Information security is a hot topic. It’s also an industry whose significance is accelerating more rapidly than anyone can really keep up with. That goes for the CISOs and IT managers left to stem the rising tide of threats coming in from all directions, and the technologists whose products are supposed to be dealing with the problem.
It’s tremendously difficult to stay on top of where this industry is heading. That’s a precarious position to be in when you consider security’s importance in facilitating the successful operation of the digital economy, and in national defense.
But as security steps, bleary-eyed, into its new-found limelight, there are other concerns, too. Mainstream media has been sniffing round the subject for a few years. Now, in 2015, nary a day goes by without cybersecurity stories in all the major papers. But is the press – mainstream and specialist – representing the industry accurately? Is it spreading too much FUD? Are most journalists even equipped, from a technical standpoint, to convey what a security incident actually involves?
These were some of the issues tackled by a panel at Infosecurity Europe 2015 today. Tom Brewster, security reporter at Forbes, Brian Honan of BH Consulting, and Raphael Satter, AP journalist, all had their say on how the media portrays security – what it gets right, and where it goes wrong.
There were a couple of key takeaways that emphasized the work that both parties – press and security industry – need to do in order for infosec to be better represented across the media, both mainstream and specialist.
Satter and Brewster laid down the broader challenges faced by journalists in reporting. In a digital publishing environment, the pressure of the deadline is greater than ever. News rolls 24/7, and wires, PRs and vendors push out a constant stream of information. Exclusives are rarer. The pressure to be first with a story dictates pushing out content as fast as possible.
But accuracy and haste are rarely comfortable bedfellows. So mistakes get made; ‘facts’ slip through the net without being verified. This can be particularly damaging when it comes to security; after all, stories in the mainstream press might be the only exposure to infosec that a general readership ever gets. Their expectations and understanding around security are therefore heavily reliant on good, accurate reporting.
As ever, then, it’s important to get the facts right first time round. But this isn’t always as straightforward for security reporters as it might be in other fields. Many journalists now writing about security, both for big titles and smaller specialist mags, don’t have a technical background, a point Honan made during the panel discussion. Reporters might not even think to call into question some of the more technical explanations and jargon that underlie breaches and incidents, simply because, to a non-technical journalist, it’s all Greek, anyway.
“There are a lot of journalists who will republish whatever vendors tell them; we are fed by vendors. They try to control the narrative. It’s a very easy industry to lie in,” said Brewster.
Conjecture masked as facts, churned out by a vendor, if not properly checked, could be published far and wide without validation. This is the root of FUD and misinformation. If that story is about, for example, attribution of a nation-state cyber-attack, then that could be especially damaging.
Honan said: “I find the ethics of what some vendors do to get in the press to be very questionable. You actually have a responsibility to the industry and society as a whole that you don’t generate too much FUD. It’s going to be read by people that don’t understand the industry.”
So what is the solution? It works both ways. Journalists have a responsibility to check that the ‘facts’ pushed out by vendors actually stack up. Cross-checking with a host of independent sources is the best way to go about this, the panel agreed. It’s important not to re-use the same sources over and over, though, as then journalists run the risk of falling into the same trap they were trying to avoid in the first place – one-sided stories.
For the security industry, it’s imperative that it works with journalists. But communication, as Honan pointed out, is not always the strong point of the security industry. To get out of this habit of being very inward-looking and esoteric, Honan suggested that more security personnel undertake some basic media training, or even just begin to develop working relationships with journalists, where conversations do not necessarily have to be related to a particular story or feature. Having a degree of media-savviness could be crucial, particularly when a breach does happen and the reporters come sniffing.
And finally, there’s the element of secrecy that shrouds a lot of incidents – something that, as Satter pointed out, makes it very difficult, particularly in the mainstream press, to deliver clear and engaging stories. Can this veil of secrecy be broken? Possibly, but there are all sorts of legal and confidentiality issues at stake that make this less than straightforward.
Whichever way you look at it, there’s a lot both sides can do to raise the bar for security reporting, something that will, in the long run, benefit everyone, not forgetting the readers who need to know the risks they face when conducting any sort of activity online.