Derek B. Johnson is an award-winning reporter who currently covers cybersecurity, elections, and federal policy for CyberScoop. He’s also frank in his advice about what stories catch his eye and what expert commentary falls flat.
In this Q&A, Derek shares his thoughts on the heart of a good security story, trends he’s watching right now, and how subject matter experts and PR people can be more helpful to journalists.
What makes for a good security story?
The best security stories are the ones that are interesting, impactful and have DETAILS. So many companies want to promote their latest incident response or a really good hacking story but are reluctant to talk about them in anything more than general terms. While this is understandable, details (who is the victim, who is the adversary? How did the attacker gain initial access? What exploited technologies or brands did the victim use?) are what makes any story good, and that is true for cybersecurity stories as well.
I turn down the opportunity to cover really interesting case studies sometimes because the principals are not willing to provide enough to make our readers care. They won’t (and can’t!) get excited by a headline of “Unnamed company X is hacked by unknown actor Y.”
I also regularly tell PR professionals that a “good” story pitch is often one that they would be sharing with others and bringing attention to even if they weren’t being paid to do it. If you can put yourself in that mindset, it becomes a lot easier to understand which pitches will get traction and which won’t.
What major cybersecurity trends or stories are you interested in right now?
Elections, data privacy, anything related to the federal government that is about cyber and hasn’t been covered yet (or widely covered). The security implications of AI tools and the efforts of tech companies, researchers and government to make them less prone to abuse.
What advice do you have for industry experts and others that would help them understand what you need from an interview?
See above. DETAILS!
There is also a propensity for private sector sources, sometimes on the advice of marketing or PR, to try to work in a plug for the company or its tools/technology/products when commenting on a story. Stuff like “Our EDR platform would have caught this attack” or “Companies can mitigate this threat by emphasizing X or investing in technologies Y or Z” when the company’s core business works on X or sells technologies Y or Z.
Nearly 100% of the time, doing this makes the reporter less receptive to using their quote, as well as suspicious that the source is more interested in using the interview to promote their products than offering genuine, vendor- and product-agnostic security advice.
What’s the difference between a story that’s a good fit for security media vs one that would run in a business or technology-focused publication? What distinguishes a CyberScoop story from one in any other outlet?
Hmm, tough question, as CyberScoop could probably be described as both.
The word “Scoop” is in our name, so that provides some hint! While we publish plenty of non-scoop content, we are always looking to prioritize instances where we can be first or get exclusive coverage.
Beyond that, CyberScoop tries to go deep with its coverage and highlight the thoughts and observations of folks who are directly in the center of an ongoing story or at the very least on the outer edge.
For example, if we’re writing about something happening at the FBI, we would first look to speak with someone directly at the agency. After that, we’d look for former FBI/DOJ personnel who worked on the same or similar issues and know how the internal bureaucracy works, were at the agency relatively recently and can leverage their contacts to provide granular, unique insight on a topic.
We often get pitches for interviews and canned quotes from people who — frankly — are simply not in a position to provide real or valuable insight on a story. Your identity expert may be a great source for some stories, but probably shouldn’t be commenting on the latest ransomware attack when they have no first-hand knowledge or involvement.
If you could change anything about how cybersecurity companies communicate about their products and services, what would you improve?
I think recognizing that we receive dozens if not hundreds of pitches from various people and organizations every day is an important point. If your strategy involves blasting out mass emails that aren’t tailored to a specific outlet or reporter’s beat, or that don’t appear to have much value beyond promoting a client, it’s usually not going to break through with most reporters.
Sometimes a PR person will send me a list of clients and sources along with the topics they specialize in and can provide true expert analysis on. Those are often helpful and align with the kind of source vetting we often use to determine whether someone is worth interviewing for a story.
What books/podcasts/other resources would you recommend to people working in cybersecurity PR and marketing?
Hah, I truly have no idea what to recommend here. I’d say picking up any high-profile book about the genre from prominent cybersecurity journalists will give you great insights into the kind of angles and questions that we are interested in pursuing. Sorry, wish I had a better answer here!