• silicon.com
• Technology
• Security

By silicon.com, 22 September 2004 18:20

The media has this week been blamed for creating a "hype cycle" of "social propaganda" which is confusing the issue of IT security to dangerous levels - drowning out serious messages with 'sexed up' stories predicting the 'end of the world'.

This point was argued well by Jay Heiser, research director at Gartner. Much of what he says is true.

Everybody is entitled to their opinion - and the media is certainly in no position to cry foul when the gaze turns upon its own practices - but we, as part of the media, are also entitled to answer back against elements of that statement which we think are untrue.

The media is guilty to some degree for putting out conflicting messages or overtly bleak predictions about the threat of the latest vulnerabilities.

But it can happen for a number of reasons, some of which should not be mistaken for propaganda.

Any editor who claims they are unaware of the popularity of security stories or their effect to make or break an edition of a day is lying. But any editor worth their salt won't run with a story for short-term gains if the long-term effect is damage to the reputation of their title.

Security stories sell. A virus outbreak makes for good copy. It's one of the reasons we write them. But before that becomes our 'Ratner moment' let us throw in some further explanation and point out that as with all coverage on silicon.com we also believe it is the kind of news which creates a community of readers who will bookmark us and watch out for our emails. As such we'd be foolish to abuse deliberately the trust that relationship requires.

Also while finger-pointing is the done thing let us indulge in some of our own - not to deflect attention but to strike a balance. Publications with no specialist knowledge of the IT industry, such as the national newspapers, and even those who should know better, can easily fall into the cleverly set traps of the vendors - who should not remain blameless in all of this.

As there are good and bad in the media, so there are good and bad in the marketplace.

If Heiser believes this is solely a media game he is wrong. Coming from a vendor background he should be aware that many of his former peers employ marketing departments and PR agencies for their ability to manipulate the media and if enough noise is made about a threat and a publication is trusting, or simple enough to take those claims at face value, then there is a danger that 'hype' will hit the front pages.

But if a known vendor is willing to put its reputation on the line and claim a vulnerability will cost businesses some exorbitant sum then there is arguably a story there. That is the balancing act to bear in mind when approaching any kind of news.

If a vendor is claiming 'patch this now or you will be out of business tomorrow' there is a judgement call to make. We can only talk for ourselves here but we research all such claims and run them by a number of contacts across a number of organisations to assess the seriousness and the probabilities involved.

Even after such research, which also has to be weighed against the need to be timely with such announcements, we can still occasionally make the wrong call - reporting a threat which doesn't amount to anything.

But that is the right way to get a judgement call wrong. We believe it is better we inform our readers of something which doesn't happen than leave them oblivious to something which does. As long as we don't make a habit of it.

In terms of being alerted to the presence of a new threat we are in the hands of the vendors whose technology is the first means of detecting such things. If we waited until readers started telling us, or we saw for ourselves that a virus outbreak has occurred, then we've already failed in our duty to report.

As such we have to make a call as to whose information we trust and whose we regard with suspicion. We're not about to name and shame or even praise but we constantly review the information we take and keep a record of those giving useful leads and warnings. If somebody consistently makes the wrong call then don't expect to see them mentioned on the pages of silicon.com.

There is one vendor in the security market which many publications, including this one, will never talk to or report on, simply because of the ridiculous nature of its claims. There are some media who do take its information - and in truth both vendor and publications are probably falling down the same hole.

However, the bottom line, as argued by Heiser, is that 'the media' should be showing greater responsibility, even simply in the company it keeps and who it talks to.

But to assume the phrase 'the media' covers all publications equally is unfair. There are some publications which are responsible, there are others which aren't. All will make mistakes from time to time but sweeping generalisations are never right, by their very nature.