As much as it feels like 2021 was just 12 extra months tacked onto 2020, there are some cornerstones that I rely on to remind me that 2021 was in fact its very own distinct year. For starters, the Harry Potter and Lord of the Rings film franchises both turned 20 (2001 was a dreamboat of a year). Then there’s Britney – she’s free! That never could have happened in 2020; it was too much of a dumpster fire of a year. And finally, when I’m struggling to distinguish the past 24 months, I remember all that we at Cyentia Institute accomplished in 2021. It’s a pretty good list.
1. Our team grew by two!
I joined first and then John Sturgis followed a couple of weeks later. Needless to say, we’ve made a huge difference, and the rest of the team wakes up every day thankful that John and I said yes to the dress. John brings years of data analysis experience, a great sense of humor, and professionalism to the team. I brought this gremlins “nativity” display.
2. We published a lot of research that we’re pretty psyched about.
We continued our work with Cisco on the Security Outcomes Study with the Small and Midsize Business Edition which focuses on how SMBs compare to larger enterprises when it comes to security and what key factors contribute to successful security planning.
We were lucky enough to work with RiskRecon a couple of times this year including a collaboration on Ripples Across the Risk Surface which looks specifically at “ripple events” (multi-party security events). This second edition of the Ripples report bolsters the evidence gathered in our first analysis of not only the risks associated with third-party direct vendors and partners but also the dangers posed to the rest of the supply chain (cue Log4j). Our State of Software Security v11: Open Source Edition, in collaboration with Veracode, provides a unique perspective on the open source libraries in codebases today, how organizations are managing the security of these libraries, and best practices on using open source code securely.
This all tied in nicely with the newest addition to our Information Risk Insights Study series, IRIS Tsunami, in which we identified 50 of the largest (hence “tsunami”) multi-party cyber incidents over the past several years in an effort to understand their causes and consequences from beginning to end. We researched each event to understand who was behind it, what happened, how the after effects propagated through the supply chain, and the financial losses for all parties involved.
We also partnered with Elevate Security to publish our inaugural study on human cybersecurity risk in the workplace, Elevating Human Attack Surface Management. Not only did we highlight key lessons about measuring and managing the human attack surface, we also published our first-ever infographic which is both informative and rad. Speaking of rad, we worked with our friends over at Kenna Security to continue the Prioritization to Prediction series with volume 7, Establishing Defender Advantage. Does releasing exploit code help or harm defenders? We analyzed over 6 billion vulnerabilities affecting 13 million active assets across nearly 500 organizations in order to attack this debate from all angles.
F5 Labs not only signed on to sponsor the Cyentia Cybersecurity Research Library, they also partnered with us to publish The State of the State of Application Exploits in Security Incidents. And no, that’s not a typo. This report is a meta-analysis of several prominent industry reports, each of which covers the state of application security, and is an attempt to stitch together a more complete view of application exploits in security incidents.
And finally, we’re ending the year the way we started it – with the good folks over at Cisco. Security Outcomes Study Vol. 2 was recently published. We asked more than 5,100 IT professionals in 27 countries about their approaches to the five key drivers of cybersecurity program success, uncovered through extensive prior research. Volume 2 provides actionable, data-backed practices that can boost your security.
3. We made a couple of videos for our YouTube channel.
What’s that? You had no idea that we have a YouTube channel? Well, what are you waiting for? Get over there and hit that subscribe button.
4. We launched TWO new data services!
IRIS Risk Retina offers a customizable suite of analytical reports that provide real-world data to support cyber risk quantification. And our Exploit Intelligence Service (EIS) leverages advanced machine learning capabilities to identify and track exploits released on GitHub and other sources. The goal is to give you a prediction of the likelihood that a given GitHub repository contains an exploit, so you can cut down the manual effort of inspecting every repository, reduce your cyber risk, and protect your bottom line.
5. We’re looping back to number 1 …
… we’re growing again! But that’s an update for the new year, so stay tuned. We can’t wait to introduce you to our newest team members. Hopefully they aren’t afraid of gremlins. For now, I’ll sign off with a snapshot of the official 2021 Cyentia Institute company portrait. See you in 2022!