Cyber security media coverage tends to focus on stories about risks and cyber attacks.
Scrolling around for our daily dose of tech news helps keep us informed about current vulnerabilities, attacks, and scam tactics, sure — but sometimes it can be a bit unnerving. That's why it’s important we examine what we read and ask questions as we go.
This week we chatted to Izzi Lithgow, Information Security Communications Pro, about the intricacies of making sense of security news.
“The thing with security incidents is they could happen to anyone: individual, small business, large corporate, or anything in between. That’s not meant as a scare tactic, it’s just the truth.” says Izzi.
"Knowing what’s happening in the security landscape means that when something slightly odd happens, you’ve already got a little bit of knowledge stored away.”
Security communication is different from other communication
The challenge faced by communicators in the security space is that they often need to educate and inform at the same time.
Izzi’s done a lot of communications work in incident response situations — situations where her team has had to address and manage the aftermath of a security breach or cyber attack. She’s found it’s much easier to communicate with people when there’s a level of common understanding. Once that’s in place, you can get straight to your main message.
To illustrate what she means, think of an incident like an earthquake. If you live in an area that has its fair share of them (like Wellington), you can pretty safely assume most locals understand what an earthquake is and how they should react when one happens. This shared understanding provides the platform on which other, more complex communications can be built.
Now compare communicating about an earthquake with communicating about a ransomware or Denial of Service attack. Unless people have experienced these things themselves or are security experts already, you’ll likely need to put in a lot more work to create a common understanding. This is the challenge security communications and reporting is usually up against.
Not everyone is an expert
Izzi points out the situation gets even more complex because the people who write security news stories aren’t necessarily specialists in the area. There are a handful of experts who are the exceptions, but many reporters and writers are in the same position as the rest of us, learning as they go.
There are also cases where people in the cyber security industry influence news stories with the goal of selling products or services. It’s a tough gig for journalists to present a balanced story when their sources have other motives.
Evaluating what you read
We asked Izzi for tips on how to work out whether something you’ve read requires further action or investigation, and when you may need to proceed with a more sceptical mindset.
Izzi recommends that as well as using the same critical thinking skills you’d use when reading any other news article, you think through the following aspects.
Consider who is telling the story
Is it a knowledgeable, informed source like a CERT or a well-known company like Microsoft or Apple talking about an issue in one of their products? If so, it’s probably time to listen!
Is it some random person who you’ve never heard of talking about an issue that no one else is talking about? These are signs to proceed with caution.
Look at who is being interviewed. Are they an expert in your eyes? What makes them an expert? Are they from one of your trusted sources? Read on for more on building up sources you can trust.
Think about what the issue is and what sort of technology it affects
Is it about software or technology that you recognise or use? Or is it a bit of a mystery?
Having a good understanding of the technology you use and how important it is to your business means that when you see something pop up in the news, you’re already able to make some educated guesses.
Trust your instincts
Trusting your gut is a big part of understanding whether something is legit or a bit fishy. Interrogate that feeling — there are often good reasons behind it.
Always keep learning
Reading security news gives you the chance to think about what you would do if what's being written about happened to you or your business.
Izzi suggests asking yourself some questions like: “How would you handle a data breach? How would you represent your side of the story to the public via the media? That’s not to say you need to scare yourself silly by worrying about every security edge case, but if you’re reading something that makes you wonder about how you’d handle something similar, pull on that thread and spend a little time thinking about it.”
Great advice, thanks Izzi!
Developing trusted security news sources
In Understanding Security News (our latest Security Awareness course) we suggest our learners develop their own set of trusted sources of security information — whether that be CERT-type agencies, industry groups and forums, or trusted online news outlets.
“Having a solid foundation is a great start. CERT NZ will give you the basic information that you need. You can also look to international organisations that are similar, the ACSC in Australia, the NCSC in the UK, and CISA in the US,” says Izzi.
Izzi’s pragmatic advice on adding to your trusted sources depends on what you need and your security appetite. She confesses her love for Twitter knows no bounds and says, “It’s a great place for security info even if it’s a trash fire a lot of the time.”
She adds “If you’re really interested in the security industry view, you might follow some security researchers. If you’re interested in awareness raising, there are great folk who talk about their work in that area. I’m really interested in the great work being done by women in security, so I follow a bunch of them.”
The lesson here is you don’t have to know everything about cyber security, or get too caught up on technical details. Instead, find people who make aspects of security news meaningful and relevant for you and stay up to date with what they're saying.
Making sense of it all
Izzi offers some advice that doubles up as a useful life lesson: “Take it all with a grain of salt, whether it’s news, social media, or your friend who works in tech.”
She reiterates that it's always important to think about who’s writing and who’s being quoted, as well as building your trusted sources.
Her final tip is to talk to people about what you read and learn by asking questions. Izzi says, “I’m never going to be the expert on all things security, but I have a bunch of well-read, super brainy friends who are willing to explain stuff to me (thanks pals!), and if they don’t know the answer, they often know someone who does.”
About Izzi Lithgow
As a seasoned communications professional who has focused on cyber security for the last few years, Izzi is one very smart cookie. She’s drawn to the ever-changing nature of cyber security and the unique challenge of combining communication and education in this space.
She says, “I’ve spent my career helping people understand complicated things, because to me there’s nothing more satisfying than taking something technical and complicated and making it meaningful for people.”
Izzi is the founder of Channel Agnostic, a communications consultancy focused on cybersecurity — check out her website to learn more about them and how they can help with your communications needs.
Ready to learn more about understanding security news?
We’re living in an age of information overload. News is all around us — on many platforms, and at varying levels of quality and purpose.
Security news is important and helps us to learn about risks and attacks that our companies may face. But to avoid unnecessary stress, we need to be able to read with an enquiring mind and spot less-than-credible security (and other) news when we see it.
Developing the skills to make sense of security news happens over time. But it's useful to know what to look out for, and to know who you can talk to about stories that worry or concern you.
Our Understanding Security News course can help you get these foundations in place.
What's in the course?
From basic media analysis, to developing your own sources of trusted information, our latest Security Awareness course is all about how to approach and understand security news.
We highlight a few elements to examine when considering how much confidence to put in a news article or piece of information.
Who is this course for?
This course introduces some basic concepts of examining and questioning the cyber security information we read in news articles. With online security being a topic in the mainstream media and the news we digest every day, this course is for everyone.
We love to hear from you
We hope this course encourages you and your team to keep reading tech and security news, and we'd love to hear your feedback. Drop us a line on firstname.lastname@example.org and let us know what you think.