As my long-time readers know, I’m dedicating the rest of my professional career to promoting a data-driven computer security defense. In a nutshell, it’s about using a company’s local data from its own experiences to create a more efficient and effective computer security defense.

I’ve been strongly pushing a data-driven defense for nearly a decade, including a whitepaper, book, and multiple presentations including this one. Companies not using their own data to construct better defenses is behind the rash of easy hacking these days. It leads to inefficient and ineffective defenses, which almost certainly allow more hackers and malware to get into a company.

Despite the benefits of a data-driven defense, changing a company’s culture to adopt it is hard. The lessons I’ve learned can help ease the effort.

Expect pushback

I have been surprised by the amount of pushback I’ve received for saying that we, as an industry, should be better using our own data to drive defensive mitigations. At my last company, I was told that I would probably get fired if I didn’t stop evangelizing a data-driven defense. I had people so against the idea that I can only remember them as professional nemeses. They tried to thwart me at every idea and project.

Then one day, my data-driven defense ideas simply became a part of the culture, so well accepted that they drove nearly everything we did. I remember being in a meeting with some of the company’s executives (with my most vocal nemesis present), when the top senior executive told the group, “We need to follow Roger’s ideas about a data-driven defense more often.” It blew me away.
I knew I had finally won over the company’s culture when, a few weeks later, my nemesis introduced me to a new employee as “one of the smartest, persistent guys you’ll ever meet.”

I share this personal story to demonstrate that even within my own company I had, for years, a very hard time getting people to see the vision of a data-driven defense. If your company is not already there (and most aren’t), then it takes a fight to get everyone onboard.

This is to be expected of any paradigm shift. Paradigm shifts are never readily accepted. If they were, they would be called common sense. Paradigm shifts require that you show people the futility of the status quo and then convince them of the growing need to move to something else. Humans aren’t all that great at changing their minds about how they’ve been doing business for decades.

How to quickly sell a data-driven defense

The quickest way to describe a data-driven computer security defense is to compare it to the insurance industry. Every insurance product makes a financial bet that what people are paying to the insurance company will be more than the resulting payouts the insurance company will make for the covered scenario.

Most insurance companies are highly profitable, because they have high-paid actuaries who use data analytics to predict occurrences of covered events. A data-driven defense is simply forcing a company’s computer defenses to use more data analytics to better predict real risk and outcomes, just like the insurance company.

Data-driven defense basics

A data-driven computer security defense is more of a mindset and culture than anything else. If you’re using your own local data to better predict most likely future security events, then you’re doing it. Most companies are using it in limited doses in a few places.
I’m arguing that it should be the primary driver across most computer security defense scenarios.

A data-driven defense starts first with identifying how your company was most successfully attacked (i.e., the most damage) in the recent past and most likely will be successfully exploited in the future. Threats aren’t malware families or hacker group names, but the root causes of initial exploits (e.g., unpatched software, social engineering, misconfiguration, or password attacks). You’ll never stop a threat if you don’t stop how attackers gain footholds in your organization. Once you understand that, you’ll fear “harmless” adware just as much as a malicious backdoor Trojan if they both used the same exploit method to get in.

The top threat or threats are then communicated to everyone in the organization so they are not only aware of the top threat(s), but can assist in mitigating them. The organization then analyzes its current threat intelligence, threat detection, and mitigation, for how well they work at defeating those threats. The best mitigations are applied and then evaluated against those top threats to see how well they really do against minimizing them.

If applied correctly, a data-driven defense more efficiently minimizes initial breaches and resultant hacker activities. It does this by focusing on objectives that:

Improve data collection and analysis
Collect better threat intelligence
Improve threat detection
Focus on root causes
Improve enterprise communication and coordination
Better align mitigations to the most critical threats
Increase accountability

A common example

For many years, the most unpatched and exploited piece of software was Sun/Oracle Java. Almost every company I accessed had gobs of unpatched Java, and it was often the number one way they were exploited.
In fact, Cisco, in its Cisco 2014 Annual Security Report, indicated that unpatched Java was responsible for 91 percent of all successful web attacks for its customers. That means all other web exploits combined equaled 9 percent!

For reasons I’ll never figure out, instead of working harder to make sure they had less unpatched Java in the future, customers decided they couldn’t fix the problem because of operational concerns and focused on everything else. This was despite the fact that their own data revealed that unpatched Java was the biggest reason they were compromised, and everyone involved in the defense knew it.

So, what I did was show them that if they didn’t fix the unpatched Java problem, then even if they fixed every other computer security threat in the company, it didn’t come close to stopping nearly as much badness. Their own data showed that ignoring or accepting the unpatched Java problem was essentially the whole ball of wax concerning their computer security issues. With the data in hand, they were able to approach senior management and request more resources and authority to focus on the biggest issue in their organization. The data allowed them to push back on operational concerns and get the job done. Data provides support and clarity in an extremely uncertain and chaotic world.

Do you want to defeat hackers and malware? Use your data

I’m 51 years old and have been doing computer security for more than 30 years. I figure I’ve got about 15 years before I retire. I’ve been writing 52 columns a year on a lot of topics in this space since 2005, but regular readers see me coming back to the computer security data analytics topic again and again.
There is no better way to improve a company’s computer security defense than to spread this message until it seems like common sense to everyone.

If you’re interested in learning more about a data-driven computer security defense, join my free webinar happening March 15. I won’t be selling any products, just a paradigm shift.
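
The root-cause ranking described under "Data-driven defense basics" and the comparison made in the Java example can be run against a company's own incident records. The following is an added example, not code from the column or its author: the record fields, the damage figures, and the simplification that fixing a root cause removes all of its damage are assumptions, and the sample incidents are constructed.

```python
from collections import defaultdict

# Constructed sample incidents (not real data): what was seen, the root cause
# of the initial exploit, and an estimated damage figure in arbitrary units.
INCIDENTS = [
    {"seen": "adware bundle",    "root_cause": "unpatched software", "damage": 40},
    {"seen": "backdoor trojan",  "root_cause": "unpatched software", "damage": 300},
    {"seen": "ransomware",       "root_cause": "unpatched software", "damage": 500},
    {"seen": "credential phish", "root_cause": "social engineering", "damage": 60},
    {"seen": "open file share",  "root_cause": "misconfiguration",   "damage": 20},
    {"seen": "password spray",   "root_cause": "password attack",    "damage": 80},
]

def rank_root_causes(incidents):
    """Return [(root_cause, incident_count, damage, share_of_damage)], worst first."""
    damage = defaultdict(float)
    count = defaultdict(int)
    for rec in incidents:
        # Group by how the attacker got in, not by malware family or actor name.
        damage[rec["root_cause"]] += rec["damage"]
        count[rec["root_cause"]] += 1
    total = sum(damage.values())
    if total == 0:
        return []  # no recorded damage, nothing to rank
    ranked = sorted(damage, key=lambda c: (-damage[c], c))
    return [(c, count[c], damage[c], damage[c] / total) for c in ranked]

def compare_strategies(incidents):
    """Share of damage avoided by fixing only the top root cause versus
    fixing every other root cause (assumes a fix removes all of its damage)."""
    ranked = rank_root_causes(incidents)
    if not ranked:
        return {"top_cause": None, "fix_top_only": 0.0, "fix_all_others": 0.0}
    top_cause, _, _, top_share = ranked[0]
    return {"top_cause": top_cause,
            "fix_top_only": top_share,
            "fix_all_others": 1.0 - top_share}

if __name__ == "__main__":
    for cause, n, dmg, share in rank_root_causes(INCIDENTS):
        print(f"{cause:20s} incidents={n} damage={dmg:6.0f} share={share:5.1%}")
    print(compare_strategies(INCIDENTS))
```

In the constructed data, the adware and the backdoor Trojan land in the same bucket because they share an entry method, which is the grouping the column argues for.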