1 ©2018 RSA Security, LLC., a Dell Technologies business

RSA VERBAL GUIDELINES

2

Our verbal identity refers to our brand voice: how we "sound" as a

company and the sentiments we express in our communications.

The RSA brand voice is built on the following three attributes:

Clear. Confident. Compelling.

These attributes were selected for a variety of reasons, among them: They're timeless,

not trendy; they reinforce our visual brand and business goals; and they're flexible.

In the sections that follow, you'll find an overview of the industry trends that gave rise to

our new "Clear. Confident. Compelling." brand voice, along with detailed guidance on

how to implement it. Please follow these guidelines carefully to ensure consistency and a

high level of quality across our communications.

VERBAL IDENTITY

3

Just as our visual brand identity underwent a major transformation in 2017, the

time has come to refresh and refocus the brand voice we use across our

external communications. Our voice as a company should reflect our visual

identity and support the same goals:

▪ Reposition RSA as the enterprise cybersecurity and business risk

management leader.

▪ Make RSA synonymous with the concept of business-driven security by

reinforcing our messaging around digital risk and the convergence of

cybersecurity and risk management.

▪ Reposition RSA as an INNOVATIVE LEADER.

▪ Ensure RSA is recognized as a trusted advisor to our business decision-

maker, technology decision-maker, partner and media/analyst audiences.

▪ Differentiate ourselves in an increasingly crowded, competitive market.

What exactly is our brand voice? It’s best summed up in the following three

attributes:

CLEAR. CONFIDENT. COMPELLING.

INTRODUCTION

The pages that follow present a business case for this new brand voice. They

provide an overview of the industry shifts and trends prompting us to reexamine

our voice and explain why the attributes clear, confident and compelling should

form the foundation. This guide also features writing tips and annotated

examples of how we can bring these attributes to life in our external

communications.

The second half of this document serves as a copy style guide for RSA. It covers

the nuts and bolts of spelling, punctuation and formatting, and takes into

consideration search engine optimization and other digital media requirements.

Creating a comprehensive style and usage guide that covers every issue a writer,

editor or proofreader may encounter is no small feat, and surely, there are entries

missing from this document. If you notice something missing, please reach out

to brand@rsa.com and we’ll consider it for inclusion in a future update.

The guidelines contained herein were created in consultation with The

Associated Press Stylebook (online edition), The Chicago Manual of Style, The

Elements of Style, and other reputable sources.

The goal of this style guide is to help RSA build and maintain its credibility by

improving the quality and consistency of all external communications. We write

for a very sophisticated audience: Our customers and prospects are well-

educated and well-read, and many of them work at the highest levels of their

organizations. Our communications must exceed their standards and scrutiny.

4

INDUSTRY TRENDS

5

Cybersecurity has become a business priority.

For decades, public- and private-sector enterprises treated cybersecurity as a technology issue. Cybersecurity teams functioned within the IT department and relied on technology (firewalls, intrusion detection systems, anti-virus software) to prevent security breaches. Business executives, already estranged from the mysterious workings of their IT departments, saw little reason to get involved.

To this day, many organizations continue to treat cybersecurity as a technology issue. But leading organizations—especially those in highly regulated industries like financial services—realize the technology-centric approach is no longer viable. It doesn’t adequately protect their organizations against today’s threats, and it’s becoming financially burdensome. As a result, they’re embracing a new approach. At RSA, we call it business-driven security.

What has prompted this shift among industry leaders?

A number of factors have converged. For one, cyber threats have multiplied in quantity and impact. From Target, Sony and Equifax to government and political targets, organizations have repeatedly seen the damage a cyber attack can create. According to an in-depth study conducted by Deloitte, the total cost of a cyber attack can easily reach into the billions of dollars for large organizations, and the financial, operational and reputational impacts can linger for as long as five years. All this has put business leaders on notice.

INDUSTRY TRENDS SHAPING THE RSA BRAND VOICE

In addition, regulatory bodies, including the European Union with its General Data

Protection Regulation (GDPR), have shined a blinding spotlight on cyber risk. In

the U.S., healthcare providers bound by the HIPAA and HITECH Acts face massive

regulatory fines for data breaches, not to mention the threat of class action lawsuits,

at a time when they’re already under tremendous financial pressure.

In the financial services sector, the global financial crisis of 2008 and the regulations

that came out of it (Dodd-Frank, Basel III) focused on reducing risk across the

industry. While neither Dodd-Frank nor Basel III address cybersecurity specifically,

these regulations have had the overall effect of heightening corporate boards’

sensitivity to risk, including cyber risk. Even if Dodd-Frank gets repealed in the U.S.,

there’s no question boards and business leaders in this sector will continue to play

an active role in overseeing cyber risk, given the potentially devastating impact a

systemic cyber attack could have on the U.S. and global economy.

Meanwhile, the SEC’s 2011 cybersecurity guidance, the Federal Information

Security Management Act (FISMA), former President Barack Obama’s

2013 executive order 13636 and the NIST Cybersecurity Framework have drawn

even more attention to cybersecurity across public and private sector enterprises.

Taken together, these factors have catapulted cybersecurity out of the back room

and into the boardroom, and have compelled RSA to transform both its visual brand

identity and its brand voice.

6

The factors that have made cybersecurity a business issue are changing

the role of the CISO. CISOs are under mounting pressure to address

cybersecurity as a business risk and act more like business risk managers

than security technologists. They’re being summoned by corporate boards

to answer tough questions about cyber risk that they’re often unprepared to

answer.

Moreover, CISOs’ traditional reporting relationships are being questioned.

Where CISOs have traditionally reported to CIOs, some organizations and

risk management experts say that structure needs to change.

The Federal Financial Institutions Examination Council (FFIEC), for

example, maintains that the CISO-CIO reporting relationship

creates conflicts of interest that heighten an organization’s cyber risk. As

a result, the FFIEC advocates for CISOs reporting to “the board, a board

committee or senior management.” Moves like the FFIEC’s to shift CISO

reporting structures will hasten changes in, and expectations for, the role.

THE CHANGING ROLE OF THE CISO

With cyber risk becoming a business issue, other stakeholders, including risk and

compliance leaders, are getting more involved. Indeed, today’s dynamic risk and

regulatory landscape is also changing their roles, along with the role of auditors

and other professionals served by the RSA Archer® business. The involvement of

risk and compliance professionals in cybersecurity could potentially set up a

power struggle between CISOs and chief risk officers, but a better outcome

would see a strong partnership between these two leaders who possess

complementary skill sets and who very much need each other to create a holistic

picture of cyber risk. Our position at the juncture of cybersecurity and risk

management gives us an ideal platform for bringing these two stakeholders

together and for championing the concept of business-driven security.

7

In light of these trends, we need a brand voice that speaks to cybersecurity as a business

risk, that resonates with an expanding array of executive stakeholders, and that helps to

educate and elevate our core audience of security leaders.

Ultimately, our external communications need to demonstrate that we understand the

business-, technology- and security issues our customers face as well as—if not better

than—they do. We need to speak the language their boards of directors and executive

teams use, and do it convincingly. We want our communications to prompt them to think of

us as thought leaders and trusted advisors capable of guiding them through their thorniest

challenges.

The clear, confident, compelling voice will have the added benefit of differentiating us from

competitors in both the cybersecurity and GRC markets. Many companies in the

cybersecurity space, including Carbon Black, LogRhythm, Endgame and FireEye, focus on

the technical and tactical aspects of their products, particularly in their web copy. What’s

more, they continue to rely on FUD marketing techniques and employ militaristic language

to describe their capabilities. Just as our new brand identity makes a clean break from FUD

marketing, so too should our brand voice.

In the GRC arena, competitors like ServiceNow and MetricStream have strong, business-

oriented messaging. ServiceNow in particular has a slick website with clear, succinct

messaging. The quality of the copy on MetricStream's website has taken a dip in recent

months, so with this verbal style guide combined with our broader campaign efforts, we

have an opportunity to widen our edge on MetricStream and close in on ServiceNow and

other competitors in this space.

BOTTOM LINE

8

BRAND VOICE

9

Our communications are an essential vehicle for

generating leads and building trust with business

decision-makers, technology decision-makers, the

media, the research analyst community and other

parties. In many cases, our written

communications represent the first interaction

these stakeholders have with us as a company. If

we don’t draw them in immediately with a clear,

compelling, positive and polished message, there

may be no getting them back.

BRAND VOICE

10

Our audience doesn’t have time to figure out what we mean or what we’re trying

to say. If they can’t understand our ideas or the benefits of our products, they’re

not going to continue reading—whether it’s web copy, a white paper or a press

release.

White papers and other content assets we use to support our lead generation

efforts are a particularly important example because one poorly written piece of

content could have a chilling effect on our ability to generate leads. Imagine a

prospective customer clicks on an RSA banner ad and comes to a registration

page for one of our white papers. The prospect fills out the form, downloads the

white paper and begins reading—only to feel confused and disoriented after the

first paragraph. The prospect stops reading and doesn't pay attention to any of

our other, subsequent marketing efforts. We've lost that lead.

Unclear communications reflect poorly on our brand and lead people to question

the quality of our products and services. Our credibility as a company is very

much tied to the quality and clarity of our communications.

Bottom line: A clear voice is easy to understand. It uses straightforward

language and short sentences to communicate complex ideas or technical

topics. With so much impenetrable writing in the marketplace, clarity can help to

differentiate and elevate RSA. Clarity is table stakes.

CLEAR

11

Example 1

An Unclear Sentence vs. a Clear Sentence

Unclear: The primary objective of the RSA

Cyber Risk Appetite survey is to understand

the behaviors and practices of organizations

in regard to cyber risk.

Clear: The RSA Cyber Risk Appetite survey

gauges organizations’ attitudes toward cyber

risk and reveals the measures they’re taking

to address it.

CLEAR: EXAMPLES

Example 2

Clear Enough vs. Crystal Clear

Clear Enough: Effectively managing risk is

critical for the success of every organization.

In fact, understanding which risks are worth

taking is one of the most important facets of

business today. Avoiding certain risks is smart

business. But playing it too safe is a sure way

to let the competition outpace you.

Unfortunately, the complexity of business, the

speed at which new risks emerge, and the

volatility of risk are all dramatically increasing.

This makes it very difficult for organizations to

adequately prepare for or respond to risk.

Crystal Clear: Today, every organization’s

success hinges on its ability to manage risk.

Understanding which risks are worth taking—

and conversely, knowing which ones to

avoid—separates winners from losers in every

industry. And yet the complexity of business,

the speed at which new risks emerge, and the

volatility of risk make it increasingly difficult for

organizations to plan and respond.

Example 3

Art Fontaine’s Blog, Threat Hunting and

the Cloud: A Dynamic Tension

Art took an incredibly complex topic—cloud

security—and made it incredibly easy to

understand. Note his use of short sentences.

Note the rhythm of his sentences.

To communicate clearly, follow these

basic guidelines:

Say what you mean. Take the time to

think about what you’re really trying to

say. See the above examples of unclear

vs. clear sentences.

▪ Avoid jargon, buzzwords, vague

words and unnecessary words.

▪ Use short, tight sentences.

▪ Be specific. Offer salient

examples.

▪ Choose your words carefully.

12

Our copy must convince customers they will be in good, sure hands with

RSA. So we need to demonstrate our own confidence and inspire the

confidence of others, preferably without constantly using the words

“confident” and “confidence” in our copy, which gets tedious for readers.

How do we do that? Through our subject matter expertise and our writing

style:

▪ We must be subject matter experts in our respective domains. We

must know what we’re talking about, and we must be able to

express our thoughts using clear, straightforward language. I can’t

underscore the importance of domain knowledge. Without it, our

communications are devoid of substance and utterly unconvincing.

▪ Writing style speaks to three elements: 1) the rhythm of

sentences—how they sound when we read them aloud; 2) the

length of sentences—how we combine long and short; and 3) the

words we choose. Weak writing doesn’t inspire confidence.

Muscular writing does.

Subject-matter expertise and style work hand in hand. You can’t have one

without the other. A white paper written by a subject matter expert who

can’t compose a lucid sentence will be a train wreck. The same goes for

a white paper produced by a writer with no knowledge of our subject

matter.

Note that while we want to convey our own confidence, we want to be

subtle about it. We don’t need to beat our chests.

CONFIDENT

Also note that the attribute “Confident” gives us wide latitude to express a

range of related traits that further reinforce our voice and what we stand

for as a company. For example, through the attribute of confidence, we

project:

▪ Positivity – We speak to possibilities. Rather than focusing on

doomsday scenarios, we show our stakeholders how our solutions

can help organizations improve their performance, and ultimately,

thrive amid risk and uncertainty.

▪ Experience – We’ve seen it all. We’ve been around a long time,

pioneered PKI and two-factor authentication, and weathered many

storms. This gives us authority in our space. Now, we don’t always

need to explicitly invoke our three decades’ worth of experience,

and we never want to come off as authoritative or parochial, but

there are subtle ways we can express our experience to inspire trust

and confidence.

▪ Innovation – RSA has been an innovator since the company was

founded in 1982. To this day, we're redefining what it means to be a

SIEM, transforming the notion of secure access, pioneering identity

assurance, and so much more.

13

Example 1

RSA Boilerplate

RSA® Business-Driven

Security™ solutions uniquely

link business context with

security incidents to help

organizations manage digital

risk and protect what matters

most. With award-winning

cybersecurity solutions from

RSA, a Dell Technologies

business, organizations can

detect and respond to

advanced attacks; manage

user identities and access;

and reduce business risk,

fraud and cybercrime. RSA

solutions protect millions of

users around the world and

help more than 90 percent of

Fortune 500 companies take

command of their security

posture and thrive in an

uncertain, high-risk world.

CONFIDENT: EXAMPLES

Example 2

RSA SecurID® Suite “Reimagine

Your Identity Strategy” Campaign

Copy

PREPARE YOUR BUSINESS FOR

TAKEOFF

Imagination. Ambition. Fearlessness.

They’re the jet fuel that launches

businesses to new heights. Your

identity strategy should be the engine

that keeps your business—and your

users—soaring.

Reimagine your identity strategy with

RSA SecurID® Suite, the industry’s

most advanced identity and access

assurance solution that helps

minimize risk and accelerate

business. With RSA SecurID Suite,

you’re free to explore a world of

limitless possibility.

Tips for communicating confidence:

▪ Use the active voice instead of the passive voice. Don’t know what that is?

Here’s an example:

− Passive voice: The suite was used to identify the malware used in a new pair of

attacks. (The passive voice doesn’t identify the actor or subject in a sentence.)

− Active voice: RSA Research used the suite to identify the malware in a new pair of

attacks.

▪ Use specific, powerful, emotive words, especially active verbs.

▪ Keep the rhythm of your sentences in mind.

▪ In general, across all forms of content, try to limit your use of long,

complex sentences. Long sentences are sometimes unavoidable in our

technical trade, but make them the exception rather than the rule because

they can easily tire and confuse readers. For web copy, social copy and

marketing/demand gen copy, keep sentences short and punchy.

▪ Avoid using military terminology and analogies. Because the U.S.

cybersecurity industry has such deep roots in the military, and because so

many ex-military officers now work in the cybersecurity industry, we’ve

appropriated much of their language (e.g., references to battlefield,

adversaries, theater of war, etc.) Sometimes this language is unavoidable

(like when we’re actually talking about cyber warfare between nation

states), but in general, it smacks of FUD and feels dated. What’s more,

militaristic language may have the effect of alienating certain groups in the

cybersecurity industry at a time when RSA is deeply committed to making

it more inclusive.

14

We want our communications to compel readers to take some kind of action,

whether to open an email, register for content, request a sales meeting,

interview an RSA executive, or simply, continue reading.

Compelling writing tells a story with speed, brevity, and at times, flourishes of

tasteful humor. It addresses the issues our stakeholders care about most, and

puts the business value and benefits of RSA solutions front and center.

Compelling writing doesn’t get mired in onerous or pedantic detail, and it cuts

to the chase without sacrificing essential background or context.

COMPELLING

15

Example 1

Opening Paragraphs of the Reimagine Your Identity Strategy E-Book

Remember when you were a kid? A cardboard box was a rocket ship ready

to blast off to the moon. Intricate castles emerged from the sand. And just

about anything—from blankets to tree branches—could become a secret

fort.

What if imagination and creativity flowed as freely in your business?

Unhindered by fear or insecurity, you’d have the courage, ambition and

hope to reach new users, deploy new technologies and grow your business

faster. You could conquer the world (or at least the marketplace).

Your identity strategy should be the wings that keep your business—and

your users—soaring.

Reimagine your identity strategy with the RSA SecurID® Suite, the

industry’s most advanced identity and access assurance solution that helps

minimize risk and accelerate business. With the RSA SecurID Suite, you’re

free to explore a world of limitless possibility.

COMPELLING: EXAMPLES

Example 2

Leadspace Copy for Networking Monitoring & Forensics on RSA.com

NETWORK MONITORING & FORENSICS

RSA NetWitness® Logs & Packets

How quickly can you detect a cyber attack? When the clock is ticking, you

want a network monitoring tool that illuminates suspicious activity across

your network and captures detailed data about potential incidents to speed

forensic investigations. With RSA NetWitness Logs and Packets you get

award-winning technology:

▪ Frost & Sullivan 2016 Global Network Security Forensics Enabling

Technology Leadership Award.

▪ Best SIEM – 2015 & 2016 – American Security Today Homeland

Security Award.

16

▪ Consider the rhetorical question. Pose rhetorical questions that hit on core issues for our audience,

but don’t overuse this device.

▪ Create urgency. Note that creating a sense of urgency around a topic is different from peddling in fear,

uncertainty and doubt. There’s an inherent urgency to our subject matter. It’s OK to play this up, but be

judicious about it.

▪ Think about tone. Tone is critical to making a point and connecting with your audience, and it’s

essential to positioning RSA as a trusted advisor. The tone you employ may differ depending on the

topic you need to address and the format in which you need to address it (e.g., social post vs. blog vs.

press release vs. e-book). The tone of the Reimagine Your Identity Strategy e-book, for example, is

inviting and conversational and reflects the tone of the broader Reimagine Your Identity Strategy

campaign. In contrast, the tone of the RSA NetWitness Suite “Can Your SIEM Do This?” campaign is

punchy and direct. Content writer Mary Summerall uses humor to great effect in her writing to connect

with the audience and to inject some levity into the otherwise serious business of managing risk. The

humor she uses demonstrates our understanding of our subject matter and our ability to make light of it

(when appropriate), just as audience does from time to time.

▪ Use facts and data. Whenever possible, use facts to make or substantiate a point. Look to research

RSA has conducted first. Avoid research from direct competitors. Data may also come from

government sources, credible media outlets and industry groups. Always cite your sources, either in-

line with a hyperlink or with a footnote or endnote. Don’t overuse numbers or statistics.

▪ Omit unnecessary words. Strong writing is concise. Every word in a sentence must have a purpose.

If it doesn’t, delete it.

▪ Focus on business value and benefits. Articulate the value of our products in clear terms.

TIPS FOR COMPELLING WRITING

17

COPY STYLE GUIDE

18

The copy style covers the nuts and bolts of proper spelling,

punctuation, usage and formatting. Here you'll find guidance on

how to spell cyber- words, when to use the serial (Oxford) comma,

when to use the &, when to use hyphens, how to format endnotes

and more. Please follow this guide closely to ensure quality and

consistency across all RSA communications.

This bespoke style guide was created in consultation with the AP Stylebook, The Chicago

Manual of Style, The Elements of Style and other reputable sources.

Creating a comprehensive style and usage guide that covers every issue a writer, editor or

proofreader may encounter is no small task, and surely, there are entries missing from this

document. If you see something missing or have questions about a style issue, please

contact brand@rsa.com.

COPY STYLE GUIDE

19

AM and PM (for time, all caps, no periods.)

among (not amongst)

antimalware (all one word, for SEO and because the AP Stylebook

offers conflicting guidance on anti- terms like this.)

antispam (all one word, for SEO and because the AP Stylebook offers

conflicting guidance on anti- terms like this.)

antivirus (all one word, for SEO and because the AP Stylebook offers

conflicting guidance on anti- terms like this.)

boardroom (one word, always lowercase, per AP Stylebook and

Webster’s New World Dictionary.)

board of directors (always lowercase, per AP Stylebook.)

business-driven security: The guidance on business-driven security

has evolved significantly since RSA legal first established it in February

2017 and continues to mature. Please refer to the following guidelines

when trying to determine if/when to capitalize business-driven security

and when/how to use the trademark symbols. Do not base your decision

upon what you see online or in existing collateral as much of that is now

out of date.

1) If you're writing a white paper, e-book, blog or similar type of content

and you're referring to business-driven security as a general concept or

approach to managing cybersecurity in a sentence, write business-driven

security using all lowercase letters and without the trademark symbol.

Example:

GUIDELINES FOR SPELLING

Business-driven security is a way of breaking the silos of security and

business risk, and aligning business initiatives with security from the

onset. Organizations that embrace a business-driven security

approach position themselves to establish visibility across systems,

use analytics to drive insight, orchestrate response and gain the

contextual intelligence to put security details in business context.

2) When using business-driven security as a branded phrase in the

context of RSA products/services/solutions, use the following

typographical treatment with appropriate trademarks, regardless of where

it appears (print/digital ads, e-book, white paper, web, etc.):

RSA® Business-Driven Security™ solutions

Note the capitalization of the B, D and S in the above. Also note that

"RSA®" must immediately precede "Business-Driven Security™" and that

a noun, such as solutions, must follow "Business-Driven Security™" to

apply the trademark symbol properly. The noun is always all lowercase in

running text; in a headline, it would be initial capped (e.g.,

RSA® Business-Driven Security™ Solutions).

On subsequent references to RSA Business-Driven Security solutions,

you can omit the trademark symbols, but continue to capitalize the B, D

and S. To protect our trademark around this term, as much as possible,

try to use "Business-Driven Security" as an adjective, in the context of

RSA products/services/solutions.

20

3) When using business-driven security in creative for print or digital ads,

use BUSINESS-DRIVEN SECURITY (all caps) when it appears in

headlines or as part of the RSA® BUSINESS-DRIVEN SECURITY™

lockup. As long as we have the trademark symbol (™) in the lockup at

the top or bottom of the ad, it's not needed in the headline or payoff

copy.

4) Never abbreviate business-driven security as "BDS" in any

communications, internal or external. BDS more commonly refers to

Boycott, Divestment and Sanctions, a fiercely anti-Israel activist group.

5) Exceptions to the above rules: Currently, there are only two exceptions

to the above guidelines:

Conference signs and PowerPoint template - It is OK to use

"Business-Driven Security™" without RSA® before it and "solutions" after

it on conference signs and as part of the branding on the PowerPoint

template.

Dateline in press releases - It is OK to separate "RSA" from "Business-

Driven Security solutions" in the dateline of press releases. Example:

Bedford, MA — April 5, 2018 — RSA, a global cybersecurity leader

delivering Business-Driven Security™ solutions to help manage

digital risk, announced today…

cloud (always lowercase when referring to clouds in the sky or cloud

computing.)

crowdsource (one word, per AP Stylebook.)

GUIDELINES FOR SPELLING

crowdsourced (one word, per AP Stylebook.)

crowdsourcing (one word, per AP Stylebook.)

cyber attack (two words, even though the AP Stylebook spells it as one word, because

we’ve always spelled it as two words, it’s better for SEO and it appears to be the

industry standard. LogRhythm, FireEye and Rapid7 spell it as two words.)

cybercrime (one word, per AP Stylebook.)

cybercriminal (one word, per AP Stylebook.)

cyber risk (two words, per AP Stylebook and because it looks weird when combined.)

cybersecurity (one word, per AP Stylebook.)

cyber threat (two words)

decision-maker (hyphenated, per AP Stylebook.)

decision-making (hyphenated, per AP Stylebook.)

e.g. (latin for exempli gratia and means for example.)

e-book (hyphenated, with the b in book lowercase, per AP Stylebook and Webster’s

New World dictionary. This is a departure from the way we’ve written e-book in the past,

but it avoids awkward and unnecessary capitalization.)

email (no hyphen, all lowercase, per AP Stylebook.)

21

end user (two words when used as a noun, per AP Stylebook. Also OK to just

say “user.”)

end-user (hyphenated, per AP Stylebook, when used as an adjective, e.g., end-

user computing.)

enterprise-wide (hyphenated)

ET (for eastern time zone, not EST or EDT.)

healthcare (one word)

i.e. (Latin for id est and means in other words.)

internet (lowercase, per AP Stylebook)

internet of things (lowercase, per AP Stylebook; do not put internet of things in

quotation marks, as the AP Stylebook instructs.)

IoT (abbreviation for internet of things and a good term for SEO)

jump start (two words, no hyphen; this goes against AP Stylebook, but

punctuation always looks weird in headlines, and this word gets used frequently

enough in headlines.)

kick off (two words when used as a verb, per AP Stylebook.)

kick start (two words, no hyphen; this goes against AP Stylebook, but

punctuation always looks weird in headlines, and this word gets used often

enough in headlines.)

GUIDELINES FOR SPELLING

login (one word, when used as a noun or adjective)

log in (two words, when used as a verb)

mobile (use this word, not mobility, when talking about smartphones, tablets, wearables and

other small, portable computing devices.)

mobility (refers to cars, bikes, wheelchairs and other things we use to move around.)

multi-factor authentication (hyphenate multi-factor because it’s used as a compound

modifier; does not make a difference for SEO.)

OK, OK’d, OK’ing, Oks (not ok or okay, per AP Stylebook.)

on premises (two words when used as an adverb, e.g., The solution runs on premises.)

on-premises (hyphenate when used as a compound modifier, e.g., RSA supports cloud-

based and on-premises systems.)

percent (one word; spell out when used in a sentence, per AP Stylebook. Use the symbol

(%) in tables, pie charts, bar charts and infographics. For tweets and other super-short form

social content, feel free to use %.

PT (for Pacific time zone)

RSA 1) We refer to the company as RSA, not as RSA Security. 2) Never use RSA in the

possessive form, e.g., RSA’s SecurWorld Partner Program. Instead, rewrite as The RSA

SecurWorld Partner Program.

RSA® Business-Driven Security™ solutions/architecture/strategy: See page 19 for

"business-driven security" for details.

22

RSA® Adaptive Authentication

RSA® Adaptive Authentication for eCommerce

RSA Archer® IT & Security Risk Management

RSA Archer® Enterprise & Operational Risk Management

RSA Archer® Regulatory & Corporate Compliance Management

RSA Archer® Suite

RSA® FraudAction™

RSA® FraudAction™ 360

RSA® FraudAction™ Cyber Intelligence

RSA® Fraud & Risk Intelligence Suite

RSA® Identity Governance and Lifecycle (note that the legal name of the product

does not feature an &, but use & in place of “and” when RSA Identity Governance

and Lifecycle appears in a headline.)

RSA NetWitness® Endpoint

RSA NetWitness® Logs

RSA NetWitness® Packets

RSA NetWitness® NetWitness UEBA

RSA NetWitness® Orchestrator

GUIDELINES FOR SPELLING

RSA NetWitness® Platform

RSA® Risk & Cybersecurity Practice

RSA SecurID® Suite

RSA SecurID® Access

RSA® Web Threat Detection

siloed (per Webster’s New World Dictionary)

silos (not, siloes, per Webster's New World Dictionary)

technology-centric (hyphenated)

third party, third parties (no hyphen when used as a standalone noun, e.g., We

conduct rigorous due diligence on every third party.)

third-party (hyphenate when used as a compound modifier, e.g., third-party risk, third-

party vendor.)

two-factor authentication (hyphenate two-factor because it’s used as a compound

modifier; does not make a difference for SEO.)

web (lowercase, per AP Stylebook.)

website (lowercase, per AP Stylebook.)

well (hyphenate as part of a compound modifier, e.g., well-deserved.)

white paper (two words, per AP Stylebook.)

Wi-Fi (hyphenated, capitalize W and F, per AP Stylebook.)

23

abbreviations and acronyms – Use well-known abbreviations like ERP, CRM,

SaaS and ISO without spelling out. Spell out lesser known terms on first reference

and include the abbreviation in parentheses. Always spell out abbreviations when

it matters for SEO. (e.g., write “identity and access management” instead of using

“IAM” throughout your document; the same goes for “governance, risk and

compliance” instead of “GRC” and “enterprise risk management” instead of

“ERM.”)

business-driven security - See the guidelines for this term in the Spelling

section.

capitalization – Capitalize proper names but avoid unnecessary capitalization in

sentences. Resist the urge to capitalize random words in a sentence. Technical

and business terms are often erroneously capitalized in sentences.

company names – Use full names when we refer to other companies on first

reference in a white paper (e.g., Gartner Inc., Forrester Research Inc., Microsoft

Corp., etc.) It demonstrates respect. Note that we don't use a comma between the

company name and Inc. or Corp.

composition titles – Put titles of blogs, e-books, white papers, etc. in italics when

used in a sentence. Example: Download our guide, The 3 Keys to Faster Threat

Response, to get the details. Do not put quotes around titles of blogs, e-books,

white papers, etc. when used in a sentence. In headlines, our titles should be

written in all caps and put in bold, per our visual branding guidelines.

days of the week – Spell them out in running text. Abbreviate only when

necessary to save space in a social post.

GUIDELINES FOR USAGE

Dr. vs. Ph.D. – The AP Stylebook recommends saying a person holds a doctorate in X

subject. However, we always use “Dr.” with Zully even though he is not a medical

doctor. Use whatever the individual holding the Ph.D. prefers.

email addresses - Write them in all lowercase--e.g., brand@rsa.com.

endnotes – Follow the various formatting guidelines from The Chicago Manual of

Style. When citing a specific blog entry or a report or news article published online,

hyperlink the title of the report/blog/article in your citation. Example: Arthur

Fontaine, Threat Hunting and the Cloud – A Dynamic Tension (July 18, 2017).

footnotes - We don't use footnotes. Follow the guidance for endnotes.

fractions – Spell out when fractions are less than one (e.g., one-half, two-thirds), use

numerals when greater than one.

months of the year – When a month is used with a specific date, abbreviate only Jan.,

Feb., Aug., Sept., Oct., Nov. and Dec. Otherwise, spell out all months when using them

alone or with a year only (e.g., January 1972). Use numerals or abbreviations as they

make sense for social media, but remember that Europeans put the month second in

numerical abbreviations (e.g., 11/2/2017 for February 11, 2017.)

numbers/numerals – In general, spell out numbers one through nine. Use figures for

10 and above and whenever preceding a unit of measure or referring to ages of people,

animals, events or things. Use numerals in tables.

phone numbers – Use periods, not dashes or parentheses, to separate numbers in

the series. Don’t use a “+” or a “1” before the area code. (e.g., 800.599.0140)

24

Possessive use of RSA – Never use RSA in the possessive, e.g., RSA’s customers or RSA’s

SecurWorld Partner Program. Instead, rewrite as RSA customers… or The RSA SecurWorld

Partner Program…

RSA - Refer to the company simply as "RSA" (not as RSA Security) in interviews with the media

or when indentifying an employee in an article (e.g., "...says Zulfikar Ramzan, CTO of RSA.")

subheads – Use title case. Only capitalize the first letter of the important words in a subhead;

don’t capitalize small words like the, a, in, etc.

trademarks and service marks – Use the appropriate trademark(s) upon first reference to an

RSA product or other trademarked term/name in text, even if those trademarks have previously

appeared in a title or logo. No need to repeat trademark usage after the first reference to the

product or company name. When referring to another company’s products, look up their

trademark guidelines and apply them as required. We should make every effort to acknowledge

other companies’ trademarks and service marks as a sign of respect for their intellectual

property.

urls - When writing out the web address for the RSA website in a print or digital ad or in a call to

action at the end of a blog, white paper or other content piece, use all lowercase and do not use

"https://" or "www." Just write it as: rsa.com. Use shortened URLs for campaign landing pages

(e.g., rsa.com/reimagine). The link community website should be written as: community.rsa.com

or community.rsa.com/training.

GUIDELINES FOR USAGE

25

& - Use this symbol in product names (e.g., RSA NetWitness® Logs &

Packets, RSA Archer® Enterprise & Operational Risk Management) and in

headlines unless use of the & will undermine SEO.

% - Use this symbol to refer to percentages in infographics, pie charts and

bar graphs. Feel free to use the symbol when referring to percentages in

tweets and in other social posts with character count limits. When referring

to percentages in running text (e.g., in a sentence in a white paper or blog),

spell out percent.

bulleted lists – No punctuation at the end of a bullet that’s a simple phrase.

For bullets that are declarative or imperative sentences, put a period at the

end of each.

commas – Avoid using a comma before “and” in a simple series. Only use a

comma before “and” in a complex series or to clarify the meaning of a

sentence. Never put a comma after the words and, but or yet when they

begin a sentence, unless they’re followed by a dependent clause (e.g., Yet,

when I have time, I like to drink tea.)

em dash – Use the em dash (—), not the en dash (–), and note there are

no spaces around the em dash.

endnotes - Follow the various formatting guidelines from The Chicago

Manual of Style. When citing a specific blog entry, report or news article

publishing online, hyperlink the title of the report/blog/article in your citation.

Example: Arthur Fontaine, Threat Hunting and the Cloud - A Dynamic

Tension (July 18, 2017).

GUIDELINES FOR PUNCTUATION & FORMATTING

exhibit/figure titles – Follow this format:

Figure 1: Biometric Authentication Adoption By Industry

Figure 2: Use of Two-Factor and Multi-Factor Authentication

hyphen – Per the AP Stylebook: In general, the fewer the hyphens, the

better. Use them to avoid ambiguity or to avoid combining too many vowels

or consonants (e.g., socio-economic, pre-emptive, shell-like).

punctuation within quotation marks – Per the AP Stylebook, the period

and the comma always go within quotation marks.

Questions?

Contact brand@rsa.com for help.

rsa.com/brand