TRANSCRIPT
Gary: Content is king, or so they say. I’ve seen so many tech companies that love their products and their technology so much that they create tons of content demonstrating all the things their products can do.
The thing is, nobody cares what your products do. They care what your products do for them.
Product content that succeeds tells the listener, the viewer, the reader why the product matters to me. It tells me why I will be better as a result of using it. It tells me how the product will solve my problems long before it tells me what its features are.
Companies I’ve worked with often create thought leadership content as a way to demonstrate credibility in the spaces in which they operate. They’ll use this content to generate awareness of the company in their brand and demand generation campaigns, not discussing product at all, but rather sharing their knowledge of the challenges that the product resolves. I found huge success in generating data driven thought leadership content that not only demonstrates subject matter expertise, but that leverages proprietary content collected in the course of customer’s usage of the product to showcase industry trends.
While not being explicitly salesy, these assets, and the derivative content generated from them, serve to empower the customer facing people in a go to market organization to tell a story whose problem their product solves. It’s a thrill for me to be joined in this podcast by two distinguished veterans in data driven content creation.
We’ve collaborated on three data driven reports, Veracode’s State of Software Security, and we’ll dive into their experience creating compelling content for their clients’ audience.
Wade Baker and Jay Jacobs, of the data driven cybersecurity research firm Cyentia Institute.
2:29
Gary: Gents, thanks for joining me today. Could you tell us a little bit about yourselves and about Cyentia Institute?
Wade: Absolutely. I’ll jump on that one. Wade Baker. So Cyentia Institute’s a data science and research firm. We work a lot with organizations, mainly vendors, to analyze their data sets. Usually these data sets are collected by whatever product or service that they’re offering.
And our job is to find interesting nuggets. What kind of insights do their audiences want to know from that data? It’s not a salesy thing. I want to caveat that, you know, we never talk about products or do any kind of sales in the content that we write. But what we’re trying to do is, all right, this is a data set that is probably very difficult for any single organization to acquire.
You know, because we work with some vendors that have hundreds of customers and years of data.
What can that tell you about how to manage security better and what kind of valuable insights can we provide? And we’re usually writing some report or multiple reports, lots of other derivative content and things like that. But that’s what Cyentia Institute does.
I’m a little bit more on the writing and data storytelling side. And Jay is a master data scientist, so I’ll let you take it from there.
3:51
Jay: Yeah, I don’t know what I can add to that. I think you’ve covered pretty much everything. And I think Wade is a little bit underselling his contribution to the whole thing, because that storytelling becomes such a key ingredient and such a driver for the data analysis and visualizations that we end up producing.
Gary: Wade, I think you were the person that wrote the first Verizon data breach investigation report, and that that was released in 2008. What were you thinking?
Wade: Well, that was a fun time. Just to give other people credit, there were three original authors: me, Andrew Valentine, who was a forensic investigator at the time, and then David Hylender, who still leads the Verizon Data Breach Report.
So he’s like the legacy member of that team. So the three of us wrote it. To be fair, it was my original idea. And I got the idea. Honestly, I was doing a lot of risk assessment. Cyber risk assessment at the time, as part of Cyber Trust, this was pre Verizon in those days. And I was listening to Bryan Sartin, who at that time ran the investigative, response, IR services, external facing at Cyber Trust. And he was telling stories, you know, he was well, we did this one investigation and this happened and then these things, and now we’re seeing an upswing and this kind of activity and all of that.
And I was just fascinated and thinking, you know, this is the kind of data that I have wanted for so long in doing risk assessments. How can I get this? And I went up and talked to him afterward and I said, you know, do you think it would be possible that I could go through, like your case reports or whatever it is, where your data is after all of these investigations, and extract bits of useful information and analyze it.
At that point, we of course, were not thinking, oh, we’re going to create this report that, you know, spans 15 years. And, you know, everybody reads it and stuff. I was just thinking interesting data. And so we did it. And then, you know, we had five years of data at the time. We published that first one and Verizon bought Cyber Trust, you know, before it was published, I think we had already begun analysis.
It just had such interesting findings that we decided to publish that report.
Gary: What were the goals? You know, the objectives. Was it just here’s some great data we can talk about? Or beyond that, what were you looking to achieve with the report?
Wade: So, there were multiple goals.
I think the DBIR team had the goal of putting excellent quality, credible information out there for decision makers and security practitioners.
And that was a driving goal from Verizon’s case. I mean, I got to give them credit. You know, they initially weren’t all that interested. Once that thing went out, I used to do some tests and, you know, the DBIR was related to some, you know, 80, 90%, search traffic and hits for Verizon and security. I mean, at that time, nobody really knew that Verizon did anything in security.
That’s your phone company, right? Why are they doing this report on security? But it was huge for them. And they recognized that and then invested. And we grew the team and had resources to be able to produce it and sustain that. And so from their perspective, they embraced the fact that it was an excellent piece of collateral for them and opened conversations for marketing and sales.
We got to know those teams. And, and so for them, that was their goal is, hey, let’s, let’s, let’s use this for thought leadership and demonstrate that Verizon is a player in the cybersecurity world.
Jay: And I want to add to that Wade, because there’s another element there that I think you glossed over a little bit, but I know you and I have talked about, but there’s an element of curiosity.
And basically, like we produced what we were curious about understanding. And I think that really showed because, like, we weren’t just trying to create something that’ll get clicks. We weren’t trying to create something that’ll get sales meeting set up. Like we were trying to create an answer to a question that we ourselves had and like, wait, I came from risk analysis and trying to understand how do we put in the right security controls?
What are they? How much do we put it in? And we had all of these questions about like, hey, do we prefer internal versus external threat attacks?
And we were just curious. And I think that that curiosity really helped drive what we looked at and what the stories that we found in the data, in the stories we told in the reports.
08:38
Gary: It’s really interesting. It reminds me of a comment I heard at RSA last year from Chris Wysopal, who talked about the hacker mentality. The hacker mentality is wanting to understand how things work. And you mentioned Wade that you got like 15 years of data. Now, how do you keep it from being the same old, same old as you go into each successive iteration of, of this or any other similar report?
Wade: Well, we were always able to study something new because we had new data and new contributors and new perspectives coming in. Having said that, there’s still, how do we study something new? And we just I mean, we had a table event, whole team, every single year. And we were like, what are we going to do this time?
You know, we don’t. We did that last time. What are people going to find really cool? And sometimes we pegged that off. Hey we got this question a bunch after the last one. Let’s take it up.
Jay, do you remember I remember is the new being always a conversation.
Jay: Yeah. And part of that like you mentioned in that annual discussion where we sit around the table, we actually came armed with visuals, you know, like we didn’t just sit around and be like, what do you want to talk about?
Wade: It was like we had a bunch of analysis on the data done by that meeting, and we were looking at, you know, exploratory analysis of the data and sometimes like to your point Wade we would be answering questions that came up last time or during the year, you know, we’d have eureka moments in the shower that we’d quickly write down and be like, oh, I want to look at this.
Jay: You know, that’s how the patterns came out in the breach data was like, oh, I bet they’re patterns. How do we find them? And I think we spent a couple of months in the fall of that year trying to find these patterns. But we would go, we’re going to these meetings with a whole lot of things that hopefully would just be little triggers for eureka moments as we’re talking around the table and just that interaction too, you know, like the interaction of someone saying, what if blah, and someone goes that makes me think of this, you know? And so we’d have that sort of creativity bubble come up with things.
Wade: And if I could just add one other, one other thing, I mean, fast forwarding to the present, leaving the DBIR, were Gary, have we done three, State of Software Security with you?
10:50
Gary: We worked. I mean, I worked with you guys on three of them, I think Veracode’s done about 14.
Wade: Yeah, 14 or 15 and I think we’ve worked on six or something with Veracode. So you know, that one is a long running report.
Once they get successful, it does get to be a challenge to say, hey, what’s going to be new? What are we going to focus on? Why are people going to read this one? And we had those conversations with you. You know, where we sit around and everybody has ideas.
Gary: Yeah. We had that this past year.
Right. And I think, in years prior we focused a lot on, remediation on scanning and best practices amongst those people who were users. But for this past one, I think we had that issue, which is how do we make this report something different? And one of the things that I learned in other companies had been in which, I’d worked in the e-commerce fraud protection space and we did a report about what were fraudsters doing right at any given time.
We had the advantage there that fraudsters were always trying different things. So every year the report focused on what was happening.
Wade: It’s convenient when there is.
Gary: So the fraudsters were always doing different things and we got to report about what we had seen from their activities. But one of the things I learned is I couldn’t walk up to a data scientist and say, what does the data tell us?
Because their response was, well, you need to have a question and we can tell you whether the data answers that question. And how did we approach that in the most recent Veracode report? Because I know, you know, in the end, we took a very different tack to where we had been in prior reports, and I thought there was an incredibly valuable and excellent report this past year.
Jay: Yeah. So I think the interesting thing is we often do a lot of exploratory analysis. That’s always one of our first steps. And sometimes, you know, like if we talk about the process that we go through, there’s actually probably ten different processes that we go through, depending on where we’re starting from. So sometimes we do have a research question.
Right? And we say, hey, we want to know. Or do developers react this way in large applications and large companies versus smaller, you know, do we see that being a factor? You know, those types of research questions? We may start with those, but sometimes we’re starting with a chunk of data and someone’s like “write a report.” And so we’ll do anyway.
We do an exploratory analysis. And part of the reason is to build our intuition about the data, but also just to see what questions pop out, you know, like maybe we’re looking at remediation time and we’ve got another variable about to have they built it into their API as a part of their CI/CD pipeline. And so we want to look at what is the effect.
And we found that because we’re looking at the data and we saw that, hey, there’s you know we see remediation efforts. And then over here we have this other data about API usage. Let’s bring those together and see what happens. You know, and a lot of it is just that exploratory. Let’s throw the spaghetti against the wall and see what sticks.
You know, and so there’s a lot of that sort of trial and error early on that may help generate some of those stories.
Gary: And then I’m sure you work with other vendors like Veracode, who have products that they want to sell, and they want to use the report as a way to build both brand awareness, but give their salespeople a story that they can tell around the data.
How do you pull that together without making it a product driven report?
Wade: It’s a balance. You know, this is one of our sort of challenges as a company, because on the one hand, we’re doing real analysis and research and trying to develop understanding. On the other hand, I’ll just be frank about it. You know, marketing is paying the bills and they have some goal in mind for that piece of content.
And, you know, we like to say that these don’t have to be in contention. They’re definitely sort of tugging in different directions. But generally we’ve been able to get them going on the same path. And sometimes it requires us spending time with, with marketing and sales, you know, to coach them on. All right. Let’s talk through these findings.
Let’s, let’s, you know, present them in different ways. You know, let’s have a section in the report that is highly analytical and maybe hard to sell from. But then let’s make sure we have at least some places in there. That’s, that’s that you can really take and, and use for, for your purposes that really put on display. You know, whatever the value proposition is.
And, and, you know, there’s all kinds of ways that we try to do that. One is data visualization. Jay is wonderful with that. And trying to get something that kind of tells a story another way is the way we write reports, like we tend to write them in an engaging manner to make them fun to read is another way that I think you can kind of pull people in and equip them to go and tell that story rather than just be like, this, is that and read the chart.
Move on. You know that that doesn’t equip people to go out there and really own that material and talk about it.
16:01
Gary: Yeah, I mean, you did a great job in the reports that I’ve worked with you guys on with, you know, you’re going to tell us, here’s the questions we think we can answer. You’re going to walk us through the answers and then talk about what are the key takeaways and what are the best practices and how should how can the reader take advantage of this.
And again, it’s without being product specific, but it largely aligns with the vendor’s objectives. And I think we did a great job of that in the most recent report that was released at the beginning of this year. And I think you’re spot on, Wade, on the data visualization because, Jay, when you shared the visualization that became the basis of the report, my eyes went really, really wide.
And I was like, oh my God, here’s the story that we have to tell. And can you shed some light on that for our viewers?
Jay: Absolutely. Yeah. So the key thing to think about when we’re creating visualizations, we try to balance three things. And this is actually was codified on a site called Junk Charts.
And it’s called the Trifecta Checkup. And basically at the top of these three triangle corners, you’ve got what is the research question. Right. And that’s important. Like if you get an engaging research question, you’re already 80% of the way there. And then the next question is what does the data say? And so that’s where statistics and data analysis comes into play.
You want to be able to oftentimes data is mumbling and slurring and like it’s not telling a perfect picture. So you really need to get in and understand what is that data actually saying. But that third part is what does the visualization say? And you want all three of these to line up. You want the visualization to match what the data is saying.
You want both of those to match up to the research question. You want all of that to align. And then the other thing with visualization, there’s so many different intricacies and the way that the human brain processes information. The quickest path to processing information is visual. You can absorb so much material visually. And so trying to create, you know, finding these stories in the data and then looking at that and saying, how do I best put this into a visualization that is going to answer that question kind of represent what’s in the data.
And I think we really nailed it on the particular one you’re talking about. Gary.
Gary: Yeah, that was awesome. And it really shifted the way that we thought about time to remediate and, and mechanisms that people were using to scan because it was a completely we took the topic in a very different direction, which is how are people allowing security debt to build up, and then how should they address that?
What guidance would you give vendors that they should keep in mind when they start the process of ideation for such a report?
Wade: So first of all, I’ll start even before that. I am biased, of course, but my almost exclusive and universal experience has been that the audience that we care about, security practitioners vastly prefer data driven reports and research to other stuff.
So, you know, I think the fact that you want to do this and you’re undertaking this endeavor is a good one. Security people are skeptical and it’s hard to get them to believe. But if you show them the data and they think you’re treating it well and actually, you know, walking them through it and providing valuable findings, you earn their respect and, you know, kind of win hearts and minds is what I always try to say we’re doing.
So, you know, it’s the right goal. You know, once you start down that process, I think a lot of people wonder, all right, where do we start? You know, and that question is partially I mean, hey, you’re doing a data driven report. So what data do you have, you know, is one of the key ingredients.
And we sometimes will show customers as we’re talking through things in this Venn diagram. And one is what data do you have. What does your audience want to know? And kind of where do you have expertise. And, and then you kind of can think where, where are your, where are your competitors doing these things?
And if you can kind of imagine there’s over there’s sometimes where your data overlaps significantly with your competitors. And so you that’s a different approach. Then if you’ve got very unique data that no one else has. Right. And so I think doing that sort of assessment in the beginning will help you find, because the ideal is there’s some, some place where the industry has these burning questions that your data can help address.
And there’s some subset of those questions that your competitors’ data can’t answer well. And you have expertise. And that’s what you want to target. Like whatever that little area is. You can own that space in terms of really developing thought leadership, you know. And so targeting that and figuring out what that is, is challenging. But it’s critically important.
21:20
Gary: What kind of feedback do you get? I imagine you’re talking about what the practitioners want. I would expect the feedback that you get is this is what we want. This is awesome for whomever you write the reports.
Wade: Yeah, we try to monitor what people are saying. I kind of miss the days when people did a little bit more, blogging and other things about, about stuff.
But we do monitor for that because we want to know, hey, is this useful? Is this interesting? Do you have questions? I’m even interested in when people, you know, argue. Oh, this is a ridiculous finding because at least they’re reading it and engaging with it. And that’s a place where we can jump in.
And over half the time, it turns out, you know, there was a misunderstanding and they become fans just by engaging and kind of walking through and not being, well, you’re dumb, you know that that kind of response that’s not going to help anybody.
Gary: I remember back the first Veracode State of Software Security report that I worked on with you guys.
When it came out, we got an email from one of the analysts, I think it was from IDC, who said that he looked forward to receiving these reports like he used to look forward to getting the Sears catalog when he was a kid. And then do you interact within the analysts and the media on your reports as well?
And what kind of questions did they ask that might be different than what the practitioners ask?
Wade: Both of those camps, by the way, are our groups that we try to appeal to. So yeah, one audience is definitely security practitioners. Analysts. We’ve developed excellent relationships through research, with analysts and even better, like several of our customers will get us on the, you know, joint call with them as they’re talking to whoever their analyst is in their space.
And, we’ll go through that with them. And I love that because they start incorporating that material. You know, if we find interesting stuff that helps them out, then you’ll see that again when they write. And it’s proven effective for both the vendor that we’re working with. But just I think the community in general. The analyst.
Media, you know, Jay and I used to joke about, you know, what’s new is the, you know, the media are always looking for a story. So with them, I, you know, I usually just ask the question, hey, what do you what are you writing these days? You know, is there any particular angle you’re looking for?
Anything. And I just sort of think through the findings and say we have something, you know, let’s focus on that first.
Jay: To add to that, I think it’s, you use the word angle when it came to the media. And I think that’s a very apt way to describe what they’re always looking for. They’re always looking for that one angle.
They don’t really want to talk about the threat landscape as a whole. They want the one little nugget that will create that headline that people click on.
There are some reporters that will do more in-depth things, but typically those are the people that we get to know. And actually when they go on from to other things or whatever like that, they keep in touch. So but pretty much the reporters want an angle.
24:26
Gary: And it’s the right approach? And, you know, a little lesson here for some of the vendors who are watching this. You know, I love the you start by asking them a question, what are you writing about these days as opposed to just pitching? Here’s what I want you to know.
Yeah. And by doing that, you’re going to get their interest. You’re going to answer their question, and then they’re going to publish what you want them to talk about. Right. It’s putting it in their point of view. I think that’s so important for any kind of content is think about the reader, not about what we want to achieve.
Jay: Right. Indeed.
Gary: Okay, so now I’m at the place where I put you all on the spot. I like three takeaways. What are the best practices that our viewers should consider when they’re going down the path of creating a data driven report?
Jay: I think one of the key things is don’t go in with a product mentality.
You do want to focus on that thought leadership. You do want to focus on what, you know, like what you said in the introduction about you don’t really want to focus on the product. You want to focus on the solution.
And you really want to focus on what is going to help the end user. And that’s what this research is going to do as well.
It’s going to focus on, you know, what are the actual things that someone is going to care about and I guarantee they don’t care about your product. They care about the solution that your product offers. And so that I think is one of the first takeaways to go after is to, to just shift that mentality from, we’re not here to push a product, we’re here to push our thought leadership, to push our expertise.
And that expertise is going to be in the data.
Wade: I’ll add another takeaway. Find a champion to lead this research for you. Whether that’s internal or external. But you really need someone who is passionate about it, can own it and really drive it forward. And make it excellent because it’s very difficult to do this kind of work, you know, with 10% of your time, for someone who doesn’t really care about it, like that’s it’d be nice, but, you know, it’s you got to find that champion.
So, figuring out who that is is going to be important.
Jay: Yeah. And for a third one to add to that, as your as people think about this, if they’ve never done this type of research before, you’re already underestimating what it takes. As Wade said, you need that champion because this is a rather detailed process. You could go in and grab a security person from your team and have them look at the data and try to produce something in Excel.
And you, you know, you’re pasting some things in there and you get that quality. But if you really want to speak with integrity, speak like you know what’s in the data, you’ve got a research question and the visuals line all those up. Then you need to really invest some time and energy and have that leader and be prepared to put the time in, because it does take a lot of research and a lot of storytelling goes into this.
Gary: And when done well, the results really show up, right? Because the report itself, you build a brand for the report, you know, and come back to the Verizon Data Breach Investigation Report. It’s its own thing. And it’s. Yeah. And that’s pretty awesome to be a part of that, to have created that. And the value that people take from it, you know, as it continues to go on.
Wade Baker, Jay Jacobs of Cyentia Institute, thank you so much for joining me on this podcast. It’s really important and it’s really valuable, to create thought leadership that, that’s not product focused, that just delivers value for the readers and takeaways for them that enables them to move forward and put great into their businesses.
So for those of you watching, please subscribe to the podcast What Great Looks Like on YouTube and on Spotify. Like, comment, share and tune in for the next episode where we’ll talk about how Demand Gen and how marketing practitioners can work with this kind of content and leverage it to grow their businesses and just add that greatness into the work that they’re doing.
So thanks very much, guys. And, until next time, everybody.
SPEAKERS
Gary Schwartz
Wade Baker
Jay Jacobs
Data-Driven Content
In this episode of What Great Looks Like, I’m joined by Wade Baker and Jay Jacobs of Cyentia Institute, an organization that performs data-driven cybersecurity research, to discuss the value that data-driven content can provide to your brand awareness and to your demand generation program.
Wade and Jay have a long background in this research, and in fact they were among the original authors of the first Verizon Data Breach Investigation Report (DBIR), written in 2008.
I had the pleasure of collaborating with Wade, Jay and the Cyentia team to produce three consecutive Veracode State of Software Security (SoSS) Reports, delivering content that was eagerly anticipated by analysts and media alike, as well as to our customer base. The SoSS reports were the largest generators of new business pipeline during the time I was at Veracode, and they contributed tremendously to the understanding of how companies prioritize the remediation of security flaws in their code, and how security flaws accumulate over time to create critical security debt that, if not pared down, adds significant risk to enterprises.
In this podcast episode, Wade and Jay share with us the thinking behind the creation of such reports, and they take us behind the curtain as they describe the genesis of the renowned Verizon DBIR report. They emphasize the importance of writing these reports in a product-agnostic way, while understanding that companies do write them to generate interest in their products and services.
In the What Great Looks Like podcast series we talk to leaders who exhibit the best practices that create an efficient and effective GTM (go-to-market) organization that’s collaborative, and who maximize Sales Velocity for their businesses.
Subscribe to the “What Great Looks Like” YouTube channel at https://youtube.com/@what-great-looks-like to get notifications when new episodes drop. Check out all of our podcasts at https://what-great-looks-like.com/blogs/.
And feel free to contact me directly at gary@what-great-looks-like.com if you’d like to learn more about ways to optimize your business’s Sales Velocity.