With global cyber-attacks again seizing headlines, I’ve been thinking about how cybersecurity coverage has evolved over the years. In the last 12 months alone, the topic “cybersecurity” fluctuated wildly in our Top Conversations in Tech – ranging from the #9 spot to #16. We’ve seen the coverage of the topic spike every time there is a major attack or breach, and then level off as the public’s attention turns elsewhere.
Clearly, this remains one of the big technology stories of our era – and that’s not likely to change as the threat has only increased over the years.
Just consider the recent spate of breaches ranging from the SolarWinds attack that penetrated over 100 companies and 9 federal agencies, to the attack against a Florida water treatment plant that almost poisoned an entire city. To learn more about what it has been like to cover all of this from a journalist’s perspective, I sat down with Robert Hackett, senior writer and tech editor at Fortune and CyberWire editor, John Petrik. Here’s what they had to say:
Q: How has covering cybersecurity changed over the past 5 years?
RH: Scale. Massive, sprawling hacks now take center stage. Whereas Snowden’s leaks and Sony Pictures’ infiltration were the top stories five or so years ago, now it’s the world’s dependence on complex, interconnected systems that is causing the most mayhem. A shift started happening around the time that the WannaCry and NotPetya cyberattacks spread like wildfire in 2017, and the trend has only accelerated since. Most recently, ginormo-breaches linked to SolarWinds and Microsoft Exchange are demonstrating the magnitude of the problem (and our collective vulnerability). Speaking personally, also, my coverage of cybersecurity has changed because my beat has expanded in recent years. I also cover tech and business broadly, markets, fintech, cryptocurrency, quantum computing, science, etc.
JP: Today, there has been a growing willingness on the part of government agencies to speak with the media about cybersecurity. Over the last year, obviously, we’ve all had to deal with sources far more remotely than we have in the past. For example, a lot of the coverage we once would have given to, and derived from events, has dried up.
Q: What would you say are the biggest cybersecurity trends to watch for in 2021?
RH: The biggest cybersecurity story right now, at least from an American perspective, is the U.S.’s recovery from recent major state-sponsored hacks spearheaded by Russia, China, et al.
JP: We’re watching what appears to be a shift from malware distribution to credential harvesting and social engineering. This seems to be going on with both state actors and ordinary criminals. One thing we hope doesn’t happen, but to which some signs have been pointing, is active cyber-sabotage of critical infrastructure. Attacks on electrical power grids would be particularly dangerous. Other hot topics this year include SASE as an architecture and zero trust as an approach. And maybe not this year but coming up soon, we expect to see more on 5G, quantum computing, machine learning (which is actually becoming an evergreen of sorts), and connected car security.
Q: As someone who engages with communications teams every day, what advice would you give to someone trying to work with you on a story? Has that advice evolved at all over the past 5 years?
RH: Like most journalists, I receive thousands of e-mail each week. Often, I have fractions of a second to review each one. So, my perennial advice for PR people is: Keep it brief. Also, when pitching a story, approach it from the perspective of a journalist rather than as a marketer. Ask yourself, what is the headline here? Does it warrant coverage? If no, how could some tidbit fit into a broader story, limning some larger trend? Lastly, keep in mind that relationship development is a slow burn.
JP: a. Don’t waste the editor’s time. Most of the rest of the advice flows from this. Know something about the publication you’re pitching. Don’t pitch them stories that are outside their interests. We are a cybersecurity news service, and we’re often pitched ordinary IT stories, which is perhaps understandable, and also stories about online gambling, which shows the media outreach person isn’t really paying attention, and even stories about the big opportunities that await us in the cannabis industry, which are just baffling. If an outlet doesn’t run sponsored content, don’t pester them about it. If all their copy is staff-written, don’t try to push contributed content on them.
b. In your pitch, get to the point. Tell the editor immediately what you’re offering. For example: “Tomorrow the Apogee Company will release its new network monitoring solution,” or “The Max Ordinate Company’s researchers have identified a new Krasnovian threat actor,” are much better than, “Have you ever wondered how enterprises can keep up with the threat? As Sun Tsu said, ‘know thyself and know thine enemy and thou will triumph in a thousand battles!! Since the beginning of the Internet people have wondered how they can keep track of the packets moving around their networks. Have I piqued your interest?”
Never begin an email with “My name is…” Presumably they’ll see your name in the signature block. This is as amateurish as writing in all caps.
c. Have something to say, not just something to sell.Don’t pitch what amounts to an ad. If you want advertising, then by all means buy advertising. But if you’re pitching a story, have something to say as opposed to just something to sell,
d. Use a PR firm.Finally, by all means pick a PR firm, and pick a good one. Some firms don’t do media relations well, some don’t know your industry, and some will hand you over to a rookie or an intern as soon as they’ve won your business. Media outlets get to know PR firms, and they’ll pay more attention to communications from the ones they’ve come to trust and respect. We certainly do.
Q: What topics do you think you’ll focus on the most this year?
RH: The gnarly effects of misinformation and content moderation, the decentralization enabled by new cryptographic technologies, the regulatory tug-of-war over privacy, and the ever-simmering struggle between global superpowers.
JP: We’ll be watching trends in threat actors, their goals and objectives, and their TTPs. We also expect to be paying attention to the security implications of the shift to the cloud.