InfoSex Sells: The Disconnect Between News Priorities and Cyber Security Defense Priorities
July 27, 2011 | Posted by: Michelle Schafer
Perhaps more than any other IT discipline, computer security is a news-driven business. Security professionals turn to the media for information on the latest threats; company executives often worry about the latest breaches. An organization’s ability to defend itself may depend on its ability to find out quickly about a new attack; in security, breaking news rules.
But does the judgment of the media always match up with the priorities of the security professional? As two professionals who study the news closely – one from the public relations side, one from the journalistic side – we agree that the answer is no. In this blog – and in our forthcoming panel, “InfoSex Sells: The Impact of the Media and Public Opinion on Security” at BSides Las Vegas next week – we’ll be discussing the way in which media may skew security priorities and create problems for security professionals. And we’re soliciting the help of two other experts – Mary Catherine (MC) Petermann, who runs PR and corporate communications at Barracuda Networks, and Mike Mimoso, Editorial Director for Information Security/SearchSecurity.com – to give varied and interesting points of view on this topic.
On the news side, journalists are typically taught to seek out unique, important, and immediate stories for their audience. In security, these requirements often draw reporters to threats that are new (think zero-day exploits), that affect the most users (malware and spam), or that are different from previous attacks (Stuxnet, Project Aurora). All of these are considered “hot news,” because they are timely or because they could potentially affect large numbers of users.
On the security professionals’ side, however, a different picture is painted. In the recent listing of the Top 25 Most Dangerous Software Errors, the SANS Institute and Mitre Corp. described the top three threats as SQL injection, buffer overflows, and operating system injection attacks. These types of exploits are as old as the hills – and not particularly sexy from a news perspective – and are seldom written about. The security audience is clearly being underserved by the media in some areas, while perhaps being overserved – and overhyped – in others.
From a PR professional’s point of view, the problem is that there are so many factors that influence a security reporter’s decision on what to write about and how to play it. Unlike other areas of IT, the security industry is highly influenced by a core group of “rock stars” called security researchers. The most well-known of these can create a wave of news all by themselves, by revealing a few vulnerabilities that might lead to security breaches. Similarly, a Twitter message, placed at the right time by an influencer in the security industry, can create a wave of reaction, both in the media and among security professionals.
Mainstream media, too, play a part in security priorities. While a security industry trade publication might write about a nasty threat that’s emerging on the horizon, that story may never be seen by top executives. When “60 Minutes” did its story on Conficker last year, however, you can bet there were CEOs all over the world calling their IT security people, asking them what was being done and how fast. That’s a case where a mainstream news story may change the priorities of the security team – whether the threat is real and imminent or not.
Journalists’ priorities – and the many sources that influence them – don’t necessarily match well with the security team’s priorities. Some stories may be overhyped, causing executives and security teams to place them too high on the task list. Other threats may be underhyped – or not written about at all – because they don’t have the “sex appeal” to draw in large numbers of readers. In both cases, the security professional is left with an inaccurate picture of the problem – and frequently, a skewed notion as to what to do about it.
In our BSides talk next week, we’ll take a closer look at some of the disconnects between news priorities and security priorities, as well as how the news is created in the security industry. We hope that by showing attendees the news process – and the many factors that influence it – we will give security professionals a filter for reading the news, and a realistic view of what news stories should (and shouldn’t) change their agendas.
If you’re at BSides Las Vegas, please stop by and join the discussion on Thursday, Aug. 4 at 1:30pm PT. If not, we hope you’ll take a look at the recordings of our session that will be available after the event. If you’re a security professional, your view of what’s news may never be quite the same.
--By Michelle Schafer, Security Practice Director, Merritt Group & Tim Wilson, Editor, Dark Reading
Comments
July 27 2011 - 05:15 PM | by Sean Kerner
gr8 title for a panel. Truth of the matter though is anything but ‘sexy’ - my .02.