Finding news stories in security

What makes security such an interesting topic? 

Anthony Caruana, Co-CEO of Media-Wize and a tech journalist in his own right, joins us to talk about finding stories in security.

You write a lot for security publications, but where do you get your security news from?

I’m a bit old school. I still rely on my RSS feed to pump out a lot of content. I read multiple newsletters every morning as well. Typically the first thing I do each morning is I read a bunch of newspapers and newsletters that come through just to see what’s big in the nerdy, techy security side of things, as well as what’s big for consumers and in the general news. Sometimes things pop up there that are interesting.

I also monitor Twitter. There are particular people who I know and trust that aren’t sensationalist or ambulance chasers – they are looking at the real stuff.

Can you share some insights about the life of a cybersecurity journalist?

I’ve had some really amazing experiences along the way, particularly when I’ve travelled overseas. When you go to large security conferences like the RSA Conference in San Francisco, where there are literally 50,000 security professionals all in one place, you get to find out a lot of stuff – not just from the formal conference, but once they’re somewhat lubricated at 2am and start talking about stuff.

I remember once I had this amazing conversation with a diplomat who had worked in Leningrad during the ’70s. He was describing how they exfiltrated data out of the country and he was talking about how they were effectively stealing memory chips out of IBM typewriters. They were actually getting data from those things and would send it across the phone network unencrypted to their comrades on the other side of the ocean. He then told me about what it was like being followed 24/7 – he actually knew the surveillance team that were following him around while he was living in Leningrad. He became friends with the guys surveilling him.

One of the challenges in this industry is that there’s so much cybersecurity content. How do you look for the right news, and what is it about certain stories that makes them engaging in a valuable, meaningful way?

I have a friend who was a cadet at one of the major daily newspapers in Australia. He went through the entire process of being a cadet and now is a technology reporter, because that’s his passion. When he was working as a cadet, they had a rule for when they reported on car accidents: if three people died, that was the front page of the paper. If two died, it was page three. If one died, it was filler on some other page where they had a couple of spare inches. It was literally about finding the most sensational story to make the front page.

That’s the news business. The bigger the story, the closer to the front page it is, because that’s where the eyeballs go. People buy the paper or they click on a link because of the story.

I’m not intentionally trying to put Optus in the spotlight, but they’re obviously the big breach at the moment, so it’s front-of-consciousness for a lot of people. The initial breach was the front page – that was the three-person car accident, and it was a terrible incident and a tragedy that happened. There’s a whole bunch of reasons why it shouldn’t have happened and people are rightfully very angry about it. But what’s more interesting now is, “What did we learn from it? What do we actually know? What did Optus learn from it? And what can we do about it?”

That becomes the more valuable story in the long run. So, for example, I would imagine that there are at least 10 million Australians today who are more conscious of monitoring their credit rating than they ever have been in their life. That’s a good outcome. If the media can work to educate people to do that, we’ve learned something. It’s actually an amazing outcome if you think about what bureaucracies and governments are like.

When it comes to incident response, are you seeing any trends from companies that are doing the right thing?

If you want the gold standard on how to do communications, in respect to the comms part of your incident response, look at the Australian Red Cross Blood  Service. Their CEO was the spokesperson – and I don’t necessarily recommend every organisation uses their CEO as their spokesperson – but they had a single point of contact who delivered the message. They were apologetic. They owned the problem, even though it was a third-party service provider who was actually the direct cause of the issue. They owned it.

They laid off the emotive terms with the language they used. They didn’t say things like “sophisticated attack” and they didn’t use a lot of adjectives. Never use terms like those, please. You got attacked. It’s just a fact. “We were breached.” Just stick to that. Issuing a press release is not a good way to handle things. Issuing a communication to all the directly affected people is the right response.

My business partner Kathryn and I, at Media-Wize, we had to do incident-response comms for a large retailer that was breached a couple of years ago, and they didn’t have a plan at the time. They said, “Well, what do we have to do?” We told them they had customer and supplier data that had been hit, so there were interested parties, including shareholders, who were potentially going to be implicated in things. We wrote the emails and even the letters that went out, because they were compromised to the point where they might not have been able to access the email addresses of the affected parties – that’s how badly their systems had been hit.

You need to know exactly who you’re going to talk to, how you’re going to talk to them, and then what you are going to say to them.

Want more insight into the world of cybersecurity, digital identity, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey CEO Blair Crawford. Listen via Apple Podcasts, Spotify or your favourite podcast app.