The rebellious origins of cybersecurity's wittiest, must-read report
The idea that would become the world’s wittiest cybersecurity report was born in the mind of Wade Baker, then a Security Risk Management consultant at a forgotten firm called Cybertrust. It was the mid-aughts, Baker recalls, when he overheard one of the firm’s incident responders talking about patterns he kept uncovering during breach investigations. That’s when it occurred to Baker that the firm’s investigative arm might have access to the exact information he felt was lacking in the cybersecurity industry. Why not use Cybertrust’s incident responders to collect data on the X’s and O’s of cyber intrusions?
Baker’s original goal was to produce a meat-and-potatoes-style statistical report, the bland but hearty stuff that could actually make a difference in the hands of information security professionals. But in 2007, while Baker’s idea was building momentum within Cybertrust, Verizon stepped in and bought the firm. The acquisition would set the project down a new path.
"At some point the report transitioned and became a Verizon thing, but it didn’t start that way,” said Baker, who left Verizon in 2015. “And I think that that’s important to understanding the nature of the Data Breach Investigations Report (DBIR). It seems so un-Verizon like in its look and feel and tone and all of that. And then it was like, why is my mobile phone company suddenly talking about data breaches?"
Since the first DBIR was published in 2008, the report—which is expected to arrive again on Thursday—has served as a must-read reference guide for information security professionals, delivering top-notch statistical analysis on thousands of cybersecurity incidents each year. But Baker is right to say the DBIR does not read like a typical corporate report. Because it isn’t.
No point going back and forth about it: the 2021 Verizon Breach Data Breach Investigations Report will drop by on May 13th! https://t.co/o8p8fp8Mip
— Verizon DBIR (@VZDBIR) May 11, 2021
For starters, the DBIR mixes an impish sense of humor with genuine literary flair. Each year it welcomes the reader, “pal,” to the “party,” the DBIR. “Butterfly vomit” has graced its pages, so too an extended analogy to golf that snuck into the report two years running. Yet it also excels at the high-art of the epigraph: Who knew that quotes from Pliny the Elder, Henry V, and Yogi Berra could so sensibly set the stage for a report that includes words like “non-exclusively multinomial”?
That’s not all: For several years starting in 2009, the DBIR hid an elaborate cryptogram-cum-treasure hunt inside the report. The competition, which became known as the “cover hunt” because several important clues lay there, sat somewhere between the NSA entrance exam, National Treasure, and a third-grader’s birthday party. At one point it involved a fake web domain for a fake University with fake classes that contestants had to watch to uncover a very real, and very obscure, clue.
How did the DBIR become a genre-defying mix of “pop-culture, meets science fiction, meets dad jokes,” as one former author, Jelle Niemantsverdriet, described it, and a “forum for failed comedians,” as Alex Pinto, the current head of the DBIR team at Verizon, joked?
Setting aside the definition of failure, the answer lies in corporate culture shock, whirlwind writing trips to Washington, D.C., New Orleans, and Amsterdam, and the world’s most rebellious puzzle. Buckle up, pal.
The Early Years
The DBIR may have been born without comedic aspirations, but it matured in a subversive milieu.
The incorporation into Verizon did not come easy for Baker and some of his more independent-minded peers from Cybertrust. They were accustomed to life at a smaller organization, where work flowed along fewer rungs of bureaucracy. Key adjuncts of corporate life, like a 48-hour approval process for tweets or the imposition of Verizon’s taste in graphic design, infringed on the easygoing, collegial style they had grown accustomed to at Cybertrust.
Tensions surrounding corporate oversight and intellectual independence extended into the heart of the DBIR. With state breach notification laws only just coming into effect, Baker recalls, Verizon worried that publishing the first report would incur liability or fan the flames of cybercrime. It did not help that the initial drafts employed a “business casual” tone, as Dave Hylender, one of the authors of the first report, described it.
“A lot of people hated the casual tone. They said, ‘We’re talking about a serious subject here and you’re cracking jokes about it,’” explained Baker. But, he added, “The tone of the report was very intentional. We wanted it to be easier to read. It was also one of our ways of coping and staying sane through all the work. It was like, ‘Hey, let’s see how many jokes we can get by corporate PR?’”
The unique style of the DBIR did not just represent a stamp of authenticity for its authors. It also flowed from the context of the report’s creation.
While many individuals contribute to each DBIR, the responsibility for the first report fell heavily on the shoulders of just three individuals: Baker; Andrew Valentine, who worked on Cybertrust’s incident response team; and Dave Hylender, a college literature major and recent IT convert who Verizon brought on part-time to help with the report.
Because the three individuals did not live or work in the same city, Verizon decided to put them up in a hotel to finalize the first-ever DBIR—a pattern the firm would repeat for the next two years.
The three writing trips Verizon would bankroll—72-hour “sprints” in Washington, D.C., New Orleans, and Amsterdam, as Valentine described them—fostered a productive if unconventional writing environment.
“We’d have a conversation around a table, and we’d just articulate something to each other and write,” recalled Valentine, who said the men, obliged to share a hotel room, would bounce ideas off each other during most waking hours of the day. “It read like three dudes having a conversation” because, well, that’s basically what it was, he said.
A lot of people hated the casual tone. They said, ‘We’re talking about a serious subject here and you’re cracking jokes about it...’ The tone of the report was very intentional. We wanted it to be easier to read.”
— Wade Baker, one of the original authors of the Data Breach Investigations Report
The first reports “came out of the relationship between me, Wade and Andrew,” concurred Hylender, who is the only member of the original DBIR team still at Verizon. “As time went on, we felt a little more free to express our personalities and extend our individuality into the report. A lot of what you read in the report is who I am, and who Wade was.”
One irony of the DBIR is that Verizon never did crack down. In fact, it was Verizon’s enthusiastic embrace of the project that drove the Cybertrust alumni to continue testing the limits of corporate acceptability, according to Valentine.
Soon after the DBIR became a success, Valentine said, Verizon recognized the marketing power of the report and tried to turn “an innocent, presumption-less document into a marketing tool.” The fear that Verizon would sacrifice the report’s authenticity at the altar of corporate PR is what led Baker to create the “cover hunt,” which first appeared in the second DBIR.
“That was a fun way for us to let off some steam after the report was done and I think it helped strengthen the ‘this is created by people like us who get it rather than a marketing department’ aura of the DBIR,” explained Baker.
Like most childhood obsessions, the cover hunt did not survive into adolescence. It was retired in 2015. By that point, Baker and Valentine had both left Verizon.
The DBIR Comes of Age
The DBIR has changed dramatically as it has grown in stature, but it would be a mistake to think the report has lost its edge. While the early DBIRs wielded the cover hunt to rage against the corporate machine, the report’s literary genius did not blossom until 2015. It was then that the report regularly began to break the fourth wall with its readers, to deploy the well-spun epigraph, and to call back to prior reports in mock self-importance. That year, the report’s literary exertions also started to extend beyond the introduction and conclusion, formerly islands of comedic relief in deserts of data analysis.
As it got bigger, the DBIR’s sense of humor got bolder also. One footnote in the 2020 DBIR repeated “cyber” 34 times. A second from 2015 edition makes what may be the greatest DDoS-as-male-enhancement-drug-gone-wrong joke in history. Unfortunately, save a small community of former authors and lonely journalists, it is unclear how many have noticed the evolution.
Success has nonetheless brought adjustments to the way the DBIR gets made, a process now far less improvisational than it used to be.
Whereas the original DBIRs relied on data that Cybertrust and then Verizon had acquired during their incident response work, starting in 2010 external organizations began to submit their own data to Verizon. The DBIR now includes data from 81 different organizations across the globe.
That growth has forced major changes in terms of how the report comes together, according to Alex Pinto, the current head of the DBIR team at Verizon.
For one, the DBIR team has been trimmed from a large roster of rotating authors to five-full time staff members. As the size and complexity of the project has grown, the team now works on a more regular schedule, with analytical, editing, and even joke-writing tasks evenly shared across team members.
“The data science and analysis of the report had to become more professional over time,” explained Pinto, who said the data cleansing and analysis process alone can take anywhere from 3-4 months each year. “The DBIR team is very specialized today. It represents a mix of hardcore data scientists and editors, though everyone needs to very well balanced.”
Regarding the group’s comedic talents, Pinto indicated the current DBIR team has “complete editorial freedom” to say what it wants—a bold statement, but one that seems fair in light of what the DBIR has sent to press in recent years.
Still, it is hard to avoid wondering whether the DBIR team can keep it up forever. Can a report born in corporate rebellion and really succeed within the strictures of scheduled joke-making? Will the weight of an expanding data set crush the mischievous spirit that once animated the DBIR?
Asked about the future of the DBIR, Dave Hylender, the only member of the original DBIR team still at Verizon, said that the report would retain its rigor and originality so long as the authors work hard to keep it that way.
“One of the things I am most proud of is that from the very beginning, we told ourselves we were going to do it right, or we weren’t doing it at all. We weren’t going to let it become shameless marketing or pointless fluff. And we’ve stuck to that,” said Hylender.
Though he is the only veteran of the original DBIR still at Verizon, Hylender dismisses the suggestion that the burden of preserving the report’s voice rests on his shoulders. He said the report represents a team effort—a claim that one does not have to accept on the basis of faith alone.
Any team needs a good captain, and Pinto, the current head of the DBIR, has the exact pedigree any individual invested in the success of the DBIR would hope for. Before he joined Verizon, Pinto won the 2014 edition of the cover hunt.