The Rise of Vendor-Owned News Sites Underscores the Appetite for Cybersecurity Information

Catalin Cimpanu's jump from ZDNet to The Record points to the wealth of vendor-owned news reporting outlets represented by The Daily Swig, Decipher, Threatpost, and more

(This is a special report from Metacurity available to our free email sign-up subscribers. To gain access to our archives of daily infosec news summaries and premium content, consider becoming a premium subscriber for only $5 per month or less.)

One of the most prolific cybersecurity journalists, Catalin Cimpanu of ZDNet, left the popular CBS-owned tech publication on Friday. Today he joins The Record, a publication backed by the cybersecurity firm Recorded Future. (Catalin’s jump to Recorded Future is occurring the day after the firm issued a report on its startling discovery that a Chinese state-sponsored hacking group dubbed Red Echo introduced malware into Indian power grid control systems, possibly shutting down power in Mumbai.)

Catalin’s decision to become a cybersecurity reporter for The Record highlights an intriguing and unique aspect of the cybersecurity industry, namely, the wealth of vendor-funded and fully-owned journalistic publications and outlets. Several high-profile and heavily trafficked sites owned by cybersecurity companies are looking to directly cover the industry beat in ways that don’t push their products. Unlike other industries (and many other cybersecurity companies), these news-oriented companies aren’t forcing journalists they hire to switch from “hack to flack” but instead allow the reporters to (more or less) continue plying their trade.

Cybersecurity firm PortSwigger has launched The Daily Swig, which features reports from a crew of in-house and freelance journalists.  Duo Security has Decipher, headed by veteran cybersecurity journalists Dennis Fisher and Fahmida Rashid. Despite positioning itself as an independent publication, the information security site Threatpost is owned by Russian cybersecurity firm Kaspersky Lab and employs at least three full-time journalists. (Dennis Fisher and Ryan Naraine, now an editor at large at Security Week, founded Threatpost for Kaspersky).

Rivaling Threatpost as the grandmother of vendor-owned and operated cybersecurity news websites is Naked Security, a formerly bustling news site owned by security firm Sophos that a single journalist, Paul Ducklin, now staffs. Graham Cluley, a former anti-virus programmer turned blogger and podcaster, was a founding member of Naked Security thirteen years ago.

Providing Information, Not Pushing Product, Is the Focus

The Record’s editor Adam Janofsky, who joined Recorded Future after working for the Wall Street Journal and Protocol, said that his employers look to Bloomberg as their model. Bloomberg gained journalistic traction by reporting on its famed data terminals’ primary product, rich and continuously updated financial data.

James Walker, the chief editor of The Daily Swig, said that PortSwigger, maker of the widely used pen testing and vulnerability scanning tool Burp Suite, launched The Daily Swig as part of its effort to give back to the security community with news, free training, and information platforms.  Decipher’s Fisher says that he and Rashid started the site to make it about “informing and educating people about security and not making it as scary as a lot of mainstream tech security coverage can be.”

As one of Threatpost’s founders, Fisher also has insight into its origins and mission. (Threatpost did not respond to requests for an interview.) “The idea was similar – to give people non-product cybersecurity news,” Fisher says. “Even though this was twelve years ago, security was a backwater when it came to coverage for tech publications.  A lot of it was still focused on the big categories like networking and servers and storage.”

Like Threatpost, Sophos didn’t provide anyone for an interview about Naked Security. But Cluley shares the origin of the publication, saying that at Sophos, “we thought, we got so much information, and it’s interesting, why don’t we cut out the middleman. Why do we need newspapers and magazines?” he says. “Why don’t we make ourselves the newspaper?” (Cluley shares more on the origin of Naked Security in the video below).

He tells Metacurity that the publication, once a prominent example of vendor-funded journalism, will likely end up being folded into a Sophos’ analyst publication. “It’s not going to be what it was,” he says. (Check out the video below for more of Cluley’s thoughts on Naked Security’s future).

Greg Otto, who left Cyberscoop, where he as editor-in-chief, became the “Chief Cybercrime Reporter” at Intel 471, a new cybersecurity firm. Although Otto doesn’t technically function as a journalist at Intel 471 in the same way the other vendor-sponsored reporters do, he has insight into how these publications operate.

“The thought process behind a lot of these sites is that we want to be in the conversation,” he says. “The idea is ‘let’s stand up a news outlet where we can show our expertise, and we can gain market share in terms of thought leadership.’”

Can These Publications Really Be Independent?

One big question surrounding journalism directly funded by corporate interests is whether the reporters can maintain editorial independence. The Record’s Janofsky says that Recorded Future has been “very supportive of having this being an editorially independent operation,” But, he adds, “out of my own standard there are things I wouldn’t want to be covered just out of the conflict of interests that might arise because we are financially dependent on Recorded Future.”

The Daily Swig’s Walker says that “for us, being a relatively small editorial team, it’s not a case of anything being ‘off-limits,” per se but more a case of trying to keep focused on our core remit: web security.” Fisher says that although everyone gets some guard rails from their editors and higher-ups, “we have complete editorial control over the site and we’re free to write about what we choose to write about.”

While Kaspersky Lab didn’t respond to a request for an interview, Intel 471’s Otto said, “they swear that they are independent, and I’ve never seen any coverage that Kaspersky would have their thumb on the scales in any regard. But, no, they’re not really independent. They are another arm of Kaspersky.”

Graham Cluley, who currently writes freelance pieces for cybersecurity company blogs, says that security company editorial interference sometimes “goes on a bit.” But fortunately, Cluley has his own outlet where he is free to write whatever he wants. Check out Graham below as he talks about the issue of editorial independence.

Big Appetite for This Kind of News

The cybersecurity sector appears to be alone in spawning so many of these hybrid news reporting outlets. It’s not clear why this profusion of corporate-tied news sites hasn’t taken off in other tech arenas as much, if at all. “My best thought is that cybersecurity is a unique area,” Janofsky says. “A lot of practitioners, their jobs depend on being up-to-date on the news. There is a big appetite for this kind of news. If you get  breached, that could cost millions of dollars.”

Fisher agrees. “The appetite for security content is huge, and it goes across the board to podcasts, to video, to written content, to conferences. There’s plenty of room.”

Cluley echoes both of them. “In the field of cybersecurity, there is new stuff going on every day,” he says. At one point, Sophos had so much traffic that the entire website would go down, and the IT team demanded that the three or so journalists churning out copy let them know when a popular piece was about to appear. “We denialed-of-service” ourselves, he says. Check out Cluley’s comments below on the appetite for cybersecurity news.

A big factor in why cybersecurity companies might lure bona fide journalists into jumping ship to these corporate outlets is the sheer volume of news they have to manage on a day-to-day basis in their traditional journalism jobs. “We’re tired,” Otto says. “That’s the reason I took this job. Working at an independent news shop and having to cover cybersecurity, it’s draining. The news never stops.”

Photo by Markus Winkler on Unsplash