Adopting Zero Trust
Behind the Scenes of Cybersecurity Media and Reporting


Season 3, Episode 15: We gather a panel of journalists, communications, and a researcher to discuss how cybersecurity news and incidents are reported.

Catch this episode on YouTube, Apple, Spotify, or Amazon. You can read the show notes here.

Cybersecurity journalism can be broadly split into four competing forces: reporters, communications teams, researchers, and readers. Each relies on the others to accomplish its goals, but they all have very different priorities.

  • Journalists have a duty to inform the public about security-related events.

  • Communication teams have a duty to inform the public about related incidents and research, but in a controlled setting.

  • Researchers help provide answers to communication teams and journalists.

  • Readers want to be informed of information that impacts them, and their habits shape what kind of reporting is invested in the most.

This week we explore some of these dynamics by bringing together a panel representing comms, journalism, and research to discuss the game of tug-of-war during incident response and incident reporting.

Danny Palmer was a long-standing cybersecurity reporter at ZDNet prior to recently joining Darktrace; Josh Swarz is the Senior Communications Manager at Microsoft focusing on threat intelligence; our host Neal Dennis is former NSA and has lived many lives around either keeping secrets or uncovering them; and I (Elliot Volkman) have been a reporter for two decades and work with Josh on elevating research at Microsoft Threat Intelligence.

Episode TL;DR

  • Cybersecurity communication requires a delicate balance between protecting sensitive information and informing the public.

  • Internal security teams are typically direct, transparent, and cut out fluff.

  • Journalists play a crucial role in translating complex cybersecurity information for the public.

  • Transparency is important, but it must be balanced with responsible disclosure practices.

  • Organizations should develop clear communication protocols for security incidents.

  • Regular, transparent updates to stakeholders can help build trust, and ignoring them allows others to craft the story.

  • Building relationships with journalists can ensure more accurate reporting of cybersecurity issues.

Producer’s Note

We are nearing the end of season 3, which means it’s time to start thinking about 2025. If you have topics you’d like covered or guests you would like to hear from, let us know in the comments. We’ll, of course, continue to work on our Zero Trust implementation strategy mini-series, but otherwise, Neal and I are looking forward to coming up with new creative concepts for you.

Understanding Media Dynamics in Cybersecurity

The cybersecurity media landscape is marked by tension between organizations protecting sensitive information and journalists driven to inform the public. During the chat, Danny Palmer reflected on the challenges of selecting stories, emphasizing the importance of providing readers with information that educates rather than merely attracts clicks.

Palmer notes that the media industry is constantly shifting, with journalists often pressured to cover trending stories while maintaining nuanced reporting. The goal was always to report on cybersecurity issues that would genuinely benefit readers, not just rehash sensational figures that don't help understand or solve real-world problems.

The practitioner's role in this dynamic is crucial. Josh Swarz added to this by highlighting the delicate balance in communications where transparency is key. He discussed the challenge of informing the public without compromising security operations or inciting unnecessary fear.

The Responsibility of Reporters and Organizations

For Danny, a journalist's role was to sift through pitches, filter out misleading statistics, and focus on stories that truly mattered. As a reporter, engaging deeply with the cybersecurity community meant not just covering breaches but offering insights into how stakeholders could protect themselves.

Conversely, organizations must carefully approach communications. Swarz describes his strategic approach to balancing transparency with managing public disclosures. This involves internal discussions, understanding the implications of disclosure, and ensuring that shared information is both informative and responsible. For example, exposing information too early or with too much information can disrupt active investigations and mitigation efforts. In other cases, added public attention could impact ransomware negotiations.

Communications vs. Journalism: The Fine Line

A prevalent issue in cybersecurity communication is the balance between marketing and genuine information sharing. Organizations can tip this balance unfavorably by using alarming statistics without proper context as marketing hooks. This approach can lead to misinformation and undue fear, a tactic Neal Dennis strongly advises against. He emphasizes the importance of substance over sensationalism, noting that reckless marketing often erodes trust and potential business with analysts.

Product companies must ensure that narratives promoting their solutions don't become alarmist sales pitches. Instead, they should highlight authentic research and provide clear, actionable intelligence for users. Danny typically could sniff out these stats and request more source material before considering using them. Swarz and I functionally do the same with the internal teams to ensure accuracy.

Moving Forward: Encouraging Responsible Disclosure

This episode encourages cybersecurity practitioners and communicators to embrace responsible disclosure. Researchers and reporters should focus on insights that empower the community to act preventively. For those on the business side, storytelling should emphasize actionable results rather than exaggerating risks for competitive advantage.

As our chat reveals, while cybersecurity faces challenges from threats to public perception, diligent and honest communication strategies can significantly enhance the industry's credibility and effectiveness. As responsible members of the cybersecurity community, we must promote a balanced narrative that informs, empowers, and prepares. Or, as our friend DrZeroTrust likes to say: buy the dip, because public companies almost always rebound after an incident.

Regardless of impact, we have one call to action for our audience. If you are a researcher, partner with your communication team to help identify effective ways to share your research with those that can use it most, or you can always connect with your relevant ISAC.

Show Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot V: Hello, and welcome back to Adopting Zero Trust, or AZT. I am Elliot Volkman, your producer, and today, more or less, going to be your host. Neal is doing actual cyber security work today, so we're going to have a little segment that you're probably hearing or heard just before this. But we're going to be deviating a little bit from our typical conversation about cybersecurity strategy, implementation and that mini-series that we have kicked off and we'll continue in about an episode or two. That said, I'm going to introduce you to some pretty well established folks in the world of cybersecurity as it relates to media, journalism and everything in between and the little bit of the shift of dark side.

So that is where I'm going to kick this over to you, Danny, real quick, so you have been in this space for quite a long time. I have really respected your days in journalism. You have now welcomed the dark side with open arms like Josh and I working specifically on the cybersecurity vendor tech side.

But, maybe add a little bit of color shed some light on to how you enter the world of cybersecurity and then we'll shift over to Josh. Okay.

Danny Palmer: Sure. Thanks Elliot. Yeah, I, I said I was a cyber security reporter at ZDNet for pushing eight years from about 2016 to 2023. I found my way there through, before that I was an enterprise general enterprise tech journalist, before that I was writing about the video game industry, so yeah shifted across in that path and I ended up covering cyber security because there was always something, there's always something to cover and it was always, it was really interesting as, as well.

So I spent many years at ZDNet, which at the time was, had a very high focus on cybersecurity and, did loads of different things there, covered lots of major stories, went to loads of events. I think technically, when Log4j happened, I was one of the first reporters to cover it, because it happened on US time.

When I woke up in the UK, it was there, there, all having happened. So it was quite interesting there, having seen how Google decided that I was the authority on, on, on log4j or log4ge, whatever, whatever we're going to say that we ever actually decided what it's called. So yeah, I spent many years there as happens in the media world.

As I'm sure all aware, things are changing all the time. And during my tenure at ZDNet, it changed hands to a new owner, which changed the way he wanted to do things. Eventually it there was a lot of redundancies. And we've seen a lot around in the media industry right now. Fortunately I had this role at Darktrace of lined up already at the time, which is just lucky coincidence on my part where I have moved into, I've been there about 18 months now.

And one of the key parts of my role is I've established an editorial site for Darktrace called The Inference, which is basically what I was doing at ZDNet, essentially in terms of writing long form features, analyzing and explaining cybersecurity trends. It's interesting because I don't have as much as the pressures as I had at ZD, for example, in terms of you need to get, X amount of stories out.

This week it's very much a long form process and it's it's been good. It's been good. It's been cool actually having there are many people who are, obviously I've known a lot of people from the cybersecurity industry from my time at ZDNet over the years. And it's been cool how a lot of people from there, be they, be they knew me from when I spoke to them for articles or when they did my sort of video and podcast series and that was the thing, how they've been happy to come across as well to this new project speak to me there.

It's it's it's it's been good and it's good to actually have it up and running as well because it it was, it'd be, it was, it took a while to get off the ground. But seeing it live and actually running has been really good. And I I was actually able to show it off to people at Black Hat USA this year, which was cool. And it was, that was my first time at Black Hat USA as well because, yeah, time as a reporter being based in the UK, it meant getting out there was like a tricky a tricky thing.

So yeah, rambling a bit, but that that's my background there

Elliot V: and

dig into that a little bit more because you have both sides of the brain, the fresher aspect of it. I, I don't know, this is my form of journalism today. I don't have those holdbacks that y'all had as under an editorial thumb, which pivots us right over to Josh, who if you can see if you're watching this, but he and I actually work over and support the Microsoft threat intelligence side of the house of a very large organization that has many aspects of security. But as part of that, that means Mr. Josh over here has a lot of visibility into threats, threat actors, shifting landscape, helping tell the story. But I'm going to let you cover a little bit about your background because you did not just walk into the doors of our group.

You have seen some of the largest publications been part of those largest publications. Maybe can I go from there?

Josh Swarz: Yeah, no thanks for having me and I have I have gotten into cybersecurity in a backwards way for sure. I actually start backing up even further. I started my career in politics. And I was working in Florida in the state legislature right out of college. These were during the Obama years.

And while the Democrats were in power in Washington, they certainly weren't in, in Florida. And that kind of was my introduction to, to working with many different types of people. And after politics I went back into school, into grad school, and focused my attention there actually on cyber security, is when I wrote my thesis on Chinese cyber economic espionage, met folks like General Hayden and other members of the security community.

And, and really dug my teeth into cybersecurity there. And it was actually after school that I then got into PR and storytelling. And it, I opened my career and really focused the first, decade of my career in, in cybersecurity public relations working for a variety of different agencies and a whole host of different cybersecurity companies from startups and Series A, B and C companies, as well as more established companies like Symantec and Verizon and their DBIR, of course, as well as more even more well known companies like Siemens and their industrial cybersecurity group.

And, and really got to learn the landscape and also learn how to tell the stories to reporters like Danny who, who were on the other side of the aisle, if you will. And so it was, super interesting. Got to touch a whole host of different aspects as it relates to cyber security.

And, I think it was the background in politics and working with, both sensitive and classified information that kind of got me prepped, I would say to handle this world as well, because it's very similar in many different ways. Most recently before joining Microsoft, I was at Big Valley Marketing.

It was there that we worked with again, many different types of cyber security companies, some Symantec and their threat hunter group to really interesting startups that are doing groundbreaking work and Internet security from Island and the enterprise browser that they're, they're working on as well as some VCs who are funding the cyber security community and got to see, everything from a high level and, the, the storytelling opportunities are endless.

Here at Microsoft, we touch the, obviously everything. The, the telemetry we have is unparalleled and I've been here since February. Been recent recent move, but it's been super interesting work talking about some of the biggest threat actors in the world and then finding that balance as well, where, obviously journalists are after everything and, not something that we can always disclose, but finding that balance to make sure that the story is still something that resonates and gets out there to both customers and, and the industry at large, but also the media is satisfied and, and, feels like they, they've gotten something as well.

So the, the role here as senior communications manager, working with a threat intelligence team, is really to find that balance and, and also make sure that the right stories are being told to the right audience at the, at the right time.

Elliot V: Yeah, so you nailed the topic of choice here, which is there's probably a few ways that we can do this and I will do my best not to get you in trouble just so that I don't get in trouble looking at this Danny, you're a fair game. I'm going to terrorize you the right proper way. But yeah, so this is primarily going to be a focus and a conversation of the media landscape as it relates to cybersecurity threat actors and since and everything in between.

So I want to maybe highlight a little bit of a challenging and hot button approach and Danny, I don't know if you caught this session at Black Hat, but this is the inspiration for this actual episode. But there was a, I think at least one PR person might've been to like PR comms person.

And then there was a couple of reporters on stage, basically trying to just hash out like the relationships they handle things, especially with threat actors knocking on the door reporters and abusing some of that relationship and all that nature. But that was the background for this conversation.

And I have ulterior motives as well, where I've got a bone to pick with the current media landscape of why on earth are we over indexing on the amount of incidents when it's not, anyways, so we'll go from there, but maybe Danny, I'd love your perspective having, been under that editorial thumb of you've got to move fast.

You got to publish information that gets readership and clicks. But what did that look like from the journalistic perspective from the editorial side? Like, where was maybe the priority and how were y'all communicated against covering these kind of situations? And then we can pivot a little bit further of dealing with threat actors knocking on your door.

Danny Palmer: Good question. I missed that session actually, as I, I guess with the change in our meetings at the time that was happening, but I had a back at ZD. I had free rein pretty much over what to cover. And I obviously picked out what I thought was interesting. I obviously part of it was thinking what would get traffic to the site, what people wanting to read. There was an element of no big breaking stories.

You think, okay, need to cover this. Of these, I guess my biggest example of, this needs to be a thing I need to cover. It was back when obviously WannaCry was a massive, great, big deal for everyone. That was one of the nights I was actually working quite late into the evening.

Sort of, covering, cause it was constantly changing updated story. And then I think it was overnight, a patch went out, so I was just, okay, I spent 10 minutes on Saturday morning writing, okay, here's a patch for this. No, I saw my role to educate, inform, and provide information on what's going on.

Again, story I wrote in about 10 minutes. Loads of traffic, loads of things like that. Cause it was just like, I wanted it to be out there to the party for the, no, I thought it'd be interesting people, but for the views as well. It's interesting to have when picking what to cover, that was always a challenging thing.

Cause I'm sure you can imagine. I've got pitches from so many different agencies, agencies and companies asking, Oh, do you want to cover this? A lot of the time it's, it was tricky to choose because there's so many interesting things out there to, to, to potentially cover. And I was only sort of one person on, there was obviously a wider team of ZDNet in terms of the cyber security beat.

I was what sort of the sort of for a time sort of the one person in the UK focused on that. And it basically came down to what, yeah, what was gonna be an interesting thing people wanted to hear. We had the idea in the, in the sort of the newsroom of what the story you'd want to tell your friends down the pub about, what, what, what, what, what's an interesting thing that has happened?

Little things. Like obviously phishing attacks are big, major things we're all, we're all aware of. But it was more than that. So you see, you saw something phishing campaigns where there was a particularly interesting spark in that a different thing that would be the, the goer on there.

And I think some of the stories that I really liked covering back at the time, which was sometimes quite difficult to get. When people talking to organizations. Who had suffered from cyber attacks and cyber incidents. Obviously a lot of them don't really want to talk about this at all. I've had times where, and I've called up, I called up companies who are being hit by a ransomware attack.

They go, how'd you know it's ransomware? It's, it's got all the signs of a ransomware attack, let's say. But yeah, some of the. Most interesting stories that I really enjoyed doing were speaking to these people who recovered from attacks because speaking to a, a construction company who suffered a ransomware attack and how they went about recovering from it.

They didn't pay the ransom, anything like that. And it was really, really interesting to get that insight into what's happening,

Josh Swarz: one

Danny Palmer: to tell that story and showcase it to everyone else. Cause the CIO I spoke to basically said, I don't want people going through. What I went through. I want to spread the story and say, make sure you're not ashamed.

Because there is, there's still a bit of a,

Josh Swarz: You

Danny Palmer: companies which really open out what happened. And there's the companies and organizations, which basically what happened. I won't name names, but there's a prominent organization in the UK, which did suffer a ransomware attack a few years ago, and in their official documentation, they've still never referred to it as a ransomware attack, which is interesting.

The National Cyber Security Center has, they haven't. But yeah, there's always a lot going on to choose from. And then it was always really interesting as well. Cause when I, when I did the video, video and podcast series, it was quite interesting. People started pitching that to me and, it was something that's quite bizarre, looking at the people I was being approached by, all these ex NSA, FBI guys, ex CIA, even being at events having guys from GCHQ or NCSC approaching me, wanting to chat to me, it was really odd.

Really cool, but really odd, when you only think about it.

Elliot V: Yeah, I can imagine there's a lot of interesting characters there. And Josh, I know you definitely have seen your fair share. So I think one thing that I do want to call out is so you are you, you hit a specific item, which is a core piece of this conversation, which is, as a reporter, you have a duty to inform the public about certain things, especially if it's a widespread incident attack or something of that nature.

On the organizational side, they have a duty to not release too much information because there's probably an active situation occurring. An over sharing of information could impact the public. The, the response to it there's obviously other sides, like brand reputation, all that stuff. But which we're not going to touch that with a 10 foot pole for the sake of everyone's sanity.

But Josh, I'd love a little bit of insight from your side. Josh, You and I deal with this quite frequently, but where do you see or strike the balance of the philosophy behind innocent? No specific example, by the way, just when we're getting knocks on the door, not at our current company for the sake of this conversation how, how do you approach that?

Is there a level of transparency? They come to the table, they have certain information. How do you balance that out? While protecting what you have to protect, but also recognizing again that reporters and journalists have to inform the public and tell the story.

Josh Swarz: Yeah.

certainly unique, ultimately, they're sometimes lives at stake that or, governments that have to be dealt with or informed. And obviously, most importantly, especially from an organizational standpoint, you have customers.

That you're trying to protect and notify in a timely manner. And all of that is balanced with the, with the other side, which is, storytelling and letting the media know answers to their questions as well as, informing them, when you're able to and the balance that, that is struck is, is a delicate dance.

I would say that it is always evolving and changing. Oftentimes, you want to ask yourself how will this affect. This group or that group. And also, will it be interesting? And will the media want, what will the media want to know? And so when we're, talking and prepping with our, subject matter experts, oftentimes we try to, go to them and say, look, what is the story?

Let's get the full story out there first and see what, what this is all about. And then oftentimes it's, it's, Trying to focus in on on the key points of information that will resonate with the audience while also protecting the information that needs to be protected. Certainly not something that comes easy to many people and takes practice.

But, the another point that is important to remember here is that, you're dealing with people. Everything here is, it's a person to person business and reporters have a job to do, us folks on the on the PR side of the side, also have a job to do. And the the magic happens where, where the 2 overlap and, you, you try not to view the other as anything but doing their job.

And, and when, dealing with folks like Danny when he was at ZDNet or, or other reporters, they are, ultimately they're trying to tell a story, but they're trying to gather information as, as they need it. And ultimately, not coming at the story from a combative or a defensive stance helps know you want to, you want to be open and transparent.

And sometimes the easiest, sometimes the easiest answer is the best answer, which is, I don't know, I, I'm learning this in real time. I, I'm, I'm hearing, things in real time reporters respect, I think, and Danny, feel free to jump in here as well, but I know reporters in my experience have, have always respected, being able to, when we're, When PR professionals are open, transparent and provide information and updates, in a timely, real time fashion versus deflecting and, and sometimes, coming at things from being evasive or, or, or, just flat out, unresponsive the dance goes a lot smoother usually when you are open, transparent and, and, tell them in real time what what you're able to share. They understand especially security reporters. I think they're a unique bunch and they aren't, they get it. They understand that there's things that just can't be shared. So I think it's striking that balance. And in time, you learn where where that line is.

And while it is a dance that happens every day, you just, you take it 1 step at a time.

Danny Palmer: Okay,

by a cyber incident, it was my job to call them and ask what's happening. I also felt bad about it because they've got enough on their plate already without sort of me calling them up, but I wasn't like trying to do a.

You idiots, what's going on here? It's okay, you've got this incident that's happening. Is there anything you can tell me? Just because I, I have a, just, I have a duty as a reporter to, write about this, major incident. And a lot of the times organizations, even if they couldn't tell me information straight away, later on they were, they'd be able to tell me more, especially, when I was hopefully polite on, on the phone and things in those first instances.

And, and I'm also, yeah, very, very aware that there's only so much that can be shared. I I'm aware that, in terms of any incident or cyber attack or threat group, there's information out there, which, cannot be made public because it might put, people, businesses, organizations, sources research at risk which was something that was always on my mind.

There's plenty of times where there was a lot of interesting stories where I'd report on a security company, X, and put out a report on this incident which happened to an unnamed customer. I guess in an ideal world, we wouldn't name the customer, but usually these stories were very, really interesting.

So an insight how these happened. So years ago, I wrote a story on how a vendor power report, how one of their customers was compromised by one of their employees using a laptop in a coffee shop. And, and basically sort of the, the traffic being intercepted. And that story, it wasn't, it wasn't about who did the attack or who was affected, it was about.

Here's a thing which could happen, which I think was the main thing I was trying to portray when I was writing these articles. Here's a thing which happened, here's why it happened, here's how you can avoid it happening to you. Which was, I always felt was a really important part of what I did to try and put that information out there to say, Hey, don't become the next victim of this.

Which is something that I guess know as, as someone's working for a b it was working for a B2B Tech website, it felt yeah, my duty to, to do that. So my, my, my audience would've been people work in the sector. So I think I was writing for people who had, a bit more technical knowledge than your average human, which was both a blessing and a curse in some ways, because they'd ask, you'd see comments asking for what is this thing that happened in this?

I don't know. I don't, the company hasn't told me what's happened there. I'm sorry. Or, or what the other ones are. Why have you mentioned that this particular operating window was hit, operating system was hit? Because it was the system being used, but yeah, reading the comments in any any line of journalism probably is something best done in moderation.

Josh Swarz: And I'd say that's it. That's a good point that Danny made. Oftentimes the, the simplest thing is the most challenging, right? What we're trying to do is take very complex information that that can be pages long in, in, in both technical detail and oftentimes try to really convey that to journalists and their audience within, a few sentences of this is what happened.

This is why it mattered. This is who it affected when possible. This is who it affected. And oftentimes the same approach that Danny took, which was excellent is the same approach that I feel like needs to be done more, which is, this is why it matters to you. The reporter, but ultimately, this is why it matters to your audience.

And this is what they need to know to stay protected because, the news is happening so, so quickly and these attacks are now coming. Every day, every day you hear of a new, new cyber attack and a new breach, and oftentimes, I know reporters like Danny are trying to convey how to stay protective, and what their audience can do to both protect their organization and themselves.

And challenging part really is not necessarily, sharing that information that can't be shared because journalists oftentimes know that, it can't be shared. The challenging part oftentimes is, what can be done to protect it. Yourself in the future without obviously being too promotional of the of the vendor that you're representing that that dance and coming at it from a thought leadership standpoint and with facts and point, interesting points of view that's, that's where the that's oftentimes where the magic happens.

Elliot V: So Josh, maybe we pivot a little bit. I want to try not to jump on my personal soap box too much, but I do have a bone to pick with organizations. And I think fortunately you are in a position where this is never going to be a problem because there's endless amount of Intel and research that comes out of your world, there are for the smaller security vendors in particular, they obviously have to do whatever they can to create narratives and stories that will get press pickup. And again, this is outside of your world today, but I'm curious how you look through like that lens of risk and impact to the cybersecurity community at large.

So if you're working in a smaller org, you have a new novel incident that has come across your plate, but the probability of it doing anything or the impact as it sits today is incredibly low. How do you, how do you create that balancing act? Because you, you have to represent the organization.

And again, this is not representative of where you are today. But, how do you, work with that? Is that like a, will you push back on internal stakeholders? Or do you try to provide some guidance to the reporters who, at that point, take the story and let it go wild? I'd love to know how you create a balancing act or how you balance some of those, stories.

Josh Swarz: Sure, and, coming from that point of view, oftentimes when you represent smaller cybersecurity vendors or stakeholders, they are just trying to stay in the conversation. And so the balance in that shifts quite differently than when you represent, a Verizon writer or an IBM where they obviously are already in the conversation, but then they're trying to protect information or might not be able to share as much as they would like. When working with folks that are in the early series, oftentimes what we try to do, the balancing act takes the form of points of view.

And, whether that comes from, a bold statement or a CEO that's willing to go out there, if you will, or whether that comes in the form of, an interesting stat or survey that they've conducted and have, unique insight into, but, on the flip side of things, you want to also make sure you're always adding value to whatever story that you're working on.

And when working with publications, I know folks like Danny often appreciated when the value add would come in the form of a great quote. And you work very closely with your stakeholders and the internal folks at, name your organization, to develop that and to get those quotes out there.

Oftentimes that does not come easy. Obviously, executives are oftentimes thinking of either product or, are so new. Internal facing that they lose sight of what the larger landscape is caring about. And so when, striking that balance, we would oftentimes at past firms, at least spend time with executives, spend time with the folks on the ground that are also directly involved in identifying the threats that they're seeing.

And, instead of probing them on, how this is the biggest value add to name your company they, we would try to probe and poke a little bit on, how this affects the industry, how this affects the larger cybersecurity landscape. And, and by doing that, we would be able to unearth really interesting points of view.

I would say that, is a strategic advantage that some, smaller companies have over larger ones where they're able to share more and be a little bit more open with what they can say versus, when you're, when you're larger when you're working with larger companies, they tend to be a little bit more reserved on on what they can say.

And then, working with folks like Danny and other journalists that, are telling those stories, they oftentimes appreciated when, we could give them a quote or a data point that no one else would get. And oftentimes that was enough to strike that balance that, you're still delivering the value add.

It's not while not just promoting, straight out, whatever, product or gizmo, that company produced.

Elliot V: Or clickbait too.

Josh Swarz: Yeah, all

Elliot V: Yeah. So I, there are a few items that I want to emphasize and bring additional attention and only because I can abuse this as a soapbox moment. And I'm going to make a little clip and put this on LinkedIn to yell at some people, but there's two sides of the coin that I want to reiterate again. So there's our cyber security community and then there's like the humans at large or end users, maybe. But in or through that lens of like our cyber security audience, we're not looking to create havoc and chaos, because if we're looking at a smaller organization, they find a smaller vulnerability or incident, and they want to put a little bit of too much energy behind it and start report pitching on reporters.

What ends up happening is to the cybersecurity world our listeners in particular, they are then going to get emails from their CEOs, their executives. Is this thing important? Do I care about this? Why is this getting coverage? And that is the nightmare that I think is like plaguing the like media landscape for cybersecurity.

But that means internally organizations content creators and whatnot, I think there needs to be a lens of information that needs to be delivered with that if they're going to try to highlight some of these kind of unique vulnerabilities and stuff of that nature. So that was my soapbox moment.

But again, I, I think there is value in highlighting unique and novel elements, but there just needs to be this other piece that comes alongside with showing how much impact this is, how probable it's going to have so that people in the cybersecurity world don't get those emails from executives and board members of why on earth are we not protecting against this?

Is this hitting us or our customers? And then it's the same story every other week in and out. Incidents are a little bit different. They'll just read it and gloss back over it, but it's usually the vulnerabilities, which are just a concentrating a bit of an issue. So that is my soapbox. I'm now off it, but yeah, I don't know if you have any perspective that you want to add.

Josh Swarz: I think, that's from a PR perspective. That's every PR professional's worst nightmare, right? Like, why aren't we in this story? Why, what about this? What about that? And oftentimes, that can lead to, journalists, kind of their, their complaints about, whether we're ambulance chasing or, just promoting for the sake of promoting, that it's a slippery slope because oftentimes, when there are those types of internal pressure, you have a lot of the, especially the junior folks at agencies, under quite a, quite a bit of pressure to deliver something.

And that's when oftentimes that something takes the form of hey, this cybersecurity instance just happened. You want us to comment too? And it doesn't really have any context or, or, anything that provides value add and everyone becomes miserable. So I would agree with your soapbox analysis there.

But what I would say is again, striking that balance, right? Pushing back from a PR perspective on executives when they ask, why are we not in this? Or, why, what else can we do to, to, get in front of this reporter or that reporter, they're, they're conversations that need to happen up front, and, and why are you doing this?

Who are you trying to reach? What audience are we trying to most specifically target? All those pieces of information kind of ladder into the, the generic email of like, why didn't we get the Wall Street Journal? And I think, that, oftentimes, we'll nip it in the bud because then you can focus your attention on more pressing stories and, and align internally.

Okay, these are the things that we want to focus on. These are the stories that we want to promote and oftentimes that will, will lead to a more cordial relationship with reporters. Okay.

Elliot V: For the sake of our listeners, it looks like Danny had a little bit of a connection issue, so unfortunately I'm gonna lose that perspective of our conversation unless he chimes back in. So otherwise it's gonna be the Josh and Elliot show for the next few moments and we'll go from there.

But that's Josh, I did want to poke at a couple other items that are tied to the media landscape, so you are privy very specifically to a lot of intelligence that the world wants or sometimes needs to know about. And we are constrained realistically on how we're able to do that. So reporters obviously will knock on our doors.

But do you feel like there are other communication channels to activate that information so that there are early warning mechanisms? Or on the flip side, if that's a little bit of a touchy subject is do you feel like there are mechanisms from a comms perspective that you can push internal stakeholders say we should release information sooner because it will help disrupt an attack or something of that nature?

Josh Swarz: Sure. From an intern, from a comms perspective, there are multiple channels, right? PR is obviously one of them. And it's, my bread and butter. That's what I eat and breathe. But the media is only really one stakeholder in the larger picture. You have social media and, obviously both X and LinkedIn are, are two vehicles that, should be used when, when appropriate and, and are instantaneous, you're getting your information out to the world immediately.

Blogs and, and the rise of, blog content, every, working now in the industry over the past 10 years, every company has a blog, whether, whether the value add there is there that's a, that's a kind of a different question. Sometimes they can be a little too inward facing.

And folks like Danny now on the as you call it, dark side are working hard. I know I'm trying to fix that and running blog publications to be more external facing and not about product X or not about company news X, but more about point of view on, name your threat or name your nation state threat actor.

And that, I think, has helped a lot to ease the pressure. And make sure that, information is getting out there in a timely fashion, because I know reporters also have tuned into the RSS feeds to many companies, blogs where, for instance, here at Microsoft, when things have gone public, sometimes we will get inbound requests on those blogs before, before we even have a minute to breathe, right?

Like we'll hit the publish button and five seconds later, Danny's replacement is, is, emailing. What about this? What about that? Here, here are a list of questions. And so those vehicles, I, I think have become really important to the, the security community because, in, from a security community point of view and, and strictly from their audience.

I know there are many, chat groups and blogs and websites that are, are visited frequently to make sure that, in critical information that needs to get out to the larger community is out there in a reasonable timeframe versus, what you might read in a Wall Street Journal article, right?

Or what you might see on NBC news. That's more digested information that, you know, has been obviously put out in a timely fashion and shared with reporters when, when able to share, but, might not be as extensively technical simply because the constraints are within the media as well.

It is a two-sided coin and when oftentimes, you can't go technical with most reporters. That's just simply, a fact because oftentimes those stories can't go into the weeds. They only have so many columns and in, inches and, even on a, a long form feature piece, there's only so much you can say versus when you have an own blog the sky's the limit.

So those are, at least a few different vehicles and channels that I know we certainly keep in mind when, when trying to get critical information out there. And it, it is a balance. Oftentimes, the, the critical and sensitive information can, can be impactful, both from a company perspective, but from a personal perspective, too.

The threat researchers, they're doing, they're doing very, very sensitive work. And oftentimes, the biggest challenge, from a PR standpoint is, sharing their stories and their research, but while also keeping in mind that, details about their personal information as well as about, certain aspects of their work just must, must remain hidden to protect them. And it's

Elliot V: The activation channels is like the short answer is where I'm going with this is. I constantly the curse at Reddit and all that, but like people will constantly ask, like, where do you get your threat intel, where do you get your updates and information?

And the short answer is where I was going with this is there's two pieces and Neal will yell at me if I don't answer with the second one. So the first is obvious. There's obviously a shift in the media landscape where there's less investment energy and being able to support critical reporting on cybersecurity issues and elements of that nature.

There are organizations like Scoop News Group who are investing in it further. So I, I love that and I appreciate that. But that means that as cybersecurity community members for us in particular, being able to be champions internally to tell our powers that be, we need to be able to tell these stories, be able to provide technical information that expands beyond what is being covered.

That is certainly one piece. The other is from the other elements of the members or listeners. You unfortunately have to go to the vendors, the researchers, organizations, and you can get Feedly or some other RSS feed, read the reader. You can even put up Googlers, whatever you want. But that is the short answer of like today, the media landscape is covering, certain things that get most read.

But if you really want like information, Intel, unfortunately, you just need to get as many resources as you can chuck it into an RSS reader. And that'll, that'll get you part of the way.

I think the one thing that I can ask of our listeners, if you are an analyst, you work in the SOC, you work with threat intel, whichever meeting that you have. I'm sure you got a comms or a marketing person around, go knock on their door when you have an interesting story to tell.

I'm sure they would be giddy or excited when you're like, Hey, I've got this thing. Let's tell the world about it because there's not enough of that really being published because as you had mentioned, there is a de-investment, a large swath of media brands. Now, there are obviously some that are doubling down to fill that vacuum.

That's one piece. The last one, which is where Neal would yell at me if I did not highlight this, is there are ISACs and outside of the U.S. in particular, there are CERTs. There are organizations designed for closed door threat intelligence sharing and even if it's not at that threat intelligence, it could just be IOCs and stuff of that nature.

Join them. I'm pretty sure there's one for almost everything including, Josh, mute yourself in your ears so you don't hear this. For Weed ISAC, there is one of every flavor of industry that is out there.

This is a little bit weird, but we are taking a tiny break in the middle of an episode with the magic of editing to now include Mr. Neal Dennis, who was unavailable for the first half. Also maybe had a little bit of technical difficulties, but again, magic of editing, you would never notice.

I just like to be annoying and that's where we are. So picking up maybe where we were last chatting, we have Danny who is over at Darktrace, he has been a fantastic voice and reporter in the world of cybersecurity prior to that, has since moved over to the dark side and that is where we're going to pick this up.

I apologize in advance. It's likely that we're going to pick back up or talk back over some questions that are already asked, but that's totally fine because now we have a little bit of different perspective.

So let's just jump in. The setting that we're going to lay out is again, this is definitely going to be repeating a little bit of where we are, but the two sides of the coin. So from a reporter or journalism perspective, they have a responsibility and duty to help inform the general public, their readers, to consume information.

Now there's two lines of thinking. There's like the, we need to make money side and we have to be fast and first to report on that information. But on the opposite side, they don't have the level of information, intelligence, and data that comes from within an organization. So an organization's obviously going to be a little bit more tight lipped about it.

There's an investigation in most cases. So let's go from there. Danny, you literally have lived in both sides of this equation primarily on the journalism side, but how do you, how do you balance some of that when you're trying to pull a story out and try to inform the public, now that you're behind the walls, you also have to understand that there's a bit of a brand that you're trying to protect its reputation.

Danny Palmer: Yeah, that's an interesting question. Thanks Elliot. I suppose one of the things for me is I'm fortunate in a way that I don't really deal with sort of news per se, as it is not a thing. I, I do the stuff behind the scenes at Darktrace. I also do the public facing things for the, the inference.

And I suppose, yeah, one of the things I think that I don't really write about. No, the company itself, as it were. So for example, I, I will write an article about, let's say I write my article about business email compromise. I will have a perspective from someone in the company in there, probably, but I'll also have external perspectives as well.

So is it on your points? I am seeing a lot more than I used to see. When I was a reporter, I obviously had a good reputation of lots of cybersecurity companies who happily tell me lots of things, but there was always that sort of thing where you get to a certain point and they won't tell you anymore.

Obviously now I'm internal somewhere, I see a lot more and I I have to no one's told me do not share this information or that sort of thing, but I have to make my own decisions and take into spec, what, needs to be out there, what, what, what doesn't.

And obviously, if there's an interesting thing that wants to be out there, I'll, I'll try and push for it. Sometimes I do speak to customers about things, interviews of sort of CISOs and that sort of thing. And we will talk about that, incidents or issues they are, they have had, which can be really enlightening because it's all that way.

It's interesting coming that from a new perspective as well. Cause when I was a reporter, people, even if they were approached to me, I don't know, this is a case study of a company that's, for example, company Y helps this company recover from ransomware attack. Sometimes the CISOs were really open, would tell me everything.

Other times you could tell there's a bit of hesitation on, on their part. Whilst now it's I don't so much talk about, yeah, those sort of technical things. I, I really, I won't really speak about, specific things and incidents, but the more general, I'm working on a piece right now, I've spoken to a CISO of a major company, and it covers a lot of different issues, but lots of it is around how they're adapting to things like cloud, AI, how they're upskilling people.

It's more of a sort of thought leadership conversation rather than a here's an incident we had and here's how we dealt with it. There are, there, there are examples on the, on the company website where there are the CISO source speak, oh, we, this, the company know detected this email, this stopped that, et cetera, et cetera, et cetera.

But, yeah, it's, it's I'm closer to where the sausage is made, I suppose is how I put it but I can't quite try to try to finish this metaphor here, share the sausage around so much, so to speak.

Elliot V: Yeah, that makes sense to me. And you, you're now what I would call a double edged sword only for fully biased perspective of I have the similar of we've been in the shoes as journalists where you have limited information. But you're able to now understand all that pushback that you got before is exactly what you can apply in the business sense to like, withhold or constrain information until it's ready to be released in whatever format and in the most correct platforms.

So that's where I'm going to shift over to you, Neal. You being in many different shoes, some in some of the more secretive of natures. How, how do you handle some of that information when there's requests for it? Yeah, let's just throw that out. Very open ended. Okay.

Neal: Yeah, I, I don't know how much it remembers outright about where I got my start on the commercial side, but my first non government job was building an Intel offering at a DDoS mitigation company who had a very sizable malware forensics company, just as S and G's. They did it for the fun of it because they had the resources and it was a value prop ad.

So is anything at a company that, where it's not your primary bread and butter, that value prop has to be very public and very forward. So these forensics guys did wonderful things, better than some people I saw at NSA and other facilities. Like these were very top notch guys. My job was to take that data, make heads or tails of it, be the intel analyst with it and connect dots and do all the fun stuff, additional research, pivot, so on and so forth.

But because I was also one of the primary authors of that data, that also meant that when it was published and usually it was tip of the spear type things is usually first to market awareness on a particular threat or very for both secondary stories to the first market stories that were available. So I spent a lot of time in the first 2 years of my non government career talking with reporters.

Talking with various news agencies and all sorts of things. It was a very surreal thing for me to go from being secret squirrel and not having, not needing or being able to discuss my job publicly with anyone to now magically everything's out there. And I have to figure out how much of it is guilty knowledge from my own personal perspective.

And how much of it's actually the research that led me to those assumptions combined with how much of it, once again, can I blatantly put out there in those products and when I'm discussing those products externally. So it was a weird balancing act for me to get started. News reporters will ask you a million questions and first time doing that type of stuff.

I want to give them all the answers. And then second time doing that, I realized I shouldn't have given them all the answers and realize what's going on out here in the private sector and how that impacts things. And I was very fortunate. None of the stuff I ever divulged impacted any ongoing, knowingly ongoing investigations.

And so that, that was the perk there, but it morphed into a lot of things. It went from engaging reporters and doing all this other fun stuff with them to being a normal content research guy and doing my own thing and purposely reaching out in some cases to contacts I had because I thought things were critical or important.

So it was all about relationship building. And finding someone who I could have the right boundaries with, who understood the dynamic was, I'm going to give you this nugget and that's all you're getting today and here's why I want to give you this nugget because I'm hoping it's going to get me more nuggets privately kind of stuff.

So that relationship was very key for me. And then, yeah, it's morphed into other weird things since then, but it is a weird world to go from, from all that classified data and then literally the next day be seeing the stuff in the private sector that I'd been tracking for years on the other side of the coin.

Elliot V: Yep, that is, that's an interesting point and it actually is gonna bring this full circle towards the inspiration for this particular episode which is at Black Hat there was essentially a conversation of a similar nature. However of similar minds, at Black Hat, third party or independent researchers, external research, external research, my god, words, hold on, I'm editing myself out because that was real bad. At Black Hat, you also tend to see third party or independent researchers release information that is of a similar vein of what I think you're just discussing there. It is, you have the capability and insight to pull some information out, but it doesn't directly impact you or your customers. It's a sort of like a nicest way.

And I hate to say is the uglier term is basically a marketing park to be able to draw attention to your expertise and information at the expense of other people's mishaps.

Neal: Are we still hoping to go talk at Black Hat?

Elliot V: That is the

Neal: I open my mouth.

Elliot V: They do approve all these, if not DEF CON.

Neal: My, my problem with, yeah, DEF CON, my, my problem with Black Hat is they, they kowtow to sponsors regardless of the research. And I get it. They got to make money. This was, this happens probably once every handful of years. You get a lawsuit pending against a particular presenter.

And it's usually, it's usually not a guy who's doing this from the auspice of a company he works at. It's usually as an independent researcher presenting fun stuff. And then Black Hat gets some kind of a pending lawsuit action against them. So then they have to go against the guy and then the guy just goes, fine, I'll present it at DEF CON.

Yeah, that, that's, that's that thin line there of, are you just trying to sensationalize stuff? Is it legitimate or is this things that you are truly, truly worried about? And this is a good platform to get it out on. My personal opinion real quick is if you're waiting to Black Hat, you're just sensationalizing crap.

And you're just trying to get publicity for publicity's sake. If it truly matters to you to get it out the door, then you would have already done so, and you would be asking to present your findings as published at Black Hat instead of waiting to publish at Black Hat.

Elliot V: That's interesting. Actually, Danny, I can pivot over to you because I'm certain you've covered similar situations where either people are trying to hold information or trying to use you as a vehicle to deliver that information. How did you go about navigating those situations?

Danny Palmer: The Black Hat point's an interesting one. So as you said I covered cybersecurity all year round and suddenly you'd get a million pitches in your inbox about, various things. A lot of it was interesting, but I was only one, one guy. There's only so much I could cover, especially, I was, I didn't actually get to Black Hat USA when I was a reporter based in the UK.

I did actually get to go there this year for the first time, out, with Darktrace, which was really cool. But I always thought, I always told people that if it's a really interesting thing, you can tell me about another time, that isn't around Black Hat. Tell me, a few weeks beforehand or a few weeks after, during the event itself.

There's only so much going on. And sorry, what was the question again?

Elliot V: I think it's, that, that is good context. I think to align it a little bit further. It's just about how you navigate when it's very clear or pretty evident that the researcher coming to you is basically just using you as a vehicle for their own self promotion, instead of, helping inform the world in whatever capacity is helpful.

Danny Palmer: Yeah, I, I, I, I see what you're saying now. Yeah, there's always a really interesting ones. You'd say, you'd see something like, for example, just a, a, a theoretical example, you'd get some research say, oh, we've discovered that, two thirds of organizations around the world have been hit by a ransomware attack in the last year.

And I look at that stat and go, that's, yeah, that's a sensationalist stat. I think if two thirds of orgs have been hit with ransomware in the last year, society had collapsed by now, I suspect. So there was always this sort of thing where, I guess I had a BS radar going on in my, going on in my head, where I think, as mentioned before, I don't have any sort of technical background or anything, but I've been covering cybersecurity as my sole beat for, by the time I left ZDNet, seven and a half years, and I had a few years covering it, as a more generalist reporter before that.

So I had an inkling of what is, a sort of a real, in inverted commas, story and what is just stat peddling, which I've see, you see a lot, I got very heavy in, in on that and seeing, it's sort of like saying, Oh, this is the things happen. We've seen X amount of this thing happen, which is developed by the PR marketing teams rather than guess the researchers them themselves.

And I'd usually find with these reports, even if they had some, bizarre headline grabbing stats at the front. I'd always find, so I did take the time to read these reports and papers and things. There was usually something interesting deep in the middle of the report as well, like something that wasn't flagged.

But say, for example, I remember a really interesting story by a company which sent a big, so it was in their annual report. They had an interesting story about how an organization got breached because someone, an employee was using their work laptop in a coffee shop where the sort of wifi was compromised, et cetera.

And I thought I was really interested in human story as it were. So I was more interested in the human side of it, rather than here's how it affects you. If you're saying, oh, two thirds of orgs have been hit by ransomware. That's not helping anyone really.

That's just I guess it's that sort of that sort of FUD thing that is the sort of things about where a lot of, it's a weird thing where a lot of cybersecurity marketing in some cases relies on this sort of, the bad guys are coming to get you, watch out while the maybe the researchers and analysts are not so much about that.

Neal: Yeah, I think the bullshit stats is a great call out. There's only a handful of corporations and entities globally that have what I would consider enough insights to make a claim that X is impacting everyone kind of thing, or a percentage of everyone. And even then those companies are usually very smart to caveat it as, it's from our perspective with this amount of sensor space, which is a good representative data spot for them.

And obviously not to sales pitch people, but Microsoft, CrowdStrike, Google, some of the big companies with their server spaces and other things globally as well. They truly have a sensor grid that is fairly comprehensible and does that. So if they come out and say two thirds. Depending on what it is.

Then I'm more inclined under the auspice of what they're trying to claim the data set is to believe them. But any other company comes out, I don't care who you are. I, I saw a report that very similar to that. They were like 60 some percent of, of entities had had a breach around, the last 18 months or something like that.

And then you go and you read it and it's the Verizon D bears. It's, it's a self reported response. And it had 200 people. Or something ridiculously small. Oh good for you. You, you put a Google spreadsheet out there and got a survey response. And two thirds of them responded probably because they were angry with their company.

And now you're saying that's a representative dataset. It's hilarious stuff. And, but you're right. It's sensationalism. When I was writing those products back in the day, when I had to have a really good conversation, heart to heart with marketing, and then my CTO also had to come down and talk to marketing and they were allowed to obviously use those as they should for, for promotions and things like that. Hey, look what we wrote, look what we did publish between these channels, spin up news, things, all this other stuff, but they weren't allowed to rewrite any of the taglines or any of the subjects that I'd put out, or that we as a team had reported on in general to do anything whatsoever.

So if we, whatever we put as the impact statement, that impact statement had to stay. And so I was very fortunate with my CTO standing by that to where marketing wasn't allowed to go over the top of that. Oh my God. Look at this new threat actor doing X, Y, and Z. They're going to come after you and kill you.

Buy stuff, buy stuff. Very, very lucky in that. It also didn't hurt that I was working at a company that Ultimately had very little ability to, to impact that type of stuff outright on a grand scale. That wasn't their primary product offering. So made things fun. Yeah. Sensationalism is a big deal and learning lessons on how to talk with individuals, reporters who are especially net new to that and give them the right lines and make sure you're not misquoted has always been an issue.

Elliot V: Yeah, I think that's a good point. And speaking from someone who is within the walls, you hear the dogs barking. You probably can't mute. All right.

Neal: Cocks go off outside. I have chickens.

Elliot V: Oh, and the baby's crying. This is trifecta. All right. The magic of AI will be at this. All right. I'm editing so many buttons. So speaking very vaguely as someone who has or currently works within one of those large organizations, there's also the wrath of legal teams and researchers who tend to take precedence over any kind of marketing material.

And I can just tell you it lasts like 48 hours. I copied and pasted a piece of information without context, and I saw that wrath firsthand. It is an important control mechanism. So I'm just gonna throw that out there. But anyways, to sum up what I think I've heard, and I think it depends on who we're aiming this piece of information at is from a media perspective.

If you're seeing some of that kind of iffy information, maybe ask that organization to speak to the researcher behind it and see just bypass the PR and marketing folks to get the real information.

Neal: I'll tell you what, as a consumer of products if it's, if it's a sensationalized post, at least to a sales pitch, I'm not buying your product. Even if I had it on my list to buy a very blunt, I don't, if that's how we got together, if the sales team is not, if I'm in touch with the sales rep and they're not doing that, or they're not promoting that type of content, then we're, we're still on good grounds.

But if my first foray into you as a company is an email outreach, claiming that I'm about to die and my computers are all about to get hacked or that 92 percent of everybody sees this and you're one of them. So buy me now that you're going on a do not call list. And I don't care if you're industry lead or not.

I'm not dealing with that kind of crap. So marketing can ruin it for the sales team who can ruin it for the tech team who can ruin it for everybody else kind of stuff, right? So just getting all those facts straight and making sure that whatever story as a tech producer is the story that actually makes it out to public.

So that way the company looks right in the right light.

Elliot V: I, I would argue that most of our audience from like the security practitioner side would agree to similar terms of that. I think that is a very vocal perspective that we see and one definitely baked in reality and necessary.

Neal: Danny, I got a question for you, sir. Have you ever had to be the guy who, I know you're at a product company now, so you can say no have you ever had to, or been requested to write one of the doom and gloom posts, the, the the world is ending, come talk with us posts. Have you ever had to do crap like that?

Danny Palmer: I can say, I can safely say I haven't, no, and I haven't been asked to do anything like that either. And it's one of the things, I'm not directly in the comms team, but if like for stats, for example, information, they'll ask me, would this fly with you when you're a reporter? And if I say no, it's unlikely to go out.

I think that's part, that's part of the reason I've been brought in as well as to help give that perspective where it's not going to be seen as putting information out there, which is not helpful to, to anyone. But no, I haven't, I haven't written the, I'm not on the product side of things, which is an interesting thing.

So obviously I read about and know about products. I'm trying to use the internal resources. Yes. I have not technical background, but I'm trying to get more technical for them having this access. But it's yeah, on the actual sort of thing I write on the inference. One of the key points of it is no product marketing at all.

There's no sort of, DarkTrace products do this, that, or the other. A lot of the pieces even mentioned the company in the thing, obviously say on top of the page, but it's not, for example, customer case study. I'm not talking to an organization. How did this product help you? There's the, marketing and case study team would do that sort of thing.

This is just a, these, we call them innovation conversations. It's just talking to practitioners about what they do, challenges they have, thoughts they have, which is just designed to get those views out there. And hopefully, so it's like, when I was a reporter, if you have sort of experts and practitioners talking and making comments go out there, it's helpful to others in the industry as well.

One of the reasons back at ZDNet when I did used to get these interviews with people who'd been affected by ransomware, for example, the CISO would tell me, I want to get the story out there. I want others to learn from what happened to us, which as I'm sure we're all aware, there's quite a lot of playing cards close to chest in this industry.

And I more, I saw my role back then and now to an extent as well, getting people to talk more openly about these, these things. And it's been quite, obviously the whole project is still fairly new, but it's been quite neat how contacts from my previous roles, and I don't know if anyone knew it, ZDNet, I'd be happy to contribute to this even though Scott Knopp got the gravitas and prestige of a known publication, they've, it sounds weird to say, but they've, they've done this because I've asked them to, because I guess they have some sort of, they have a relationship with me, which is nice to think of and sort of like, yeah, it was weird walking out when I was walking around Black Hat, like people stopping me, like recognizing me from either PR people who I'd been in touch with, or researchers, or just people I knew from online.

It was very odd. It's a weird place thinking that, yeah, I was quite well known in like the reporting space. So it's not a big world, cybersecurity reporters, reporting space. It seems to be getting smaller as well, for no reasons I'm sure we're all aware of. But yeah, that was a really interesting thing.

And it's interesting that how, yeah, people are still with this new role. A lot of people, not everyone, but a lot of people are still happy to talk to me and deal with me in, in this way. But one of the pieces I did at Black Hat was I spoke to DARPA about, their, their sort of cyber, cyber AI sort of protection project.

And that basically came about because in my previous role, one of the last pieces I wrote there was about a DARPA project about securing AI. And that started because they slid into my Twitter DMs. I was on holiday, and DARPA slid into my Twitter DMs. And I thought, okay, DARPA is speaking at Black Hat. How can I get this?

I don't have their contact details anymore because it's in my old inbox. I just did the same, slid into their DMs and did it that way, which was like really neat. And yeah, it's nice to, it's nice to know that, yeah, people are still happy to speak to me of these sorts of things. And hopefully that, that article that helped explain what this contest was, help put information out there. And I've said, I've mentioned it before, but I have this sort of things of this public service broadcasting ethos in what I do. So inform and educate and hopefully be entertaining narrative reads as well with the thing, the things I'm doing with, with, with what I'm doing now as well.

I have much more freedom, the long form stuff. I don't, I don't, I'm not given word count or anything like that. So it's both a blessing and a curse. When I turn in, here's a 4,000 word draft of an interview of someone I've spoken to. But yeah, it's cool to think about.

Neal: Awesome. Love it.

Elliot V: And that brings us to the end of this episode, unfortunately, but Danny, thank you so much for joining us, giving us your perspective. I know you're fresh in over to the dark side as I would like to refer it.

Neal, thank you as always to come in and bring the practitioner intelligence perspective and a little bit of that. I guess maybe product oriented one, but that's it. So if you want to join the soap box, you want to join this conversation. I feel like there's quite a few media literacy episodes that we can talk about in the future.

We'll go from there. So you let us know anyways, that's it for AZT. We will see you next time.

Announcer: Thank you for joining AZT, an independent series. Your hosts have been Elliot Volkman and Neal Dennis. To learn more about zero, go to adoptingzerotrust.com. Subscribe to our newsletter or join our Slack community. Viewpoints expressed during the show did not reflect the brands, employers,

Adopting Zero Trust
Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology.
We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.