announcement. 

Building a Plan 

The heart of any announcement like this is the press release – and I’ll dig deep into what to include in that write-up shortly. But press releases don’t exist in a vacuum – you need to get people to read them – so before I write a press release I like to think of how I’m going to get the word out. There are a few easy ways to do this: 

• Publish on the wire. There are a variety of wire services that distribute news reports to journalists and news organizations, for example newswire.com ($199 per press release) or Cision/PRWeb ($99-$389 per press release). Find the best fit for you if you don’t use a service already.  
• Create a blog post. Press releases tend to have a formal writing style, but a blog post is your chance to make a more personal, human statement about how you take your customers’ security seriously. Be sure to link to the official press release you’ve published. 
• Post on social media. Create a catchy graphic (Canva.com is always a great resource) and post about your report on social media. Ask employees to like and share – the increased engagement will help your post get more visibility. 
• Email your customers. Don’t underestimate how important a short email announcing the report can be for your customers. Point them to your social media post and ask them to share with their own networks. 
• Showcase your badge. Adding the certification or assessment badge to your website, email footers, and other marketing materials can be a quick and easy way to share the achievement with stakeholders. I’ll be sharing more tips on how to feature your certification on your website in an upcoming blog post – stay tuned! 

Finally, for important customers and other critical business relationships, it might be worth picking up the phone or integrating the announcement into a regular customer success cadence – that all depends on the ins and outs of your specific business ecosystem. 

Writing the Press Release  

Let’s get to the writing. I’m not going to go through all the basics of writing and formatting a press release from scratch – there are a number of resources online for that such as this article from Forbes or this one from class:PR. Start with one of those templates and approach the press release as follows: 

• Focus on one main idea. Before you put pen to paper, think about what the one, single idea you want your readers to walk away with. You’ll undoubtedly ground the main idea in the news of your report, but you have the opportunity to go beyond just the facts here. Why did you conduct this? What does it mean for your customers? How does this report reinforce your company values? A good press release delivers one powerful message and everything is written to reinforce that message. Start with the end in mind and you’ll end up with a strong press release. 

Write your main idea down as a statement, for example: 

• We have successfully completed our SOC 2 examination, demonstrating our commitment to protecting customers’ user profiles and personal information. 
• We have successfully completed our FedRAMP certification, allowing us to serve a significant portion of the Federal market with our cloud-based product. 
• We are proud to announce our HITRUST certification as part of our increased focus on third-party privacy and security across our vendor ecosystem. 
• Create a clear, newsworthy headline and subheading. No one will read your press release unless they believe it’s interesting, and they determine that by scanning the headline and maybe the subheading. Take plenty of time to iterate on these first two phrases until you get something that stands out. Shorter is usually better, but don’t water it down too much. Get that main idea in there and drive it home. 

Here’s an example that is a great place to start: 

MyCompany Completes SOC 2 Type II Audit, Reinforcing Its Commitment to Data Security
Unqualified audit by independent firm provides assurance to cloud-based customers entrusting MyCompany with sensitive information.

• Get right to the point. If you’ve never heard the phrase “buried the lead,” it’s what happens when the important news is so far down in the article that the reader never gets there. People today have short attention spans, so strip out any marketing fluff and get the main news and value points right up front in that first paragraph or two.   

CITY, State, Date — Company Name (include link), a (one line description about Company), today announced its successful completion of its System and Organization Controls 2 Type II (SOC 2 Type II) examination for the period of review period, as it looks to (statement about why this report matters, such as demonstrate its commitment to protecting customers’ sensitive information).  

The independent examination, conducted by leading cybersecurity assessment firm A‑LIGN, validates that Company’s security practices and controls meet the Trust Services Principles and Criteria for security, availability, and privacy over an extended period of time. 

• Use quotes from your leadership and your auditor. Your second or third paragraph should be a quote from your CEO or similarly prominent figure at your company, explaining why this assessment matters in clear, readable language. You can also throw a quote in from your auditor further down the press release (A-LIGN is always happy to provide quotes for our customers).  

“Our customers rely on us every day to process critical information that contains sensitive data, which makes protecting that data a top priority for us,” said Executive’s Name, Title of Company. “We are proud to have completed this important examination and assure all our customers that we take security as seriously as they do.” 

• Give readers a “next step”. The final paragraph or two of your press release is a good opportunity to describe a little more about the audit you went through and how readers can learn more. 

Established by the American Institute of Certified Public Accountants (AICPA), the SOC 2 examination is designed for organizations of any size, regardless of industry and scope, by ensuring the personal assets of their potential and existing customers are protected. SOC 2 reports are recognized globally and affirm that a company’s infrastructure, software, people, data, policies, procedures and operations have been formally reviewed.  

In addition to performing a SOC 2 audit on an annual basis, Company will make the report available to current or potential customers upon execution of a non-disclosure agreement (NDA). Visit www.company.com/trust for more details.  

• Include boilerplates for your auditor and yourself. Every press release ends with the ABOUT section, a standard description of any company mentioned in the article. These boilerplates are helpful to people scanning many press releases so they can get quick context about the subject of the article without having to do research. Be sure to include contact information for both you and your auditor so people know how to get in touch.  

About A-LIGN     

A-LIGN is a technology-enabled security and compliance partner trusted by more than 2,500 global organizations to help mitigate cybersecurity risks. A-LIGN uniquely delivers a single-provider approach as a licensed SOC 1 and SOC 2 Auditor, accredited ISO 27001, ISO 27701 and ISO 22301 Certification Body, HISTRUST CSF Assessor firm, accredited FedRAMP 3PAO, candidate CMMC C3PAO, and PCI Qualified Security Assessor Company. Working with small businesses to global enterprises, A-LIGN experts and its proprietary compliance management platform, A-SCEND, are transforming the compliance experience. For more information, visit www.A‑LIGN.com.   

Other Press Release Tips 

There are a few other concepts worth keeping in mind as you write your press release. 

• Don’t treat the press release like ‘marketing’. These articles function much more effectively when they are written clearly and down-to-earth. Use fact-based, direct language that sticks to the who/what/where/why/how. 
• Keep it brief. The main body should be no more than 4-6 paragraphs, a couple of sentences each. 
• Be relatable. Avoid technical and industry jargon, and write for the average reader. Talk about your accomplishment, but always put it in the context of how your customers and partners will benefit. 

More Resources Coming Up 

The announcement of your cybersecurity assessment is a big deal. That’s why you should treat it that way. And stay tuned for more tips on marketing your cybersecurity assessment including training your sales team, adding it to your website, and more. 

Want to talk more about how to market your cybersecurity assessment? We are happy to help.