Threatpost has established itself as a must-read security outlet, covering breaking news, analyzing trends, and diving deeper via podcasts and virtual town halls. 

At the head of those efforts is editor in chief Tom Spring, who has been in the game for all the world-changing tech and security stories of the past 30 years. What catches the eye of this veteran editor? 

Tom was kind enough to tell us that, plus a whole lot more in a Q&A with solid advice for everyone in cybersecurity PR and marketing. 

Mike: What makes for a good security story?

Tom: The best articles are high-impact reports on news events, emerging trends, and the most important issues facing the Threatpost readership. Another way to look at it is, knowing your audience is paramount when it comes to delivering the best possible article on any relevant topic. Our audience demands topical stories chock full of actionable information in the context of cybersecurity news of the hour, day, week, month, or quarter.  

Hallmarks of a great Threatpost cybersecurity article include breaking news coverage, news, and analysis that include respected voices within the infosec community. And of course, an article that is cogent and free of Fear Uncertainty and Doubt (FUD) – something that is sadly too often part of the cybersecurity news hype cycle.    

What major trends or stories in cybersecurity are you interested in right now?

The river of cybersecurity trends rages – always changing and evolving. Cybersecurity is perpetually at “the most pivotal” moment ever. This is both BS and true at the same time. Today, the SolarWinds and Microsoft Exchange attacks and the persistent wave of ransomware assaults facing business are each the byproducts of the industry’s inability to get its arms around a massive business and operational shift toward a reliance on software. That includes endpoint, on-prem, and cloud (SaaX) software challenges that must not be ignored.

The common thread in all of the above is the human factor. That includes both cybercriminals and cyber-defenders. Human decision-making is behind every single successfully thwarted attack. Even the application of artificial intelligence and machine learning involves a person or team carefully considering parameters.

How humans fail or succeed in the struggle to address cybersecurity issues is not only the most interesting story to explore, but also the most important. The invention of the “wheel” had zero impact on humanity until humans capitalized on its proper application. Software patching feels like that “wheel,” however not perfectly round – yet.

How has Covid-19 affected what you cover and how you approach those stories?

Hardly at all. Sure, the cybersecurity implications of the shift to a work-from-home trend has changed what we cover. A lack of cybersecurity conferences – boutique or mega shows – has been a significant and unfortunate byproduct of the global pandemic. But, we have not stopped practicing top-notch journalism and finding new ways to help our readership empower themselves.

Logistically, Threatpost has upped its game when it comes to storytelling and adding more media rich formats to tell stories. For starters, we supplemented our in-depth reporting on cybersecurity topics with new formats, such as virtual town halls, that emphasize audience participation. Video-based storytelling and reporting (using videoconferencing tools) is also supplementing some of our traditional news-article coverage of the industry.

You didn’t ask, but COVID-19 has also shifted perceptions of what the cybersecurity community is. I find it fascinating that the pandemic is fueling the need for cybersecurity solutions as businesses become virtualized and remote workforces grow reliant on digital business productivity tools. The pandemic has grown the cybersecurity industry logarithmically, but at the same time exposes the tight-knit village of cybersecurity defenders working toward a mutual goal.

What separates the most helpful sources from the least helpful sources?

The cybersecurity PR machine can be daunting, especially when it is only self-serving. Sources, whether they be PR pushed or organically discovered, need to understand the reporter’s audience and goals. A VIP CEO who offers 10,000-foot analysis of a breaking-news security story will be little help to a reporter seeking specifics best gathered from a cybersecurity foot soldier. The best sources do not assume what a publication wants. They ask, “what level of detail do you want?” and come to the interview prepared.  

What’s the difference between a story that’s a good fit for the cybersecurity trade media vs one that would run in mainstream business publications?

James Carville famously coined the phrase “it’s the economy, stupid.” The Threatpost update is “It’s YOUR audience, stupid.” Threatpost’s singular focus is to deliver breaking news and in-depth reporting on topics of consequence to cybersecurity professionals. For us, it’s less about trying to pander to a business, trade, or consumer audience and more about delivering unique and fresh insights to cybersecurity professionals and stakeholders. Overthinking it beyond that isn’t productive.  

What books would you recommend to people working in cybersecurity PR and marketing?

Marshall McLuhan’s theories on communications blow my mind. Even though his groundbreaking book “The Medium is the Massage: An Inventory of Effects” was written in 1967, the main takeaways are just as relevant today as they were in the heady days of the late ‘60s. 

For something more contemporary, Michelle Alexander’s “The New Jim Crow: Mass Incarceration in the Age of Colorblindness.” The hope is, anyone reading Alexander’s book would walk away with a newfound respect for great journalism and hopefully also for those of us who toil away at trying to make a difference every day.