
May 21, 2020

Anna Ruth Williams




In a recent blog post about how journalists perceive cybersecurity’s PR response to COVID-19, I addressed the fragile relationships that persist between many infosec PR teams and some of the most influential cybersecurity press.

As someone who has worked in tech PR for almost 17 years, I’ve witnessed my fair share of salty reporter-tech company relationships across various industries. However, nothing comes close to the tensions that I’ve observed between cyber press and cybersecurity PR teams over the past six years.

The question is, why?

Cybersecurity media relations is fueling the fire

Media relations plays an enormous role in cybersecurity PR. That should come as no surprise when considering how competitive the industry is, and that companies with technology proven to reduce risk can legitimately scale from startup to acquisition or IPO in as little as five years.

In an effort to stay one step ahead of that competition, many cybersecurity companies utilize media relations to break news, amplify products and shine the spotlight on executives. In truth, there’s nothing wrong with having a robust media strategy (I wouldn’t have a career without it).

But in cybersecurity, the pressure to earn media ahead of the competition has sometimes become so immense that the strategy behind what makes media relations successful is often overlooked. And best practices, like reporter research, article reading and publication assessment, are too frequently sacrificed for expediency in execution.

The result is far too many off-topic pitches landing in cybersecurity reporters’ mailboxes.

Pitching off-topic is hampering cybersecurity PR efforts

Sean Martin and Marco Ciappelli, the co-founders of ITSP Magazine, recently told me that they each receive 25-50 pitches on most days, and over 100 pitches per day in the weeks prior to big conferences, such as RSA or Black Hat. The vast majority of these pitches fall into one of three categories: 1) new product announcements; 2) data/reports/surveys and 3) “expert” interview requests.

There’s just one problem: ITSP Magazine doesn’t write about products or vendor data reports, nor does it conduct the types of interviews being requested. In fact, the publication’s focus is clearly written on its homepage:

“ITSP Magazine is a free online publication that focuses on technology, cybersecurity, privacy, the InfoSec community and the influence that all this has on our everyday lives – as businesses, individuals and the society in which we live.”

And even if a PR pro inadvertently overlooked the mission statement, a simple 90-second scroll through the website would clearly reveal the outlet's editorial focus.

Unfortunately, in cybersecurity PR, media relations due diligence far too often does not occur, and off-topic pitches make it into reporters’ inboxes. That’s why, according to Martin, “I throw nearly all of them [pitches] in the trash - none of these fit our content model for our columns.”

For his part, Ciappelli tries to help educate PR pros on ITSP, but far too many don’t heed his message:

“I explain that we do not do product and company placement in our conversation and that there is a paid content column for that. Few reply with a thank you, little start a conversation, most keep sending and I filter them in the junk.”

Pitching cybersecurity media on-topic begins with due diligence

In cybersecurity PR, knowing the topics that media outlets specialize in and what journalists focus their editorial coverage on is essential. Yes, obtaining such information has been made more complicated by the increasing number of freelancers, some of whom have disparate beats and editorial autonomy. Nonetheless, getting to know the cyber media landscape inside and out only takes a little time and effort.

When considering where and whom to pitch a story, Alloy’s cybersecurity PR team begins by looking at the five most common buckets that journalists fall into:

  • Current Events - Publications such as Threatpost, SC Magazine, ZDNET, Security Week and Dark Reading focus primarily on covering large-scale attacks, threat identification, vulnerability discovery and data reports.

  • National and Enterprise Security - Media including CyberScoop, Wall St. Journal, New York Times and Vice Motherboard most frequently deliver long-form content related to nation state activity, corporate breaches, and privacy, regulation and governance.

  • Cybersecurity Culture - The aforementioned ITSP Magazine, Wired and Security Ledger focus mostly on stories that transcend cybercrime, hacker profiles, cybersecurity, government, business and society.

  • Education and Professional Development - Outlets such as CSO, Security Intelligence and Bleeping Computer cater most of their articles towards helping educate security professionals on risk reduction and security team optimization.

  • Speeds and Feeds - Publications including eWeek, Solutions Review and Tech Target are in the minority, writing articles about the underlying technology that powers cybersecurity solutions, such as AI, machine learning, deep learning and more.

Admittedly, not every publication or journalist falls neatly into one bucket. There are certainly times when outlets that primarily focus on national security will write about culture or current events. But those are exceptions to the rule. 

It's time for a cybersecurity PR evolution 

At the end of the day, cybersecurity PR pros need journalists much more than journalists need cybersecurity PR pros. That’s why the burden to mend the relationships lies with us, cybersecurity marketers. 

Even amidst the industry’s competitive challenges, it is possible to improve media relations discipline without sacrificing valuable time. Doing so starts by knowing what both publications and journalists do and do not report on, and using that information to craft pitches that are timely, objective, and most importantly, on-topic. 

Added Martin: “The occasional gem that really hits home on the impact something will have on society or the business that enables society - in those rare occasions Marco and I will look at how we can connect the topic (and sometimes the expert, yet sometimes not) to the purpose driving one of our columns.”

With a renewed commitment to media relations strategy and best practices, that “occasional gem” can easily come from your brand. 

To learn more about Alloy’s approach to cybersecurity PR, download our new playbook, The Ten Most Common Cybersecurity Mistakes, at