Steve Ragan has been covering the security industry for longer than some people have been working in it. More than a journalist, Steve is an active participant in the community and is often found at security conferences helping out and exchanging stories – all with a cheeky grin that radiates a youthful playfulness.
- Steve, you've been covering information security / cybersecurity for many years now. What have been some of the biggest changes you've seen in the industry during this time?
There have been a few changes. The first one that stands out to me is the influx of new blood to the industry. People have come in with new ideas and viewpoints, and honestly, I think it's had an impact. I see them at conferences and they're excited, energized and happy to be part of something bigger than themselves. I've also seen us older folk grow up some, which is a good thing.
A few years ago, the concept of a bug bounty was foreign, but now it's commonplace. The debate between Full Disclosure and "responsible" or "coordinated" disclosure, that's another change. I'm a Full Disclosure person – a lot of us were back then – but even I've changed somewhat, as I see the upside for coordinated disclosure on some things, even if I still think the practice overall was originally developed to punish researchers.
Professionally, one of the changes I've seen develop over the years is how we cover security in the media. It's gone from the back pages to headline news, and there is certainly more attention given to software flaws, failed security standards and practices, and the role security plays within an organization.
- As a journalist, you must get pitched like crazy. What things really grab your interest amongst all the noise?
Impact. If the pitch can demonstrate impact, it gets my attention. A good deal of my story development process follows a basic pattern. Pain - what is the pain, why does it exist, where did it come from? Impact - what impact does this pain have on a person or organization? Resolution - what can you do to fix the pain? Pitches that come close to aligning to that will always get a read.
- What aspects of your job do you really enjoy?
Research - I love researching a story and finding the hidden gem of information that will help someone working in a cube or in the back office fix a given problem. Education - I like explaining things to the wider public, those outside of the echo chamber. The bonus for me is that while I'm doing both of those things, I get a chance to learn myself, and interact with experts who are happy to teach.
- When investigating a story, are there any trusted sources you go to, or do you prefer to do research yourself?
I have trusted sources in various markets and areas of security. So, depending on the story, one of them will get a call. If the story requires research, I'll do that myself, but it isn't uncommon for a source to help me out by pointing me in the right direction.
- Every day brings about new breaches. How important do you find it to be first to break a story?
Breaking a story, assuming you mean being the first to cover something, isn't important to me at all. It's nice to be first, but I'd rather be right and have actual information for readers to understand scope and impact. Even if that means I’m the 9th journalist to publish.
Other journalists might feel differently, but security is a very small space still, so trying to chase a story just to be first will wear you down rather quickly. Instead, I focus on the value add, and try and get original ideas or concepts into a story that help in the long term. While everyone is looking at a given story today, I think about those who will be looking tomorrow or next week, what can I write that will assist them as they research?
- There are many bloggers or self-styled security journalists; there are also many non-technology journalists that occasionally cover security. What advice would you give them to improve their stories?
This is a hard question to answer. No two journalists will cover a story the same way, and we all have our own methods. But if I had to offer advice in general, it’s to understand the basics of a topic first, and then work to discover how those basics apply to the current story and go from there. The only problem is, I'm one of the few security journalists that actually worked 9 to 5 in the security industry. So even that bit of advice is unfair to the generalist who was assigned a security topic.
Instead, I think the better advice is to look towards acknowledged experts before writing and get their take. Try not to lean on vendor pitches as a definitive take on a topic. This isn't because they're clueless, they're not, it's because they'll often have that view because they have a product or service that can align to it. Finally, again, take your time. Not everything needs to be a scoop, exclusive, or breaking news. Some things are worth fleshing out, even if you are 5th or 6th to a given news cycle.
- Which security writers do you follow / admire the most?
I think all journalists read Krebs, but most of us have been reading Brian since he was at the Washington Post. I read everyone over at Motherboard, Ars Technica, Cyberscoop News, all the mainstream pubs. If anyone reading this wants a list of reporters to follow, just ping me on Twitter, and I'll hook it up.
- How can people get in touch with you?
My main social account is Twitter, that's where I'm most active. But I'm on IRC, Slack, LinkedIn, and a few other places. Just look for SteveD3.