FAIR Institute Board Member Wade Baker started the Verizon Data Breach Investigations Report (DBIR), the granddaddy of cybersecurity incident reporting, and still the leading source of hard data on the threat landscape. He recently co-founded the Cyentia Institute, a private research firm that carries on in the research tradition of the DBIR—and started teaching as a professor at Virginia Tech’s College of Business where he’s creating a business-oriented cybersecurity program with a major focus on FAIR.
What’s the state today of publicly available data on cybersecurity incidents?
There is a lot more data publicly available than when I started the Verizon DBIR over 10 years ago. But I think that the available data is not always of high quality; there are a lot of data points that are sharply contrasting. The challenge now is how to wrap my arms around five or 10 points that may not be in alignment and how to make sense of all that.
What would make the data scene better?
I would love to see a place where incidents are collected and anonymized and made available for study. However, I think we could just get better at normalizing the data, if that’s the right word.
For instance, we recently wrote a blog series on ransomware for the Cyentia Institute, where we were taking publicly available information on the prevalence of ransomware and trying to put it in FAIR lingo. Lots of people report that “Wow! There’s been a tremendous increase in ransomware families!” To them, that means that ransomware frequency or likelihood was going up. But it really doesn’t mean that. If the number of ransomware detections goes up, that’s more like contact frequency going up, in the FAIR model.
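To make the terminology point concrete, here is an added example (not from the interview, and not Cyentia's code) that walks a ransomware detection increase through a simplified FAIR decomposition: contact frequency × probability of action gives threat event frequency, which × vulnerability gives loss event frequency. The scenario numbers are constructed.

```python
# Added example (not from the interview): a minimal FAIR-style decomposition showing
# why more ransomware detections (contact frequency) do not by themselves mean more
# loss events. All numbers are constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FairScenario:
    contact_frequency: float      # contacts per year, e.g. ransomware deliveries seen by controls
    probability_of_action: float  # share of contacts where the attacker actually attempts harm
    vulnerability: float          # probability an attempt succeeds and becomes a loss event
    loss_magnitude: float         # constructed expected loss per event, in dollars

    def threat_event_frequency(self) -> float:
        return self.contact_frequency * self.probability_of_action  # TEF = CF x PoA

    def loss_event_frequency(self) -> float:
        return self.threat_event_frequency() * self.vulnerability  # LEF = TEF x Vuln

    def annualized_loss_expectancy(self) -> float:
        return self.loss_event_frequency() * self.loss_magnitude  # ALE = LEF x LM


def interpret_detection_increase(baseline: FairScenario, detection_multiplier: float,
                                 vulnerability_after: float) -> dict:
    """Translate 'detections went up N-fold' into FAIR terms.
    Detections scale contact frequency; only the vulnerability term reflects whether
    controls (backups, patching, EDR) changed. Both effects are returned separately.
    """
    after = replace(baseline,
                    contact_frequency=baseline.contact_frequency * detection_multiplier,
                    vulnerability=vulnerability_after)
    return {
        "tef_before": baseline.threat_event_frequency(),
        "tef_after": after.threat_event_frequency(),
        "lef_before": baseline.loss_event_frequency(),
        "lef_after": after.loss_event_frequency(),
        "ale_before": baseline.annualized_loss_expectancy(),
        "ale_after": after.annualized_loss_expectancy(),
    }


# Constructed baseline: 200 ransomware contacts a year, half are real attempts,
# 5% of attempts succeed, each costing $50,000.
BASELINE = FairScenario(200.0, 0.5, 0.05, 50_000.0)

if __name__ == "__main__":
    # Detections double but backups/patching halve vulnerability: LEF stays at 5/year.
    print(interpret_detection_increase(BASELINE, 2.0, 0.025))
    # Detections double with no control change: LEF doubles to 10/year.
    print(interpret_detection_increase(BASELINE, 2.0, 0.05))
```

The first call shows threat event frequency doubling while loss event frequency and annualized loss stay flat; the second shows that the same detection increase does raise loss frequency when nothing else changed.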
Hear Wade Baker speak at FAIR Conference 2017 in Dallas, October 16 and 17.
What do you think is the value of FAIR, particularly in today’s environment?
The primary value, even short of any of the calculating portions of FAIR, is just thinking through a problem in risk-oriented terms. That’s where I see most people go off track right from the start. They don’t even know what a risk is; some people are talking about a threat, some people are talking about an impact, some people are talking about an application. So imposing a framework on those conversations is hugely helpful.
Then, once you get that, the second step is: How do we measure and assess these things in a logical way? That’s the second big value.
Tell us about the Cyentia Institute. How did it get started and what is its role?
It’s an effort to do the kinds of collaborative research we did at Verizon in an independent fashion. My partner is Jay Jacobs, who was at Verizon and worked on the Data Breach Report with me. The Cyentia Institute is a research firm. We want to take on interesting projects, especially more data-driven ones, and publish research. We pay for it through sponsorships.
You recently did a “Cyber Balance Sheet” study on communication between CISOs and Boards. What were the key findings there?
The idea was to get at how security leaders think about measuring their programs and communicating risk to the board, and, vice versa, what the perspectives of board members are. The interviews yielded fascinating results.
Some of the findings that stick out in my mind are just the very different ways of thinking. You’ve got security leaders who are often very technical, and you’ve got board members who are aware of cybersecurity, but it’s certainly not their thing, and they have varying degrees of awareness and tolerance for it.
Some are just “I don’t care, I just want to know things are OK and I’m not going to get in trouble.” Others view it more as a core aspect of the business.
I came away from the study thinking that the onus is on the CISOs to explain themselves better.
I didn’t find a lot of board members that were highly prescriptive: “I want the reporting exactly this way.” So CISOs have some leeway in what they want to present. Board members did have reactions to “I like what I’m seeing” or “I don’t like what I’m seeing”. There’s a perpetual refinement going on, and that’s the state that we are in.
Risk reporting is a major component of what they want, though they didn’t have a good sense of what that would look like. They still view cyber as something distinct from the rest of the risks they are dealing with, and they’re not sure how to bunch all that together. That’s a clear issue where I think a lot of education is needed. It will become more and more important as losses continue and as regulation increases.
What’s the bottom line advice for CISOs?
The bottom line for CISOs now is fairly mundane. If I were a CISO making my first board report, the first thing I would do is check what they’re expecting to see. Start there and then begin to bridge that into a more rigorous reporting of risk, to move toward a more legit accounting of the risks inherent to the business.
What’s coming up next from Cyentia?
We’re looking at analysts within security operations centers, what makes them more effective, and how we can free them from low-value activities (clicking through “clear that ticket, clear that ticket”) and let them do things humans really need to do.
Another thing we have going on that’s very relevant to FAIR: We launched the Cyentia Library with 300 different reports to help with cybersecurity data collection and we use several FAIR tags and categories as part of the organization.
When you’re not running surveys of security professionals, what do you do for fun?
A lot of my extracurricular activity is with my family. I have five kids ranging from six months to 11 years old. There’s a bunch of them and they keep me busy in a good way.