DtR Episode 80 - Lies, Damned Lies, and #InfoSec Statistics [Guests: Jay Jacobs, Bob Rudis]

Jay and Bob talk about their new book

A discussion on using data as 'supporting evidence' rather than gut feelings

Do we have actuarial quality data to answer key security questions?

A discussion on "asking the right question", and why it's THE single most important thing to do

Bob attempts to ask security professionals to use data we already have, to be data-driven

Jay tells us why he wouldn't consider "SQL Injection" a "HIGH" risk ranking - and why data challenges what you THINK you know

Quick shout out to Allison Miller on finding the little needles in the big, big haystack

We think about why security as an industry needs to start looking outside of itself to get its data - now

Jay discusses how there is a definite skills shortage in working with large data sets, and doing analysis

I ask whether there is a chicken and egg problem in large-scale data analysis

Bob brings up the "kill chain" and whether we really need real-time data analysis for attacks

Bob makes a pitch for having a "Cyber CDC" ... stop laughing

Jay laments the absolute bonkers problems dealing with information sharing (when you don't have any to share)

Jay urges you to "count and compare"