As cybersecurity reporter at Axios, Sam Sabin uses her years of experience to tackle complex cybersecurity topics and distill them into meaningful, understandable stories for audiences ranging from industry veterans, government officials and venture capitalists to even newbies to the cybersecurity landscape. During the first episode in our two-part RSA Conference series, Sam tells our co-hosts Madison Farabaugh and Steve Bosk how she balances technical nuance with “cyber 101” to develop her twice-weekly Codebook newsletters that provide smart brevity for all readers.
For communicators and PR professionals looking to pitch the Codebook newsletter, Sam breaks down the ways she identifies sources, how to best craft a pitch and the importance of explaining how an everyday person is impacted by the security topic at hand.
Axios’ RSAC “Wonder Woman”
Amid the ongoing buildup to the RSA Conference, Sam shares how the Axios team is approaching the show this year. In short: Sam will act as Wonder Woman, covering the entire show for the publication. This means her schedule is tight, but she is trying to make time for one-on-one meetings. (Hint: Listen in for specific recommendations on how to pitch her for RSA meetings!)
The key topics she’s keeping her eye out for this year? AI, of course, but cyber espionage, ransomware, business email compromise scams, fraud and other cyber threats are also topics of interest to her audience. Listen now to the full episode as we go Inside the Media Mind of Sam Sabin.
For the readers among us, the full transcript is available here.
Timestamps:
0:48 – Sam’s Start in Journalism
3:30 – Tailoring Codebook to Readers
6:28 – Getting Sources
9:08 – How to Craft a Pitch
12:11 – Sam’s Favorite Stories
16:44 – This Year’s RSA Conference
20:29 – Axios’ RSAC Event
24:23 – Advice to Cyber Communicators
27:05 – Should RSAC Move?
29:21 – Sam’s Summer Plans (Hint: Taylor Swift)
Looking for more journalist insights? Catch all the episodes of Inside the Media Minds here!
Transcript:
Intro: Welcome to Inside the Media Minds. This is your host, Christine Blake. This show features in depth interviews with tech reporters who share everything from their biggest pet peeves to their favorite stories. From our studio at W2 Communications, let’s go Inside the Media Minds.
Madison Farabaugh (MF): Welcome everyone to this week’s episode of Inside the Media Minds. I’m your host Madison Farabaugh filling in for Christine Blake while she’s temporarily out, and I’m here with my co-host, Steve Bosk. And we’re super excited to kick off part one of our two-part RSA series where we’ll be diving into everything conference from media presence, hot topics, and just ways that cybersecurity organizations can be standing out. So in that vein, we are equally very excited to be welcoming our guest, Sam Sabin. She is a cybersecurity reporter at Axios as well as author of the twice-weekly Codebook newsletter. So welcome, Sam.
Sam Sabin (SS): Thanks for having me.
MF: Of course. And you know, before we get into the here and now, everyone loves a good origin story. So, Sam, we would love to hear just a little bit about your background and kind of your journey into the journalism space as well as what eventually led you to Axios.
SS: Yeah, totally. So I am, I feel like there are a few different stereotypes of reporters, I am definitely the one that found journalism in high school and just never looked back. The bug was here and I couldn’t get rid of it. So I have been dabbling in journalism in some way, shape or form for many, many years. I went to UNC for undergrad, I got my journalism degree, and then started in the D.C. area right after school, D.C. Inno covering local startups and venture capital and a whole variety of different things. I was at the publication when Amazon was picking their second headquarters, which of course is now in Arlington, Virginia. So it was really an exciting time. And ended up from there just kind of weaving in and out of various tech journalism topics. I think for me, I always knew I wanted to cover tech, I did this internship in college out in San Francisco that really informed that decision, but I knew I wasn’t someone who liked covering products. I don’t really like all the flashy business element of it, you’ll never see me out at like an Apple conference getting really excited about the Vision Pro.
But I have found in D.C. that I really enjoyed the regulatory process, the places where technology intersects with national security, with policy regulation, and things like that, and just the real world, maybe, quote unquote. And so from there, I ended up at Morning Consult covering tech policy for a couple of years and went to Politico covering cybersecurity, just writing their daily newsletter. I started the week of Colonial Pipeline. For those who are listening and are familiar with that ransomware attack, it was a big week, and just loved it, and I have always admired Axios. It was like one of those like dream publications I always wanted to work at and the timing aligned to come here and had the right beat and the right skills that they needed to fill the job. So that’s a very long story. But that’s me in a nutshell.
MF: No, we love to hear though, especially just how you hopped, and it eventually led to a dream job, that sounds like. And our agency, we’re definitely loyal readers of Axios. So we always look forward to your Codebook newsletter. And I guess, you know, between you have prior newsletter experience as well. So between the Axios newsletter, and then some of your regular reporting, how do you kind of differentiate between the two there? And yeah, just how you pull your sources for each one. Is there a difference?
SS: Yeah, totally. So of course, Axios in and of itself, for those who don’t read it, it’s very differentiated from most publications, it’s smart brevity, it’s bullet points. The format of our stories really challenges me to think a lot about the purpose of a story, it is not, it is going to get you the news and what you need to know very quickly in and out. And so for me, that really means I have to think a lot about the audience who I’m writing for, which really ranges for the newsletter. You would think it would be more targeted, right? It’s people who are in the industry or are government officials or venture capitalists or so on and so forth. Those are definitely our audience but we also get a lot of people who are just interested in cybersecurity. I get a lot of reader emails sometimes that are very cyber 101, I would put it, asking me about the dark web and what it is and what it looks like, or how to actually set up your multifactor authentication or password managers, things like that. So they’re very engaged, but they don’t know everything. I think that’s very true of a lot of our audience. And so for me, I have to think, I really try to differentiate my coverage by breaking down a lot of very technical cybersecurity topics in a way that most people can actually read it, I try not to use a lot of jargon, if I can, I try to talk with sources who are willing to explain things in a very 101 “Please talk to me like I’m five” kind of way. And that can be a little challenging, in a beat that prides itself on being very technical and very knowledgeable about various different aspects of a security stack, or a different computer system or something like that. But that’s really how I think about it. And so that typically means I’m talking with a lot of researchers, I’m talking with a lot of executives, lobbyists, people who are also translators in that realm, right, and are skilled at doing that. So that’s kind of how I think about it.
The hope is that, like anyone who was just trying to learn about this can actually get their answers from our coverage, versus trying to read it, and maybe a trade publication has a different audience, that it’s going to be more difficult for them to read and follow. So
MF: No, that makes perfect sense. And you mentioned a little bit about your sources, just now. Do you have? And you mentioned talking with researchers and talking with other subject matter experts? Do you have a process for how you get your go to sources? Or does that vary depending on the story?
SS: It’s a little bit of both. I wish I could tell you that I had this like very formulaic process for how I look for new sources, and that I go into it every week. And I think after this story, I’m really going to look for XYZ. But my schedule is chaos, like any other reporter, and it really varied. So for certain stories, the story idea will actually come from chatting with some of my go-to sources, or there are people who I’ve talked to, maybe I met them through a story once and it just really clicked and I found them super helpful. And I just kept going back to them. And now, you know, we have a more secured relationship that way or, you know, it’s from hearings, or it’s from various interviews that spurred another idea. And so if that’s the situation, then usually I can go back to that person or I have like, you know, there, I was already talking about the source. And so the story was born from there. There are some stories that will do, because the newsletter isn’t daily. It’s not I don’t do a lot of like reactionary next day stories. But there are times where I’m doing a more thoughtful, or I’m trying to do a more thoughtful, that’s the intention, feature, maybe a week after the breaking news. And so from there, it’s really helpful to go through my inbox and look at who was responding the next day, right, like who are the companies or the executives who were really excited to talk about the latest ransomware attack or the latest phishing campaign or something like that, that was making big waves, going through those commentaries to see if they kind of fit the angle that I’ve been noodling on and thinking about. So it’s really a variety of sources that I turned to, and it can be a mix of new ones and old ones, and people I’ve just known for years, or maybe someone I’m talking to for the first time, because I got a really thoughtful pitch at the right time.
It’s a little bit of, like, magic in terms of what works and what doesn’t, rather than a pure science that has a formula that you can copy every time, which I know can be frustrating for PR folks, but it’s just how it goes. So yeah.
MF: Well, and that’s the goal for PR folks, eventually, is to make our pitches thoughtful and hopefully as targeted as possible so that it doesn’t seem to you all like it is a mass email. So, you know, in that vein of looking through your inbox and looking through those pitches, what advice would you give to people who are trying to help, whether it’s their own company, whether it’s an SME that they feel would be really beneficial to you? What is that storytelling component that you look for when you’re sifting through your inbox and looking for resources?
SS: Yeah, that is a tricky question, because I feel like the advice that I have can’t always be followed, right. I want to like come from this from the perspective that I understand that especially at an agency, you’re dealing with so many clients, you have so many client needs. You’re you have different outcomes that you’re looking for, or different things that you have to balance. So I want to be as mindful and thoughtful as possible. Because my advice really is just like doing the best job that you can to tailor a pitch to the specific reporter right and a specific publication. I feel like I often get pitches that will want to know their mass, I understand if their mass sometimes mass announcement makes sense. But I feel like I get a lot where people are pitching me exclusives on a product announcement. And I very rarely, if ever, I’m going to cover a product announcement. And that can be a bit frustrating to go back and forth. To highlight that, when it felt like you were reading the newsletter, were able to engage with Axios a bit, you maybe will pick that up. But also I understand the client demands and the hopes there.
So I think doing the best you can to tailor it. I always appreciate pitches that maybe harken back to other stories I’ve covered or that explain a little as to why they think Axios is a good home for this or explains Hey, I saw you wrote on this. If you’re ever working on this topic in the future, I don’t know if you’re still pursuing it. Here’s my client, just FYI. And I think being understanding that I’m not going to be able to respond to every single one of those outreaches. I do I personally, I can’t speak to every reporter but I do personally flag a lot of those emails so that if I’m ever working on a story in the future, you were there, you will come up in my inbox in my folder. But yeah, it’s a bit tricky. I think just like trying to explain the, to us a an axiom is why it matters, right? Why me? Is really the best way to go. Even though I know that can be really hard when you’re emailing like dozens of journalists about the same day, all the time. So you’re being as tailored and specific as possible. Within the confines of your job. That’s what I got
MF: Yeah, I mean, and that shows the skill that we try to practice. So that makes perfect sense. I am curious, you know, in all of your time at Axios and writing the Codebook newsletter, has there been a, it could be a few, have there been any stories or newsletters that really stand out to you, like maybe they just hit at exactly the right time, or maybe one of your sources had a story that was just really impactful and tells that human perspective? Are there any that stand out to you in that way?
SS: Yeah, I think some of those stories are more dependent on the news cycle or different types of storytelling experiences, right. So you know, some of the ones that had the biggest responses are stories that maybe hit at bubbling frustrations about certain technology companies that have to be in the news a lot. And being able to get those background conversations about how it’s how various vendors or customers or government officials are feeling about the repeated incidents targeting that company, or they’ve been stories where I kind of use like a first person narrative, and then weave in sourcing from there. So one that comes to mind. And this is gonna make me sound really paranoid. I just this was the best solution I could think of I love TikTok but I, as a reporter, I’m always nervous about I just don’t know how serious the security ramifications were or are. It’s all kind of hypothetical. But then of course, for me, I do I need to take a chance on the hypothetical. So I did put TikTok on my on a burner phone. And I had like a whole story where I was like talking with various security researchers about their thoughts and like what I should be doing, and i got a lot of responses as well, but it’s still weaved in outside sourcing who were willing to play ball with me and chat with me because TikTok is a very polarizing topic, not just in Congress, but also in the security community. And so it’s stories like that, where we can kind of add an element where people don’t know or are kind of getting a sense that something’s happening or kind of feed that like the central point of ongoing conversation where I think we get the most responses and the most engagement. So I feel like there’s always a conversation about oh, how secure is TikTok? Frankly, I don’t even know I couldn’t even tell you and I think that’s super helpful for them and in saying what the story is about, like responses to various incidents like, oh, this keeps happening a lot of people frustrated. 
Yes, it turns out they are, even if that’s on background, and I’m always open under those types of conversations, depending on the topic, so, yeah, it’s kind of it’s stuff like that where we just get creative. I wish I could tell you that it was one specific pitch from a company or something. But I think just being willing to think outside the box said, be a little newsy or fun. It’s always. I mean, yeah.
MF: TikTok on a burner phone. I have not heard of that one before.
SS: I did, Kara Swisher did it first. So I just I did it a year later, when it was still happening. I get it. I it’s just a conversation that we have every spring for whatever reason. It
MF: And you would think like cybersecurity. I feel like those stories would be interesting to a wider audience simply because it shows Oh, this, how does this impact me? Well, I mean, I love to talk. So TikTok relates to a lot of people. I’ve had so many friends who also work, you know, on the hill, and they’ve been back and forth about it too, like, do I keep this? Do I not? And yeah, no, these conversations are definitely important.
SS: Totally, totally. And I feel like the aim to bring it to the audience, right? It it really is those pitches where we’re thinking about, okay, how does an everyday person get impacted by this security topic is they’re usually the best pitches for Axios. In particular, right, there’s probably a different home for the product announcements, or new hires or a lot of VC funds or financing things, I need to cover some of that stuff. But for us, it really is if you could boil down to me how this impacts like a normal person, quote, unquote, normal is relative. But that is like, it’s gonna go a long way with us. Yeah.
Steve Bosk (SB): Awesome. That’s terrific, so angry and segue to I think what’s on everyone’s minds were less I can’t believe we’re less than 30 days out from RSA. I guess, what’s, what’s one thing you’re thinking about going into this year’s conference, you know, based on some of your experiences and lessons learned from last year?
SS: Yeah, so for me, everyone’s going to cover this differently. I feel like that’s the theme of every answer I give you. But so for me, I found last year was my first time covering this for Axios, in particular, this will be my second time with them. And it’s just me on the cybersecurity team, or some outlets that send their whole newsroom where they send like two or three reporters, and they can all coordinate, who is going to the one on one meetings or the side roundtable announcements versus who is covering panels and things like that, I kind of have to be like Wonder Woman in a certain way and cover everything and not miss stuff. So for me, it I’m really thinking about the best ways that I can get like the most thoughtful features and analysis stories, the things that kind of hit at the pulse of what the industry really cares about that we haven’t covered yet. Things that hit at even the threat landscape that maybe keep coming up ways that we’re trying to defend against this stuff. And so for that usually translates to me meeting more so one on one or doing roundtable briefings or interviews on the sidelines of RSA versus covering panels. I tried doing that last year. I don’t know why I did that. Because we just don’t write stories based off of panel events. And my newsletter is not daily. So it builds up very quickly. We don’t need to really go to panels to fill up the newsletter. And so I’ve been thinking more so in terms of like broad brushes and trying to sit down with myself I know for comms world being less than 30 days out, it’s like, like daunting. For me, I’m kind of writing easy. I’m like, Oh, we got three weeks the new cycle is gonna change a lot before then let’s see what happened and, and scheduling meetings has been kind of a slower process for me. So that way, I don’t have those last minute shifts and changes. But really been trying to sit down with myself to think about the question that I really want to try and get answered. 
They’re usually things around, of course, AI, we’re trying to get the concrete stuff down rather than the predictions and the hopes. tarde not everyone has a an answer yet, which is fair, but tricky for me as a reporter. It’s stuff around the threat landscape. We cover a lot of that stuff, cyber espionage, ransomware, business email compromise scams increasingly, and we have a lot of readers who are interested in coverage of scams or fraud, things like that. Yeah, and just trying to figure out who I can meet with who, you know, how much time do I invest in sources who I’ve known for years and seeing them in person and versus meeting new people and figuring out where they fold into that sort of stack. So that’s kind of like how I’m thinking about it. And, frankly, I we’re three weeks out, perhaps I should have this list already. But I’m still finalizing my list of topics to figure out how to dive into this a little bit better. But yeah, RSA
SB: Well, you know, obviously we’re, you know, we pay attention to all things news, we couldn’t help but read through the great story on your organization in the New York Times about how you guys are approaching AI, more event focused stuff, and subscription stuff. And I mean, if you if you’d love to break some news on our podcast about any fun subscription stuff that you’re doing with Codebook, or anything, that’d be awesome. We’re all for it. But I guess you guys are also doing an event at RSA as well as and you know, what? What are you hoping to get out of that? For for the audience?
SS: Yeah, I wish I had some news for you. I do not. I’m kind of also patiently waiting to see where Codebook falls in that exciting news. But it is an approach that our CEO has been talking with us about for months now. It’s very, Axios is very focused on leaning into the subject matter expertise of our reporters. And that means engaging more in podcasts, in events, in a lot of like other media outlets, right, to really showcase that Axios is not just out here, writing straight from a press release or just like regurgitating the news that you might see from elsewhere. Because that, potentially, I don’t know where AI is going, but that potentially is how AI could replicate our jobs and things like that. And so for us, yeah, we did an RSA event last year. Axios, we didn’t have, we had a pause in our cybersecurity coverage. I’d put it that way. For a few years until I came on board, just people left, there was a pandemic, it was unclear where news is heading, do we need to fill this role, then, you know, SolarWinds happened, Colonial Pipeline happened during that break, and that was very clear, they needed a cybersecurity reporter again.
And so last year was the first year that I was at Axios, during RSA, we did this reception it, we didn’t really do a lot of outreach about it. Some of our receptions are more invite only some of them are more public. Last year, we did more of an invite only to kind of test the waters and it went really well. So this year, we are still figuring out the lineup. I think we just secured the event like a week ago. So it’s been a, we’re hustling, but most news events are this way. So it’s not anything out of the ordinary. And I think the goal is just to further engage with the community, let them know that we’re here, right? We are a resource. We are interested in hearing your stories, you want to be a part of this community more and more. The plan is to have one government speaker, one industry executive, I can’t say for sure who exactly will be on the panel yet, stay tuned. But that is a big part of our strategy. And Axios also adds these events. We do these like salon tech dinners as well. So we’re hosting one of those that that invite only that invite list is pretty much locked down at this point, but we’ll also be doing one of those that that kind of adds to our events lineup, right. So it’s more than just the public receptions that we host. We also do these like salon esque dinners in D.C. and San Francisco, New York on various topics. We’ve done a few on cybersecurity that also just engage like 20 people in a conversation about cyber and different topics. This year’s focus is on small to medium sized businesses. So that will be like a nice hook. So it’s not just all of cyber. I mean, RSA is so much cyber so boiling it down. It’s important, but yeah, that’s the hope it’s just engaging with the community, getting them in, and then building relationships from there.
SB: Yeah, that’s great. And just building on some of the things that we talked about earlier in the podcast and Madison in terms of, you know, how people can approach you and obviously, you know, paying attention. So you’re, we’re X message in terms of, you know, we’re waiting on on, you know, RSA hold on, guys, but, you know, if there’s any advice in the next couple of weeks in terms of how to approach you and what you’re truly looking for, you know, based on what we talked about earlier, you also mentioned the value of roundtable offerings and so forth what’s, you know, one additional piece of advice you’d want to give to cyber communicators.
SS: Yeah, I actually got in trouble for that or got not in trouble. But more so teased a lot for that post because it came after a few different people that emailed me in March about RSA. And then it very clearly was a little bit sassy on, I was on LinkedIn, I’m not on X as much anymore. But whoopsies. But I have two bits of advice. One, personally, I have only been slowly scheduling things so far. So I’m not completely booked up yet. I know my inbox is a mess. But I’m following the same philosophy with RSA stuff that I am with sourcing. So if you have clients going to RSA, send an email, the sooner the better, because I will at some point, really start locking that down in the next week, probably. And it is helpful if you are an agency to just send one email with like a list of who’s going. A lot of people do that already. But some people do not and it is, I think just maybe to keep for them, it helps to keep that thread organized and siloed. But it’s way better for me as a reporter to just have one line of communication, I can just go through that email really quickly. Personally, the way I do it is I flag everything. And then one afternoon, when I realize I’m free, I’m going to sit down, go through the whole schedule, then read all those emails, and then just like put it all together like a master list. So if you have it in one concise place, that is the best thing. The second is I would maybe limit follow-ups. This is just a general practice, like maybe two or three. I get so many. And I know that’s common practice. But there are some people who really are calling me, who are like following up non-stop, who have been emailing since January. I get, I understand there’s a demand, the different agencies have different policies, but just remembering that we are all human beings. It’s really my biggest. I’ll get back to you when I can. Yeah.
SB: Very good point. Very good point. So no this has been great, I guess, you know, one, one thing, and this is just a final hot take, which is and this goes back to the event strategy, too. I I’m sort of a big believer in why not the RSA Conference moved to different cities each year. It would be great for event strategy too especially, you know, for that as well. But yeah, are there. What are your thoughts on RSA staying, you know, continuing to stay in San Francisco? Or are you a big advocate for maybe seeing it in a different city each year moving forward? Yeah,
SS: Yeah, I actually haven’t given much thought to it. But I do. This is my third in a row. And it is ridiculously expensive to keep going to San Francisco and it’s kind of ridiculous in terms of the fact that I have to like book a hotel in December to make sure I’m getting a good rate, and I’m not like out by an airport somewhere, right? Because everything got booked up so soon. I do love San Francisco. So I feel like I’m 50/50 on it staying, I love having an excuse to go out there. A lot of my team is out there. So it is very nice to be able to have an excuse to go every year. But I personally am also not opposed to it moving around so long as it’s easy for people to get to and maybe even more affordable than San Francisco. Now I say this and if they move it to Vegas, I might be kicking and screaming. I go there enough in the middle of summer. I don’t need to spend more of my time every year in like dark conference rooms. Going through casinos to get to meetings. Right. So that’s a unique Black Hat/DEF CON experience that I can’t do twice a year. I just can’t do it twice.
MF: Well, I might be in Vegas this summer as well. So Sam, if you’re out there, maybe we can meet up.
SS: Yep, I will most likely be there. I have not booked any of my flights or anything. Unless someone tells me No, I’ll be there.
MF: Yeah, I mean, speaking of summer plans, so we’ve got you know, RSA coming up at the start of summer. I know that’s going to be super busy between the travel between the briefings and just all of the meetups there. Are you planning on any rest time after that? Are you going to be taking any breaks and maybe have any fun summer plans coming up that you’re looking forward to?
SS: Oh, yes. I also have fun summer travel is like all based around music. Two of those trips I’m an insane human being are based around Taylor Swift concerts in Europe. So of course if I’m on PTO this summer, there’s a very good chance that because As I went to go see Taylor Swift again, in a European country. I don’t believe that that is happening twice. I just didn’t say it how I did it. I don’t know. They’re not resale tickets either. So it just played the game but it got lucky every time I went to go buy tickets when she announced so yeah, that is that is kind of my life right now. I still want I love traveling. So a lot of it is a lot of discipline travel in between the the conferences and things like that. But yeah,
MF: That is super relatable, but good to have a balanced, you know,
SS: Yes. Totally.
MF: Awesome. Well, Sam, it has been so great having you on our podcast this afternoon. We thank you a lot for your time and also just wish you the best of luck as you’re preparing for RSA this season. So thank you.
SS: Thank you guys.
SB: All right.
MF: And thank you to all of our listeners here at Inside the Media Minds. We will catch you next time.
Outro: Thank you for joining us on today’s episode of Inside the Media Minds. To learn more about our podcast and hear all of our episodes please visit us at W2Comm.com/podcast and follow us on Twitter @MediaMindsShow, and you can subscribe anywhere podcasts are found.