Jeff Elder covers cybersecurity and AI for Business Insider, and previously worked as a technology reporter for the Wall Street Journal.
He was kind enough to answer questions on everything from what makes for a good cybersecurity story to how companies can elevate their media coverage from the trades into mainstream business and technology publications. Here’s what he had to say.
Mike: What makes for a good security story?
Jeff: A fresh twist on a current trend will always get my attention. When everyone was pitching stories about the security risks of remote work, I really perked up when Microsoft told me the real risks would be in coming back to the office. When everyone was bashing passwords, I really took notice when two Silicon Valley veterans took responsibility for helping to establish them. It’s not enough to offer the same story everyone else is. You need to cut another way.
What major trends or stories in cybersecurity are you interested in right now?
The lasting impacts of COVID on security are interesting to my audience right now, according to our performance metrics. What will the security industry do to replace conferences? Will Zero Trust become the norm much faster than anticipated? Will startups look for earlier exits? Will medium-sized companies become the power players over all-in-one solutions? Our traffic reports show my readers also want to understand cybersecurity – which means explaining a ransomware attack without jargon, or how Russia is targeting U.S. workers and elections in a way that captures the big picture.
How has Covid-19 affected what you cover and how you approach those stories?
I can’t get out to meet with people, walk around a company, or see what threat hunters are looking into. That means I need help capturing a scene – at The Wall Street Journal we used to ask sources to “put us in the room.” Cybersecurity is rich in atmosphere – people forget it’s a cops-and-robbers beat. I need help describing a hacker, the impressive layers of protection around a bank, or the security war rooms of the federal government. Some PR folks seem to grasp that the reader is the important audience – not your company or boss. A company might like its own press release, but that’s meaningless. You wouldn’t release a product you liked building but your customers have no use for. Your narratives are also products of your company.
What separates the most helpful sources from the least helpful sources?
Empathy. There are wonderful PR folks who realize they are a B2B business, and I am their customer. If PR helps me serve my customers, we all win. Many PR folks try to get me to do what their boss wants, and it leads to frustration for all concerned. I can’t and won’t write what your company wants me to say. But if you help me tell an important story, odds are your company will be perceived as relevant and significant.
What’s the difference between a story that’s a good fit for the cybersecurity trade media vs one that would run in mainstream business publications?
I’m rarely interested in the technical specs of an exploit, or how a threat-hunter found and addressed it – unless he or she is willing to explain it to a general audience. Some researchers want attention from their peers, and there’s nothing wrong with that. But it’s not my job to help them get that recognition. I worked in communications at two cybersecurity companies, and I know what comms folks there are up against. The company wants you to sell product, the researchers want recognition – yet no one wants to do anything controversial. But like any news item, a security story must depict conflict in human terms.
What books would you recommend to people working in cybersecurity PR and marketing?
Anything by Michael Lewis, Malcolm Gladwell, and Doris Kearns Goodwin. They are masters at taking what could be dry material and making it compelling and conversational. Security involves espionage, million-dollar crimes, national security, and fascinating criminals. If we let cybersecurity executives and researchers convince us that technical specs and promotional platitudes are the way to approach that, we’re doing it wrong. We don’t put car chases in their code; they shouldn’t put code and jargon in our narratives.