Name: Wade Baker
Title and company: Independent consultant and Co-Founder of the Cyentia Institute
Number of years in the information security industry: About 15 years
RSAC: What was your first job in the infosec industry?
Baker: I was an instructor and system/network administrator at a university. They needed someone to take on infosec teaching and administrative responsibilities, and offered to pay for training. I jumped on the opportunity. I still remember going home after a day-long training session excited about the prospect of specializing in infosec. It was thrilling for me in a way that managing user accounts and making routers talk was not. And it still is 15 years later.
RSAC: What does the RSA Conference 2017 theme, “The Power of Opportunity,” mean to you?
Baker: I appreciate the quote on the 2017 RSAC theme announcement page about approaching opportunities with the mindset of a beginner rather than as an expert. And I think it’s especially apropos to the field of infosec. On the one hand, there’s a lot of innovation and investment in the field. On the other hand, I sometimes ask myself how we have fundamentally changed over the last decade and I have difficulty answering that question. I could go on and on about this, but when a majority of infosec budgets are spent on technologies and practices that have more or less been around for two decades, it kinda goes without saying that some new approaches to old problems could do us a lot of good.
RSAC: What is the #1 trend infosec professionals need to be paying attention to right now?
Baker: I’ve spent most of my career studying threat-related trends, so my answer may surprise some. But I don’t think the trends that will substantially impact the field and practice of infosec for the next five to 10 years will be related to threats. That’s not to say threats won’t continue to advance and adapt and force us to do the same; they will and we will need to as well. But what I see really shaking things up is the increased focus/pressure we’re seeing in the realm of corporate governance and accountability for infosec. We’ve said infosec has had executive and board-level visibility for years, but I don’t really think it’s been a major topic with them until more recently. As long as infosec management and staff sent up a few promises or metrics that things were being handled, they were content with that. And that’s what I think has changed; they are not (and have realized they cannot be) content with a simple “we got that.” And my hope is that the increased focus from the top and pressure to actually prove we’re doing the right things will finally force us to mature.
RSAC: How can the industry balance the opportunities with new and growing technology with keeping our data (and people) secure?
Baker: This is going to sound super cliché, and I’m almost loath to say it. But it is ever more obvious to me as time and tech roll on that we must build security in from the beginning rather than trying to tack it on later. Tacking it on was hard enough when all we had to worry about was making a virtual wall around a stationary box that had limited functionality and use. It’s absolutely impossible to do that in today’s technological ecosystem where data and access are ubiquitous. Of course, that’s easier said than done, but I sure would like to see evidence that at least the mindset has changed in the new products and services that are hitting the market.
RSAC: You spearheaded Verizon’s annual Data Breach Investigations Report. What’s your favorite part of that experience?
Baker: If I had to pick only one favorite part about the DBIR, I’d have to say the fact that it was respected so widely across the industry was my favorite part. I feel very fortunate that it was read by so many, but ever-so-much more so that people thought well enough of it to actually pay attention and use it. That was and is immensely gratifying. But there were so many other great aspects of my experience with the DBIR that I could easily keep going…but I’ll follow directions and end it here.
RSAC: You believe improving information security starts with improving security information – can you tell us what you mean by that?
Baker: I’ve always believed that one of the fundamental challenges of securing an organization is that it’s so stinking hard to figure out how best to use limited security resources for maximum security effectiveness. We just don’t have the information at our fingertips needed to support such decisions, and so we tend to rely on gut instinct, expert opinion, news headlines, and peer recommendations to decide what to buy/do/etc. We have a lot of security data, but vastly little of that data becomes quality information that can be reliably used to drive better decisions and practice. I hope that changes one day.