EPISODE 91
Can you trust the Verizon Data Breach Investigations Report (DBIR) to help you run your Cyber Risk Program?

About this episode

October 26, 2021

Is the Verizon Data Breach Investigations Report (DBIR) trustworthy enough for cyber risk managers to use it to choose new or improved mitigations? Our guest Suzanne Widup, one of the long-time authors of the report, will tell us how the report is made and why you can trust it. Your hosts are Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, virtual chief information security officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com, and klgates.com.

Kip Boyle: Jake, hi. What are we going to talk about today?

Jake Bernstein: Hey Kip. So with all of the attention that we've been giving to the Verizon Data Breach Investigations Report lately, the question has come up, "Is the DBIR trustworthy enough for cyber risk managers to use it, to choose new or improved mitigations?" Obviously I think it is, but today our guest Suzanne... Widup? I should have asked that question. And this is how you know it's a live radio program, except it's podcasting... is going to walk us through how the DBIR is created each year, so you can see that it is in fact as trustworthy as I believe it to be.

Kip Boyle: Yeah, great. Suzanne, welcome to our podcast. We're so glad that you're here.

Suzanne Widup: Thank you for having me.

Kip Boyle: Yeah, you bet. Absolutely. And we're excited because while we've talked a lot about the DBIR, and we use it a lot, we haven't talked very much, or maybe at all I don't think, with the people behind the scenes who actually create such a useful tool. And so Suzanne we've only recently met you, even though you've been working on something that we've been reading for years, but please, will you introduce yourself to our listeners and tell us a little bit about your background?

Suzanne Widup: Sure. So I'm Suzanne Widup, and my background actually started in IT in Unix system administration. And then I moved into security engineering and got into computer forensics. And then... I know it's kind of a leap. And then when I was looking for a job, I was also doing an open source report that was kind of like an open source version of the DBIR. And I applied to Wade Baker, and got the job as one of the co-authors of the report. And the rest is history. That was nine years ago, god.

Kip Boyle: Wow. That's fantastic. So, in another problem space that I work in, I help people get into cybersecurity. And so I think your career path is instructive, right? You started in Unix. So you were just in IT, you were a Unix sysadmin, and then at some point you crossed over. What was that like? What was the impetus for you to cross over into IT security, cybersecurity?

Suzanne Widup: That's actually a funny story. So my brother's company was hacked by a Russian script kiddie, and he called me in for help, because it was a Linux box. And so I went in there and the guy hadn't even cleared his history. So we got to see absolutely every keystroke he had done and it was pretty funny. But yeah, that kind of was the security bug that I got. And so I started looking at security from there.

Kip Boyle: So you tried it, you liked it, you stayed.

Suzanne Widup: Pretty much, yeah.

Kip Boyle: Okay. Well, you know what, that's how a lot of people get in.

Jake Bernstein: Yeah. And I noticed that you're the founding member of the non-profit Digital Forensics Association, launched over 14 years ago. That's no small thing. So I assume that your motivation for that, to do that, was linked to your love of security.

Suzanne Widup: It was. It was at the time there were organizations that forensics people could join, but they had a barrier to entry saying basically, "You could only work for the prosecution." And I didn't think that was a fair barrier to entry. So I started a nonprofit for people who do forensics.

Kip Boyle: I had no idea that that was a thing. Wow.

Jake Bernstein: Well, that's interesting too, because it's not like forensics is only for the prosecution.

Suzanne Widup: Yes.

Jake Bernstein: That's-

Suzanne Widup: If you're accused of something, you should be able to get people to defend you and prove that you didn't do something you're being accused of. And I just think that's only fair.

Jake Bernstein: Absolutely. And I would say, even more so, the need for forensics has expanded well beyond just criminal prosecution. So I think that in and of itself is an important development. So that's interesting. Yeah, that's very interesting. Okay. So let's talk about the trustworthiness of the DBIR. And we want to talk about how the DBIR team gathers, cleans, and qualifies the source data. But before we do, I must ask who gets to come up with all of the amazing cultural references that are sprinkled in the footnotes throughout the DBIR. It is so much fun to read, and that is no accident.

Suzanne Widup: So that is a group effort, absolutely. Although we call David Hylender our chief snarchitect, 'cause he is the best at the jokes, hands down.

Kip Boyle: I want that job, I want to be a snarchitect.

Jake Bernstein: Okay. Not, I have... this is even better. The chief snarchitect. I mean that it does not get bigger. Okay... ladies and gentlemen, that's the episode. We have brought such high quality content with chief snarchitect that that is all that we need to do. Okay. But, but really-

Kip Boyle: And, scene.

Jake Bernstein: ... let's talk about the DBIR... the data, because there's a lot of information in there about that. And I'm curious to know from the inside, what is going on?

Suzanne Widup: So we pretty much have a year round process. We start in right after Halloween, we start bugging our partners and asking them to give us data. And so, as the data comes in, of course, we have to put it all into that same apples to apples format. We use what's called VERIS, the Vocabulary for Event Recording and Incident Sharing. And we use that to codify all of the data so that it's all in the same format. And when we run our statistics, we actually can make sure that we're doing valid comparison. And so it's the first thing we do is we start getting data in, and if it has missing things, or if there's unclear areas, we will go back to the partner and ask for clarification, and that sort of thing.

Some of these data sets are really, really big from some of the partners. Some of them are very small. We have forensic firms and law firms that give us just a very small number of cases, but they're really high quality. And so it just... the quality of data is going to vary tremendously depending on the source. And it's just an awful lot of going through and looking at the data and coding it up and making sure that we haven't introduced any coding errors and that sort of thing.

Kip Boyle: So how is that done? I mean, somebody in the audience might say, "Oh, well, that must be some kind of AI/ML kind of a tool set," or something like that, right? 'Cause I mean, we're talking about massive amounts of data, right? But you're laughing, because no, that's not how you do it. Tell us how you do it.

Suzanne Widup: So we are a tiny team. There are four of us.

Kip Boyle: Wow.

Suzanne Widup: And... yeah, we are actually looking at all of the data. We do have some things that will... sometimes they will give us a narrative, just like a PDF of the case description and everything. And we will go through... we have a web application and we'll go through, and we'll just fill out on the forms and that sort of thing. Sometimes they will give us information in an Excel spreadsheet, and we will go through. And we do have some scripts that will automate the larger data sets when... someone will look at it, make sure that our mapping is correct, because if it's an external actor doing something nefarious, we have something that'll go in to codify that properly, and that sort of thing. And a lot of times it's the action and that sort of thing that you have to sort of focus on.

Jake Bernstein: It sounds a lot like the amount of work that goes into coding documents and litigation, there is no substitute. And ladies and gentlemen, if you didn't already fully appreciate how much work this takes, you're hearing it now. This is an enormous undertaking every year. And I don't want anybody to take for granted what's in that report because it is... I've called it a treasure trove numerous times. It's the quality of the data and the care that goes into it makes it, I think, unique amongst industry reports. And the amount of value that the community as a whole gets from it, it really is... I don't think there's no sufficient thanks to Verizon and your team for putting in that kind of effort. So it's really interesting that that's how... it's a manual process for the most part.

Suzanne Widup: Yeah. And every year we work on our tooling to get it less and less manual. And our chief data scientist, Gabriel Bassett, has been instrumental in that. And so once we get the data into a decent format, then it takes it and it runs reports, and does the steps that make it at least presented in such a way that we can do our analysis easier, because that's the next step after you've done all your data cleansing and all that sort of thing. And our initial report runs will sometimes point out where something has gone amiss in the coding as well. Suddenly you look at it compared to last year and this one thing is huge. It's like, "Is that from one partner?" And you go back and you look at that.

Then it's a matter of once we've applied our filters, we do have quality filters in there. Cause if we have a large number of... we wind up with a fair amount of incidents where you know that there is a DDoS, that's all you know. And so you can't fill in some of the other things, and we're very careful not to make inferences, because if it's not saying this is correct, then we're just not going to put something in there saying that this is what's happening, even though it's more likely, but we just don't go there.

Kip Boyle: Yeah. So you err on the conservative side, you're not going to make too many leaps of faith, or any leaps of faith as far as what data you're putting into the set, or how you are qualifying that data, or that sort of thing. Okay, that's what I'm hearing you say. So now you said, and I really want to focus on this because when I read the report, I get the sense that this is happening, but you guys don't really talk about how the sausage is made too much. I mean, you do a little bit, right? But for example, I didn't know that Halloween is really kind of when you start the... where you kick the ball and you're now starting to, like, "Okay, what's it going to take to produce the next version of the report?" How long do you guys spend cleaning data versus analyzing it? Just give me some idea of what's the allocation of effort there?

Suzanne Widup: So usually we tell our partners that we have to get the data in by the end of the year. And then we will... as we get it, we are cleaning it. But usually there's also some stragglers. So our data set is usually finalized late January, and then we're writing the report, and it's quite an engine to get the report out. Even once we get our draft, our first draft out and give it to the group that does the layout and all the other things that it takes to get it out the door, because if you've ever published anything, you know that the lead time for other groups to do things is usually very high. And so that's what we deal with every year. And then it's all the other collateral and stuff that has to be made as well.

Kip Boyle: Right.

Suzanne Widup: Because those charts don't make themselves.

Kip Boyle: Yeah, that snark doesn't write itself, people.

Suzanne Widup: No it doesn't.

Jake Bernstein: And the charts are second only to the snark in their inventiveness and quality and utility.

Kip Boyle: Yeah. I am a big data visualization person. I love to look at data in a nice visualization. And so who's responsible for the report being so visually oriented, because that I think is another distinctive feature of it.

Suzanne Widup: So yeah, our chief data scientist, Gabriel Bassett, is absolutely responsible for the data visualization [crosstalk].

Kip Boyle: And what kind of tools is he using?

Suzanne Widup: It's all written in R. All of our tools are written in R, so it's actually generating the graphics, and then it gets handed off to the layout company to... at this point, they pretty much just give him the specs for how it needs to look as far as the size of space it needs to fill. And he does that... the rest of it and hands it off to them. So it used to be that they did more work in layout, but they just [crosstalk]

Kip Boyle: So not everybody... I don't know that everybody listening knows what R is. Would you just tell us real quickly, what is R?

Suzanne Widup: R is a statistical language, and it's very good for both doing the statistical runs and actually doing the visualization as well. There's a whole ecosystem around it as a matter of fact.

Kip Boyle: Okay-

Suzanne Widup: For people who are into it.

Kip Boyle: And I think that's a really important thing to note is that when you get the data, you're not just doing some superficial analysis here, you're actually bringing hard statistical science to this data set. Is that fair?

Suzanne Widup: Absolutely, that's absolutely fair. And if you take a look at our methodology section, we go into some serious detail about how we sort of make the sausage and the statistical information around it to sort of give you an idea of how much trust to put into what we're saying. And that's the reason we want to be very transparent so that people can make that decision for themselves. And that's the section that our data scientist... we let him go to town on that, that's his baby every year. And so he gets to go as deep into the statistics as he wants to every year in there.

Kip Boyle: Okay. And there is some experimentation with the visualizations. I remember two or three years ago, there was a whole kind of experiment... I interpreted it as an experiment, in visualizing some of the data. And I remember just getting cross eyed, I'm like, "I don't understand what this is. I'm just going to look at the tables because I don't get this," right? So to me it was a little bit of a failure because I didn't understand it, right? But at the same time I thought, "Well God bless him for being willing to try something new," because maybe it would've been amazing? So I just want to say that.

Jake Bernstein: And there were new style charts this year that actually I thought worked very well, so that experimentation pays off. I love the... I don't even remember the name of it, but they look like bar charts, but then they end with kind of a curve and it kind of shows you... I think those are a really smart way of showing nuance in data that otherwise you don't get with a typical... a lot of just old school standard type of chart. So Suzanne, one of the things

Kip Boyle: You ready to move on? [crosstalk]

Jake Bernstein: I want to move on to VERIS.

Kip Boyle: Yeah, because VERIS is super important.

Jake Bernstein: VERIS is super important, and VERIS was something that I really, really focused on back when I first discovered the report when I was first getting into security in 2015. Can you just maybe describe... so you said that it means vocabulary for event recording and incident sharing, and that it's really important. Why is that important?

Suzanne Widup: So VERIS uses what we call the four A's, and the A's are the actions, the assets, the actors, and the attributes. And it's really good at taking something like a case narrative and putting it into this very structured format. You can almost think of it as diagramming a sentence when you were a kid, and you've got the subject and the verb and all the other objects and everything [crosstalk]

Kip Boyle: Does anybody do that anymore? I remember doing that in English class, oh my goodness.

Suzanne Widup: I have no idea if they continue.

Jake Bernstein: Cause it was worthwhile, but I don't know that it's done as often.

Kip Boyle: Curse you Mr. Beasley for making me do that.

Suzanne Widup: So yeah, it's very good at breaking that down into a very structured way. And then it is useful for people to have a common language when they talk about what's going on in a security incident and a data breach, and know that, well, when I say data breach, this is what I mean, it has to be a confirmed compromise of the confidentiality aspect of the data. It can't just be at risk or anything like that. So when we talk to people about that, they're like, "Well what do you mean by data breach?" And it's like, okay. So think about a lost laptop, you can't actually confirm the data was accessed. And so that would be considered just a security incident because it's only at risk. Of course, if it was encrypted, it would not be in our data set, but unencrypted laptops are another matter.

Kip Boyle: And I remember Jake making a point of this. I remember when we did the DBIR, I think it was the first one this year, and you were like, "Okay folks, terms, we need to define terms. This is what-"

Jake Bernstein: It's my favorite thing. This is lawyer's favorite thing is definitions and defining terms.

Kip Boyle: This is Jake's favorite thing to do.

Jake Bernstein: Yeah. Well, it's critical, right? And the thing that I find so fascinating about this is that without VERIS, there really isn't going to be data that you can necessarily analyze, right? You've just got a whole bunch of narratives. And what VERIS really does is allow us to create data sets and go beyond, "Well, I got hacked. Okay, what does that mean?" Come on, there's surely more information that we can glean from people's experiences than you got hacked or I got ransomware. And so that I think is why VERIS is so important? And... My feeling is that VERIS can be used not just in the creation of the report, obviously, but it can be used to really help to understand and build cyber security practices. I don't know if that's slightly off script, but I'm curious, Suzanne, what you look at VERIS doing for not just you as writing the report, but also the community as a whole? And maybe even where it came from?

Suzanne Widup: So VERIS is something that we've tried to pro... we give it away of course, for free. And it's one of those things that we absolutely encourage others to adopt. And there's been governments that have adopted, there's been large organizations that adopted, and it's basically because it is so useful for describing what's going on in your environment, because the first step to knowing that is to start collecting data and measuring it. And if you don't do that, then you're just guessing. And so we have always made an effort to map VERIS to some of the other frameworks that are out there, so that whatever you're used to using, this will help too. This year, we did some work with MITRE and did some mapping there, and it's getting a fair amount of traction and that's hopefully going to be useful.

We also have mapped it to the CIS controls. And so that way if you've got... you look at our report and you see, "Okay, I'm in this industry, I'm most likely to see these kinds of attacks." And then we map the attack patterns into what controls are effective against them, and you've got a real roadmap there. I'm here, this is what I can do to get better. And it starts out with implementation group one, which is the very basics. And then it goes all the way up to the highest level. So that as your security maturity is better, you have still a roadmap on where you want to look at for putting your security spend.

Jake Bernstein: Extremely helpful, very much so. So I think the next thing is to really, and you just really hinted at it, so let's just move into it, which is how do our listeners use the DBIR and VERIS together to inform their cybersecurity program? This, I think is one of the... a lot of people I think will look at... I should say this, some companies put out these industry reports and they're really marketing pieces, right? And I want to make sure I don't... everyone who listens to us should know by now that the DBIR is not in that space. So it is really meant to be a useful tool, and maybe walk us through how do you guys view the DBIR and how it should be used, et cetera.

Suzanne Widup: Well, certainly a lot of people use it to direct their security spend, because it does have that sort of roadmap quality of, "I'm here. I need to be where exactly," and it helps them sort of figure that out based on what their industry is. But it's also useful... we've got it broken out by industry, what attacks you're most likely to see, you need to start thinking about, "What would that look like in my environment? How would I detect that kind of an attack?" And if you don't know, that's a really good place to start looking. And then finally people say, "Okay, so I've got all that done now, how should I use it?" Well, look at the things you're most likely to be hit with, and start doing your incident response planning and testing based on these different scenarios and what they would look like in your environment.

And it's another way of directing what your activities are and making sure that you're at least going by what you're most likely to see, and being able to block and tackle what that would look like in your environment. I mean, yes, there are certainly these esoteric really high, well, as they like to say, "highly sophisticated attacks," that do happen and are harder to detect. But if you spend all your time trying to find that needle in that haystack, when you've got this whole haystack that's coming at you, maybe you should kind of look at the easier stuff first.

Kip Boyle: It's exciting to look at the edge cases and the zero day exploits and all that stuff. But yeah, you're right. Most of this is just basic cyber hygiene, meat and potatoes, unexciting stuff. And the report, I think, does a nice job of making clear what that is. And I particularly enjoy the industry segmentation that the report provides. And so when I'm talking to customers, that's what I tell them to do is crack open the DBIR, go to your industry and focus on that, because it's a much better way for you to orient yourself to what you should be concerned about, rather than just reading the newspaper headlines or watching television shows.

Suzanne Widup: Oh God.

Kip Boyle: You know?

Suzanne Widup: I'm sorry, but the way security is portrayed in television shows drives me nuts, especially with my forensic background.

Kip Boyle: Yeah. Well that could be your tag phrase, right? Being driven nuts by television [crosstalk]

Jake Bernstein: I mean, imagine how amazing a television show would be if it was just the entire episode of someone peering into logs.

Suzanne Widup: Oh yeah, that'd be funny.

Kip Boyle: Oh god, wouldn't that be-

Jake Bernstein: That would be riveting.

Kip Boyle: Well, Suzanne, have you watched Mr. Robot?

Suzanne Widup: I've watched a little bit of it, yeah.

Kip Boyle: Okay. Well, it's very authentic to the hack. It's got other aspects that makes it very dramatic and compelling, and I don't think it's everybody's cup of tea, but I do appreciate the authenticity of the exploits, the technical exploits that they show on there. So whenever the conversation comes up about Hollywood not being very authentic, I'm like, "Well, there's one show that I think does the job."

Suzanne Widup: The one that always killed me was the NCIS ones where they would share a keyboard, and somehow that would work. It's like, come on.

Jake Bernstein: That's good, yeah.

Kip Boyle: Well, that's great fodder for your meetings, right? When you, when you get together with everybody in the Digital Forensics Association. I would think that'd be a lot of fun, but I don't know.

Jake Bernstein: Also I think the chief snarchitect could probably pull some fun quotes from that.

Suzanne Widup: Oh yeah.

Jake Bernstein: So, I think one of the things that we just briefly touched on that I would like to ask a bit about is there was a fair amount of attention paid to this notion of inequality in the data, right? And how there is something... it was the wealth quotient, I'm forgetting the name of this, the precise term there. But the idea was that it really went to this idea that something like 90% of all activity falls within 3% of the data or the action classes, and the way that it gets broken down. And, I think one of the things that I could see happening is, shall we say, enthusiastic security professionals in companies really intuitively focusing on that long, thin tail, right?

And needing to be convinced that, "Hey, look, yes I know those are high impact. And they're cool and they're scary and they sound impressive, but really, you should be spending your effort on this stuff, even though it's not as exciting, perhaps." And when we talk about the DBIR and the data quality... I want people to understand that when we talk about the data and the quality, we really are talking about it in a scientific way. You have a data scientist doing it, right? This is similar to studies that are often done. No, it's not double blind, like you might do, and in medical science, obviously it can't be, but can you just maybe comment on why you guys focus so much time and energy on gathering and cleaning and qualifying the data? What if you didn't, what if you just like, "Yeah, we'll take everything."

Suzanne Widup: Well, the report actually started because what was out there was just a lot of anecdotes, and you can't really say that a whole bunch of anecdotes is going to be valid for research. You have to actually do things like making sure you cleaned your data and gotten as many errors out as possible, and looked at the quality of the data, and adjust for one partner giving us this a whole bunch of this, and it's going to overshadow everything else that's under there because it's so much. And so that's the kind of thing that we do, we've got these forensic firms and law firms that give us a small amount of really high quality data. And we don't want that overshadowed by something that is just fire hose level.

Kip Boyle: A data dump.

Suzanne Widup: Exactly, and, it's not as high quality, we don't have nearly as many details, but there's a lot of it, right? And so you can say something about the a lot of it, but you need to also say something about all of the other that you've got in there and not have it dominated.

Kip Boyle: Yeah. So this is one of the reasons why we wanted to bring you on the show is because, to Jake's point, there's so many so-called research reports on the internet that are available. And a lot of them just don't have the rigor, right? Most of them just don't have the rigor, you guys have the rigor. And I think that that's something that people who have heard about DBIR, but haven't really cracked into it. Haven't really read it deeply, they may not understand that, they may think that it's just a puff piece for Verizon, and it's not. And so we wanted to bring that forward today.

Suzanne Widup: Well, and I think it's important when looking at any kind of research, look at their methodology section. If they don't have one, that's not a good sign.

Jake Bernstein: Not a good sign. So we're coming up on our time here, but I wanted to end with one more question, which is, and I think it's one of the more common misunderstandings, is that people look at the report and they think that, "Oh, well, this is all of the hacks that happen." And if you could just take a moment and let people know that one, that's not the intent, like you're not... the DBIR is not about cataloging every cyber incident on the planet in a given year. And I think that getting that out there might help people to understand both what it is and isn't.

Suzanne Widup: Well, yeah. And so as a complement to the DBIR we also have an open source data set, which is taking publicly disclosed data breaches and codifying them the same way, and releasing that for public use. It's called the VERIS Community Database project. And so between them, we get a fairly good view of what's going on, but there's still going to be a certain amount of breaches that never come to light, that never are disclosed at all. And if you think about it, something like an intellectual property breach probably is not going to ever come to light, unless there's a reason for it, for the company to state it. So assuming it's not a public company, then they may not state it at all. So it's not one of those data points necessarily where there's any kind of regulatory requirement for them to even report it. And so there's going to be a certain percentage of breaches that just never get reported for whatever reason. And we do not say that we have representation of all of them. We have visibility into what our partners can see, and that's largely the limit.

Jake Bernstein: And I think that's a really, really important thing to understand, because I think if you look at the DBIR, and try to start proving negatives, or making yourself feel safer because the numbers aren't very high, that's a huge mistake. That is not what the DBIR is intended to do. And I think kind of confirmation of that is useful to understand that obviously we don't have data on what we don't have data on.

Suzanne Widup: Absolutely. We have people who are like, "Oh, my industry has very low numbers. That must mean we don't have very many breaches." No-

Jake Bernstein: Exactly.

Suzanne Widup: ... that means we don't have visibility into your industry.

Jake Bernstein: And that is crucial.

Suzanne Widup: And we encourage you to lobby your industry sharing groups to be... because we always invite them. We want every industry represented, and we get a lot of data in and if you look at some of the unknown numbers in the industries in particular that could easily sway any of them largely, it's because we don't know who the victim organization is. And so we can't enrich the data or anything and say, "Oh, look it up. This is this industry. This is that..." No, we don't know, they pre-anonymize who the victim is before they share it with us, so we don't know. And so if they don't give us industry, we don't have industry.

Kip Boyle: Yeah. This is a great point, this is a great point. And by the way, Suzanne, I don't know if you... we don't talk about this all the time, but Jake actually has a background in science. So he's not just a litigator, he's actually a scientist.

Jake Bernstein: That's right. That's true, I was a molecular biologist in college.

Suzanne Widup: Wow.

Kip Boyle: Datasets, data.

Suzanne Widup: You've had quite a varied career, haven't you?

Jake Bernstein: You know, I really have, and every so often I pause and think, "Wow, I really have had a kind of a unique path," which is definitely... but you know what? That leads to a lot of different perspectives, which I think is helpful.

Suzanne Widup: Mm-hmm. I agree.

Kip Boyle: So Jake is a diverse team of one and I like it. Well, listen, we're just about to the end of our episode, as Jake said, and Suzanne, we're so happy that you were our guest and I thought we should give you an opportunity to tell people how they can find you on the internet, in case you want to talk to them about DBIR, or anything else related to that, or maybe your nonprofit.

Suzanne Widup: Well, you can certainly find us at the DBIR site, which is verizon.com/DBIR. And in the actual report every year, we do include an email for you guys to ask us questions. We can't share the data, that's actually underpinning the DBIR, but we can let you ask us questions and we can give you the results. Which is pretty helpful if you have a question about your industry in particular and how many percentages of this, we can tell you that, because it's not sharing the actual DBIR data.

Kip Boyle: No, that's great. I had no idea you took requests like that. That's... I'm glad you mentioned it. Fantastic. Okay, well that wraps this episode of the Cyber Risk Management Podcast. And today we learned about how the DBIR is created each year, and why it's trustworthy enough for cyber risk managers to use it when they're selecting mitigations to protect their businesses. And we did all that with the help of our guest, Suzanne Widup. Thank you for being here, everybody. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.