On this special live episode of Inside the Media Minds recorded at the RSAC Conference 2026, co-hosts Christine Blake and Madison Farabaugh sat down with Jessica Lyons, Cybersecurity Editor at The Register. With more than 20 years of experience in journalism and over a decade covering cybersecurity, Jessica offered a candid look into how she approaches reporting in one of the industry’s most fast-moving and noisy moments of the year.
Jessica’s path into cybersecurity wasn’t exactly planned, in fact, she fell into the beat when no one else wanted it. But what started as a chance quickly became a long-term passion as she discovered the “natural narrative” of cybersecurity. “You have the bad guys who are trying to break into the networks, and you have the defenders who are trying to keep them out,” Jessica explained. “There’s espionage, there’s intrigue, there’s heist. So it seemed like a pretty exciting field to me.”
Breaking Through AI-Dominated Narratives at RSA
For the RSAC Conference, Jessica made one thing clear: the industry is all-in on agentic AI. From large-scale panels to hallway conversations, agentic AI dominated the narrative. However, Jessica remains equally focused on what’s underneath all the AI noise. She explained that real-world developments like high-profile breaches and geopolitical tensions that play out in cyberspace ultimately shape her coverage more than any single buzzword.
When preparing for RSAC, Jessica’s process starts months in advance. Beginning as early as January, she builds out a detailed plan, mapping keynotes, identifying must-meet sources and piecing together a schedule that balances reporting with relationship-building. That reality makes pitching during or leading up to RSAC particularly challenging. With a flood of announcements hitting at once, even strong stories risk getting buried.
Cutting through the noise for Jessica isn’t about louder messaging, it’s about relevance and timing. “I like it when people reach out to me and say, ‘What type of people are you looking to speak with?’ Because it’s not always going to be the same every year,” she explained.
While many companies cluster announcements around RSA, Jessica pointed to the days following the conference as a more strategic window when reporters have time to step back and engage more thoughtfully. In a week defined by noise, the most effective outreach isn’t reactive. It’s intentional, well-timed and rooted in what reporters actually need.
The Rise of the CISO and CIO
Over the course of her career, Jessica has seen cybersecurity evolve from a niche technical function into a core business priority, and nowhere is that shift more visible to her than in the increased responsibilities facing today’s Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs).
What were once behind-the-scenes roles are now firmly embedded in executive leadership. This reflects a broader understanding that cybersecurity is no longer just an IT issue– it’s a business, operational and even geopolitical concern. As threats become more complex and far-reaching, and as AI becomes embedded in business models, organizations are relying on CISOs and CIOs not just to protect systems, but to help guide overall strategy.
“I think it’s great to see the elevation of the CISO and CIO role,” Jessica added. “That’s a really positive turn for the industry. It should be a C-suite position.”
For Jessica, this shift influences how she approaches sourcing and storytelling. She actively seeks out voices in these roles, along with other deeply technical experts, because they offer a more grounded, firsthand perspective on the challenges organizations are facing. At the same time, she noted that the industry itself has matured alongside these roles. There is greater collaboration between public and private sectors, more openness in sharing information and a growing recognition that cybersecurity requires collective effort.
To hear more from Jessica about her RSA experience, industry trends, and what she predicts for next year, listen to the full episode of Inside the Media Minds or read the complete transcript.
Timestamps
0:20 – Christine and Madison’s Podcast Preview
2:40 – How Jessica got into Cyber Reporting
4:08 – First Impressions of RSA 2026
5:44 – Jessica’s Focus at This Year’s Conference
8:10 – Offensive Cybersecurity & The U.S.
9:07 – Assembling the RSA Schedule Puzzle
10:07 – Tips for Conference Pitching
13:40 – Cutting Through the Noise
16:43 – Under-the-Radar RSA Themes
18:53 – Predictions for Next Year’s Conference
20:10 – Industry Changes
21:37 – The Evolution of Industry Professionalism
24:27 – Dealing with AI Slop
25:37 – Keeping Cybersecurity News Fresh
27:43 – Proactive vs. Reactive Coverage
Transcript
Christine Blake (CB): Welcome to Inside the Media Minds. We are your co-hosts, Christine Blake
Madison Farabaugh (MF): and Madison Farabaugh.
CB: This show features in-depth interviews with tech reporters who share everything from their biggest pet peeves to their favorite stories.
MF: From our studio here at W2 Communications, let’s go inside the media minds.
CB: Hey everyone. We have a very special episode today. Madison and I had the privilege of podcasting live from our CYBERTACOS event at RSA in San Francisco. We actually had Jessica Lyons, who is The Register’s cybersecurity editor, as our guest. She leads coverage of topics ranging from government to best practices for defenders. She has more than 20 years of experience in publishing with roles ranging from news editor to managing editor. It was really great to chat with her in real life, in front of a live audience, and hear more about what she’s covering at the RSA Conference. We got really good first hand insight from her. Madison, what did you find most valuable from this conversation?
MF: Yeah, well, first of all, the energy with having a live audience was definitely unmatched. And we had lots of great listener questions for people who were actually there in front of Jessica. So that was very exciting. And then, like you said, I think there are a lot of great insights in this episode. I particularly enjoyed hearing Jessica’s perspective on the evolution of the CISO and the CIO role and how they should be included in the C suite. And then she also had a lot of great insights when it comes to dialogue between the public and private sectors. She even mentioned a little bit about how she navigates, you know, AI slop when dealing with so many pitches coming in from the cybersecurity community. So lots of great stuff in this episode.
CB: Oh, yes. So we hope everyone enjoys this episode that we recorded live.
Hello. We’re gonna start our next podcast of the evening, the Inside the Media Minds podcast on the CyberWire Network. My name is Christine Blake. I’m one of the co-hosts.
MF: And then I’m Madison Farabaugh, the other co-host.
CB: Yeah. And on our podcast, we interview cybersecurity reporters who are covering the cybersecurity industry. So we are thrilled to have Jessica Lyons here, The Register’s cybersecurity editor. So we’re excited to hear from you, Jessica. We’re going to learn about your journey to The Register and your experience at RSA this week.
Jessica Lyons (JL): Thank you. Good to be here.
CB: Yeah. So to get started, Jessica, we’d love to hear about your background. How did you get to be the cybersecurity editor at The Register?
JL: Well, it’s kind of funny. I literally fell into the job. I mean, not the job at The Register, but I fell into covering cybersecurity. The publication I was at before The Register, we were dividing up beats, and nobody wanted cyber. And I was the newbie, and it sounded really fun to me. And I thought, “Well, why wouldn’t you want cyber?” It’s this natural narrative to a lot of the stories. You have the bad guys who are trying to break into the networks, and you have the defenders who are trying to keep them out. There’s espionage, there’s intrigue, there’s heist.
So it seemed like a pretty exciting field to me, and since nobody else wanted it, I got stuck with it, and I fell in love with it and really enjoyed covering cyber that, you know, that’s been my beat for, gosh, I guess, about a dozen years now. So I’ve been with The Register going on, it’s been four years, actually. Just recently had my four year anniversary and am incredibly happy now to be covering cyber full time at The Register. It’s a great spot.
CB: Yeah. That’s great. And we love reading your coverage of the cybersecurity industry. And here at the RSA Conference, I know we’re just kicking off here, but tell us about your experience. What are some of the vibes you’re getting this, this conference so far?
JL: I think this probably isn’t going to be a surprise to anybody, but it’s all agentic AI all the time. Groundbreaking, but it’s, you know, I haven’t been to the expo floor yet, but I’m assuming that is going to hold true there as well. It’s come up in all the conversations. Gosh, I forget it was something I believe, like 72 of the panels, it’s either agentic AI or AI agents are being discussed.
So it’s, it’s all the discussions happening, even just walking along all the buildings and all of the windows now that have been transformed into signs and advertisements, it’s all about ‘don’t let your AI agents run wild. Just let them run,’ so I feel like it’s just everybody’s talking about it, everybody’s talking about the security risks, how to secure it, and where we go from here. So that’s kind of been my, my biggest thing. Also, I’m noticing this year, it’s not really RSA related, but it seems like there’s a lot more Waymos on the street this year. So I’m not sure-
CB: We took one here.
MF: Christine and I have taken some thrilling Waymos this week.
JL: It is kind of fun. Yeah. So those are, those are my two big takeaways so far. I’m sure is that we that there will be a lot more still early on, but that’s what I’m seeing right now.
MF: So whether it’s AI related or based on another topic, is there anything that you specifically are looking to dive into this week, or any type of experts that you’re looking to speak to?
JL: Oh yeah, there’s a lot, both. I mean, I think as far as topical news, the Trivy compromise is super interesting, and that’s going to be, see how that plays out as the week and even beyond progresses, and hear what people have to say about that. I think that the ramifications of that are going to continue, and as we hear about the full scope of that compromise and everyone affected. I today, I one of the my pilots from today actually was hearing Rob Joyce, the former NSA cyber boss. It was interesting because, when I interviewed him last year, he said AI is soon going to be able to develop exploit code. And then his talk today was about how we’re there already, and that’s happening right now.
I think with everybody at RSA, it’s really fun, because I get to see all these people in person that I just normally talk to on the phone or over email. And even just a difference in person versus on the phone, people tend to let their guard down a little bit more. You have this more, more personable conversation. You don’t quite have the guards up the walls up that you do even over the phone. So it’s nice to have that face time with people. I spoke with Jenny Easterly today. That was a big highlight for me, to be able to interview her about her new role.
And then I think also, another topic that is interesting to talk to people about this week is how the conflict is playing out in the Middle East. The cyber aspect of that is, I don’t know if unique is the right word, but just watching how cyber is taking center stage as a battlefield, along with the more traditional battlefields that we see in a conflict. So that’s something too that I’ve been discussing with people. And curious to hear what people see is as new or interesting or unique or little bit looking into a crystal ball, but how they expect things to play out.
MF: And we’ve been seeing a lot of coverage lately, too, about the topic of offensive cybersecurity as well. Has there been anything surprising on that front, whether it’s related to the current conflict or other aspects of cybersecurity?
JL: Not yet. I think that one thing everybody has been really quick to point out is that this isn’t saying that we’re going to start seeing companies hack back, but at the same time, the U.S. is going to take a much more proactive position. So and I, and from what I’ve heard, most people, not most people, everybody I’ve spoken to is is pretty on board with that, and sees that as what we should be doing when we are finding spies from China, from Russia, from Iran in our networks, that has a good deterrent effect if we’re going to take a more proactive approach.
CB: So you mentioned that you went to a panel, you’ve met with some people already. As a reporter, do you get a lot from sessions, keynotes, or do you find you get more from those one-on-one conversations and briefings that you set up?
JL: It’s, it’s kind of a mixed bag. I’d say for the most part, the one-on-one conversations are where I find the most value, and even just making that connection with someone, even if it’s not something that I’m necessarily going to write about this week at RSA, just having that connection, having that face time, knowing what this person is passionate about, and knowing somebody that I can reach out to for future stories. That’s always really beneficial. At the same time with the keynotes and the panels, it’s, it’s a good opportunity to hear from people who I don’t just talk to every week on a, you know, on a regular basis, and hear what’s top of mind for them. So it’s, it’s both.
CB: And our audience is a lot of PR, marketing folks, a lot of you in the room here. A lot of us wonder, how do you prepare, like, how many weeks out from the show? I know you get a lot of pitches, how do you prepare for that and handle all that?
JL: I mean, it feels like it starts pretty much as soon as the new year starts, really in January, and just kind of slowly figuring out, okay, what does the agenda look like? What are the keynotes and the panels that I absolutely need to cover, who is going to be there as a speaker? So maybe in addition to their session, I can get some one-on-one time with that person who will have a presence there, and just slowly trying to build it out. And it’s such a puzzle trying to fit all of this together and be able to attend all the talks and be able to talk with all the people, and there’s never enough time. And every single year I tell myself, ‘Okay, I’m going to leave more time because I need to actually write stories too.’ I can’t just spend all day talking with people, and then it always ends up being incredibly booked and incredibly busy, but, but it’s worth it. It’s good.
MF: So to gather a bit more valuable insights for our audience, what do you think vendors or PR professionals, what do they get wrong when they pitch you ahead of conferences like this? Or what would you appreciate more of?
JL: I like seeing, I like it when people reach out to me and say, “What type of people are you looking to speak with?” Because that’s not, it’s not always going to be the same every year. So depending on what’s happening in the world, what’s happening news wise, I might be looking to speak with different people than I would next year or the year before, the year after. So I like that just, “Hey, who, who would you like to talk to? What types of people? What roles would you like to talk to?” It’s nice also just to see a list after that point. “Okay, here’s who I have who fits that bill. Here’s what they can talk to. Any of these people fit what you’re looking for.”
And then, and I feel bad, because I know that there’s a lot of people who still do that, and then I still don’t, I’m not able to talk with all of their sources that they have. So I also think it’s, it’s not, it’s not you, it’s me. I’m very kind. Yeah, it’s, it’s not. I mean, I wish, I wish there was more time, because I’m sure that any of the people that you’re pitching me have fascinating stories and really good insights to tell me. I think one thing it’s that actually, as far as one thing that people do get wrong, I like to talk to the CISOs. I like to talk to more technical folks, the threat intelligence in general. I’m not interested in talking to your product manager, that’s not what I tend to cover. I like to in general, again, this is, you know, really, really broad scripts, but people who have a background in military or FBI, I like having that kind of perspective come in as well.
CB: Yeah, that makes sense. Yeah. I think another thing we often wonder, how can vendors cut through all the noise? There’s so many announcements going out this week. Some are product related, some are research related. It’s such a noisy time. How can vendors either cut through that noise or time their announcements appropriately around the conference to make to make it through?
JL: Right, that’s a tough one, because there is just so much. And it makes sense, if you’re a vendor, this is a great time to announce a new product. So it makes sense that you would do that. I think it, that’s more tailored to the organization and the reporter that you’re pitching. I think then just a blanket ‘here’s how you can do it’ and cut through the noise. I think that that really varies based on what publication you’re pitching, what the person’s interests and what they typically cover. Because when it comes down to it, there’s, yeah, there’s so much being announced here, and really in the whole couple weeks leading up to RSA. And sometimes, if it is a little bit like, you know, the week last week, is a really slow flow news week, because everybody’s holding everything until RSA and so this also tends to be a week when things can fall through the cracks, if it’s not something that’s incredibly new or incredibly innovative that we haven’t seen before,
MF: Something else we’ve been discussing with clients as well as fellow reporters as well, is the idea of kind of a quiet period following RSA. Do you typically find that as a reporter? Because I know there’s always a flood of research reports announcements ahead of time, during the conference, but is that something you find valuable is when people try to set up, whether it’s post conference conversations or briefings or giving you that preview of research, you know, the week after RSA? When’s a good time to reach out to you for that?
JL: That is a good time to reach out. But I take a couple of days off. I think a lot of people take a couple of days off just because you need to slow down a bit after just all the, all the hustle of RSA, but definitely that week, and then even just the week after, I think, as opposed to the week before, you do have more time just to focus specifically on this person and this particular issue now, versus ‘okay, I have an interview with the source. I also am still scrambling to figure out my schedule at RSA, and all the embargoes that are coming out, and which one I’m going to cover which one I’m not.’ So it is, it is kind of a nice chance, you typically, I typically, have had a chance to take a breath and go into these with a little bit more broad focus. I’m not just so tailored on RSA anymore, so I think that is a good point.
CB: And then we talked about AI being a hot topic, of course, talked about geopolitical conflicts. What else do you think is going to be like another big thing coming on? Is anything surprising under the radar, maybe?
JL: I think that one issue that I’ve had some interesting discussions about is voice phishing and not I don’t know if it’s too under the radar, but I think it just is, still continues to surprise me that it is so effective when you see things like the newer AI focused attacks, that just picking up the phone and pretending to be an employee that gets you through a lot of times when you’re–
CB: Crazy.
JL: Yeah. And of course, AI does help with that too because it helps make learning about the company, that reconnaissance, a lot quicker. It also can, in some cases, provide scripts on the fly. So if the help desk says this, I can say this as an attacker. So that’s not to say it’s completely void of AI or any newer technologies, but I think that just how some of these seemingly old school types of attacks are still really effective, I think that’s something that continues to be a topic of RSA, and then I mean the boring, just the not boring, but just the basic security hygiene, I mean, that’s always an issue. It’s always going to be an issue, and it’s it’s really hard to avoid that, even though maybe it’s not as fun and exciting to talk about as some of the more AI tinted stories that we tell and hear about.
CB: I mean, you said you’ve been covering cybersecurity for 12 years, right? Like, so is cybersecurity hygiene, you’ve still been covering that like you, right? It’s still been such a huge theme throughout your career.
JL: Right, right, right, definitely. I mean, it’s not if, if that was all taken care of, we wouldn’t have anything to write about. So I think that’s not going away anytime soon, which is unfortunate, but, yeah, yeah. Something, something to keep in mind.
MF: Do you have any predictions? Obviously, AI, very big theme this year. Do you have any predictions for what, you know, next year’s RSA might cover?
JL: I mean, I think it will probably be more AI. I’m curious to see how that evolves, because the models are becoming so much better and so much faster, just exponentially in the last three to six months. So looking out a year from now, it’s kind of mind boggling and really curious to see where we are and how much that technology has advanced. So I think that will continue to be a topic, but I’m not sure what it’ll look like. It’ll be it’ll be fun to watch.
CB: Yeah. So one of my favorite parts of our podcast is our listener question segment, and we’re excited to have so many listeners here today. So does anyone have any questions for Jessica? Anybody? Yes, Dave Bittner has a question.
Audience Member 1 (AM 1): In the 12 years you’ve been at The Register, what are some of the things that you’ve seen really change over those years in terms of types of things that you’re covering and the things people are talking about?
JL: You know, it’s interesting. I don’t know if it’s, if it’s things have changed, but it’s almost a new slant on an existing problem. I think a lot of looking at the, the threat techniques are still the same. It’s still, we’re still talking about phishing, we’re still talking about things like that, but now it’ll have an AI angle to it, or, you know, SaaS, it’ll have here now. Instead of just breaking into into your on prem environments, now we’re breaking into the cloud environments. That’s obviously a big one that we’ve seen. And so I think it’s, it’s interesting to see how the attackers are able to change their business models as the technology industry also is is changing, and whatever the buzzy new technology is. Right now, it’s obviously AI how they like to focus on that too, like, like all the rest of us, and play around with that. Does that answer your question?
AM1: To follow up just in terms of the industry itself.
JL: Yeah.
AM 1: What are your insights on the evolution of the level of professionalism in the industry itself?
JL: Yeah, I think, I think that’s a big one. I think that it really has grown up over the last 12 years in a good way, I think, I mean. I think that it’s not, I think there’s a lot more professionalism. It still tends to be largely male-dominated, but we’ve seen a lot more women, which is good and needed, and so that’s been something that I’ve been happy to see over my time.
I think that also it’s it’s more recognized as this is something that affects all of the company. It’s not just like, ‘here’s the security people in their little room doing their thing, we’re not exactly sure what,’ but it’s, it affects everything. I think it’s great to see the elevation of the CISO and CIO role. That’s, that’s a really positive for the industry, as it should be. It should be a C suite position.
And just this, and even with the with the dialogue, I know one, one thing that actually, I think we’re missing this this year at RSA is the lack of the federal government speakers who were supposed to speak, and then everybody decided not to in January, but in general, I think it’s also been really encouraging to see over the years the increased dialogue between the public and private and that’s something that’s obviously needed. The private sector has access to a ton of great information, and and there doesn’t seem to be as much as of the proprietary ownership, and “I’m not going to talk to you, I’m not going to try to help you.” Even within the, you know, the private sector itself, just seeing companies working together more. So I think, yeah, there’s, there has been a level of maturity which is really positive.
CB: Yeah, go ahead, I’m gonna repeat the question to the mic, okay.
Audience Member 2: When you are getting sources in the industry, how do you hedge against, to be honest, like kind of an AI slop responses? I find, you know, I participate in these, and I see my peers also quoted in these articles, and it’s like and ‘so and so from this vendor reinforced what like this person’s’ and you know that’s happening because they’re all kind of prompting the same question. How do you deal with that now? Because that used to be like, a rich source of information.
CB: I’m going to repeat into the mic because we’re recording. So how do you deal with the difference between the AI responses versus the human responses? And kind of get through to what that is?
JL: Right. I mean, I like to think that I’m able to tell the difference. Maybe I’m not. I think that’s also why it’s nice to jump on a phone call with somebody, because you can tell a difference between a conversational response to your question versus something that has been heavily edited and sent through legal and sent through marketing and approved and anything off the bat, anything with certain jargony terms I try to just not use, on principle, but again, I think one way is just to talk to people.
CB: Yeah, go ahead.
Audience Member 3: So from a reporting aspect, how do you keep the context of cybersecurity fresh if we know that even the technology shift, a lot of methodology and with threat access, work tends to be kind of the same old hat?
CB: Yeah, how do you keep the cybersecurity perspective fresh when the attacks seem to be the same old thing that has been happening for a while?
JL: Yeah, that’s a really good question. I think that there’s, there’s always the timeliness element that’s important to any type of news story. But I feel like in cybersecurity, there’s always something new. There’s always someone who is being attacked, and I think getting into the details of that, even if it is, it was through a phishing email. I think the getting really into the specifics, you know, what was the lure? How did they do this? Who did they talk to? I think those individual details make it, make the story stand out a bit more than just it’s same old hack that we’ve been seeing for years.
If you can show, show the details, and then I think also it’s important to show the human effect. And it’s not just this threat actor stole how many gigabytes of data, but these were people’s, these were cancer victims’ photos that they were using chemotherapy. I mean showing because I think we do have a tendency to kind of get numb, because we do see attacks every single day. And everybody, at this point, knows what ransomware is. Everybody knows that people are being extorted for a lot of money after their data is stolen. But showing the human element, I think, is one way to make make this more pressing and and just give it more impact.
CB: Great question. Any other question? Oh, yeah, in the back.
Audience Member 4: How many or how much of the stories that you’re covering are based on planned research topics of interest, versus things that are reactive to events?
CB : That’s a great question. How much of your coverage is planned and proactive versus the reactive coverage.
JL: I think that a lot of it starts with the reactive coverage, and these are the quick hit daily news stories that we write every day. But then, taking a step back from that and letting that show some patterns or some trends that are coming up a lot and that I would like to dive into a little bit more and figure out, “Why are these things, what’s going on with this?” I’d say, so, those are, those are the, you know, the more planned versus a reactive. Those are the ones that, personally, I like doing. I think those are more fun. Those the more analytical, the more feature-y stories.
And as far as the balance of those two, it kind of depends on what is going on in the news cycle. If there’s a ton of news happening, then those are going to get pushed to the back burner, and they’re likely to take me quite a while longer to finally write. I’ll be slowly doing interviews for quite a while, and then I’ll finally have time to write it when, when the news cycle slows down. But at the same time, it’s good to always have a couple of those on the back burner. So if there is a slow news cycle, then I can go back to those. And sometimes it’s even just a matter of knowing someone who’s a great interview, and I know if I talk to them, they’re going to spark off a lot of different ideas and give me a ton of potential future stories to look into. So, but I mean, as far as a balance, it’s probably, you know, 25 are the more, 25% probably the longer, the more planned, the more analytical feature stories, and then 75% breaking news, daily stories.
CB: Yeah, great question. All right, guys. Well, thank you so much for listening. Thank you Jessica for coming on and talking to us. We are the Inside the Media Minds podcast, and we are monthly on the CyberWire Network. Madison.
MF: Thank you all for listening. Hope everybody has a great rest of RSA.
CB: Yeah, and enjoy CYBERTACOS.
Thank you for listening to today’s episode of Inside the Media Minds. To learn more about our podcast and to hear from some of our past guests, please visit us at W2Comm.com.
MF: You can also subscribe anywhere podcasts are found.