Shostack + Friends Blog Archive

 

Can You Hear Me Now?

Debix [link to http://www.debix.com/research/index.php no longer works], Verizon [link to http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report/ no longer works], the ID Theft Research Center and the Department of Justice have all released really interesting reports in the last few days, and what makes them interesting is their data about what’s going wrong in security.

This is new. We don’t have equivalents of the National Crime Victimization Surveys for cyberspace. We don’t have FBI-compiled crime statistics. What we have are lots of people with lots of opinions, making lots of noise. It can be hard to get your message heard over the noise.

Tufte talks about credibility as one important outcome of good visualization: how showing your data effectively can make your case for you. In security, we haven’t shown our work very often. That’s why in the New School, Andrew and I made gather and analyze good data two of our key closing points. Some people have suggested they wanted more specifics, and I’m now glad that we didn’t. This outpouring of data makes this a tremendously exciting time to be in security.

Sharing data gets your voice out there. Verizon has just catapulted themselves into position as a player who can shape security.

That’s because of their willingness to provide data. I was going to say give away, but they’re really not giving the data away. They’re trading it for respect and credibility.

Verizon, we can hear you now. We can also hear Debix, the ITRC and the DoJ. Because they’re buying credibility with their data.

(Disclaimer: I’m a Debix shareholder, and I reviewed a draft of their report.)

[Update: Verizon’s report is getting lots of commentary. Interesting bits from Rich Bejtlich, Chris Wysopal, the Hoff or Slashdot.]
