Guest Post by Greg Young
Cybersecurity is often about connecting dots, and sometimes the rationale for those connections isn’t immediately obvious. I can remember when folks argued that privacy was not related to security, but those dots are clearly connected today. So why are we talking about connecting the dots between cybersecurity and media literacy? Being ‘literate’ means having the ability to both read and write. So ‘media literacy for cybersecurity’ is a two-way street, meaning that being media literate involves understanding both the consumption and contribution of news and information related to cybersecurity.
This type of media literacy involves asking questions like “Is this fake news?”, “Is this email a hoax or scam?” or “Is this a real article about an attack or is it just a repeated myth?” In the past weeks, there has been controversy concerning the validity of a story about computer hardware being tampered with via the supply chain. If the story is true, this is a significant call to action. But the concerns over the accuracy of the story have kept most organizations from acting. Just today, during a group call, we were discussing a publicized attack and the first question we asked was “Do we know if this is even real?”
Media Literacy for Cybersecurity
Cybersecurity is interesting because the news items can be so compelling. It’s the nature of an industry based on knowing about attacks on digital systems and information and defending against them. With so many sources of news and media, it’s important to understand if a story related to cybersecurity is sponsored by a vendor. If it is, it’s crucial to determine how the content is moderated or edited, or if it’s a full-blown advertisement. I’m cautious of “top product” lists unless there is a clear methodology and it isn’t just an ad masquerading as an article (sometimes known as an advertorial). I was just speaking with a colleague this week about the assertion that a large security vendor made years back at an RSA Conference that “in four years there will only be four security companies.” This opinion (clearly a bad one) was misguidedly treated as fact.
Another media issue to be aware of is when a state or lobby organization backs news or articles that are positioned as neutral reporting. Recognize when there is an axe to grind, and when that position is truly being assessed and reported on without bias. Attribution is a tricky issue in the world of cybersecurity and can often conceal someone’s true intentions. It’s important to ask ourselves how someone else could benefit from angling the news this way.
What can we do?
The good news is that the cybersecurity mediascape has matured and there are many ‘known’ reporters and writers who do their due diligence to understand the facts and report on them without bias. We encourage the public to get to know who these voices and sources are, and to trust and follow them closely. As in many other areas of journalism, reporters can change publications quite often, so it’s important that we all understand the difference between a source publication and the reporters behind it. It’s like following a sports team versus the athletes themselves.
Being media literate in the world of cybersecurity means knowing the credible journalists covering the stories about this industry. They are the ones who are very concerned about separating fact from opinion, disclosing any conflicts or biases, and helping readers and viewers understand what is being directed to them. They uncover the truth and say no to fear, uncertainty and doubt.
During Media Literacy Week, take a moment to ponder the importance of the media in this industry, and be a bit more involved in how you assess and access the news and information created because of it.
Greg’s focus is on enterprise-class security. Greg is keen on sharing the reality of security in larger organizations, and how business can be done securely in those environments. As a Research Vice President with Gartner for 13 years, Greg advised thousands of companies and governments on how to better secure themselves, evaluated and advised hundreds of security vendors, and has seen those same technologies successfully used, abused, put on a shelf, or pushed into a deep hole and never to be spoken of again. At Gartner he led research for network security, threat trends, data center security, cloud netsec and microsegmentation. He authored more than 20 Magic Quadrants for firewall, IPS, WAF, and UTM, and was Conference Chair for 4 Security Summits. He headed several large security consulting practices, was CISO for the Department of Communications, and was Chief Security Architect for a security product company. He was a commissioned officer in the military police and counter-intelligence branch working as a Certifier/Accreditor at the national authority, and received the Confederation Medal from the Governor General of Canada for his work with smart card security. Greg was named in the “12 Most Powerful Security Companies” and as one of “100 Most Powerful Voices In Worldwide Security”. Greg too often mentions he was an extra in 2 episodes of Airwolf.
Favorite Quote: “Knowledge is of no value unless you put it into practice” – Anton Chekhov
Chat with Greg on Twitter via @OrangeKlaxon and on LinkedIn