Yes. The World Needs More Security Predictions

Wednesday, February 17, 2016

Dan Lohrmann


These days, predictions seem to be almost as popular as New Year’s resolutions.

There were many hot topics that got plenty of predictions over the recent holiday season, including the ongoing battles against terrorists and who should win the college football bowl games.

Of course, since this is an election year here in the US, there was (and continues to be) plenty of discussion on who will be named the Democrat and Republican nominees for the office of the President of the United States.

Even now, we are hearing predictions about whether or not President Obama will nominate a candidate to replace Supreme Court Justice Antonin Scalia, who passed away suddenly on February 13. 

However, if you think only experts are out there sharing their viewpoints, just take a look around you.

Over the holidays, you only needed to flip through a few cable channels to hear analysis on how current events will impact the year to come. From influential prognosticators, to the man on the street who traveled to New York to see the ball drop on New Year’s Eve, everyone is ready to offer their views on what this year will bring us.

Not surprisingly, cybersecurity was one of the biggest concerns. With the surging growth in cyberspace, new technologies, Wi-Fi, apps, robots, drones, terrorists with social media accounts, the Internet of Things (IoT) and nation-state hacking, online data security has become the Achilles’ heel of the Internet. A growing number of people want to know about new apps available for their smartphones and their data in the cloud – along with the upcoming security implications.

We Need More Security Predictions

At Security Mentor, we are always monitoring and keeping our fingers on the pulse of the security prediction market. For more than a decade, I personally have been participating in this discussion and there is no doubt the breadth and depth of security predictions continues to grow. For reference, I chronicled a large number of recent security industry and media cybersecurity predictions into this summary blog: The Top 16 Security Predictions for 2016.

While some of these predicted security events have already happened, we need to keep in mind that the “thought leaders” who make some of these predictions often forecast that smaller incidents will happen on a broader scale. For example, a power outage caused by hacking that affects a few houses is certainly different from an entire region losing power from hacking.

So, are all of these predictions a good thing? Or are they bad for us?

Let me be perfectly clear about this: I believe more security predictions can be a good thing, if you know why this trend is happening and how to benefit from the research, analysis and insights from others.

Why more security predictions?

1) I think this security prediction trend both reflects and affects society. It is a sign of security industry growth, maturity and future prospects of the cybersecurity industry as a whole.

More cyber predictions are a sign that many more people in professional technology fields, as well as non-technical readers and end users, are interested in the suite of topics I listed above. They care more about cybersecurity, data breaches, technology and the growing IoT market – even if they don’t use those words.

Advice: Go with it, whether you like it or not. The security industry did not invent this global train that predicts the future, and we are far from the lead engine. In fact, we are closer to the caboose, but get on board the train before it leaves the station. People have been making predictions for thousands of years, and it’s not going away anytime soon. 

This trend also affects society in that security budgets, government legislation, company priorities and more are impacted by societal opinions. Better security can result if the majority is well-informed about risks and security trends and demands action on the privacy of data. 

2) Online and offline life are merging as never before. With technology affecting more areas of life and crossing multiple domains, security predictions are bleeding into other areas of interest, and other areas of interest are bleeding into security. For example, national defense now includes the cyber domain, along with air, water, sea, sky and land. Therefore, defense predictions will include cyber components. Other areas, like transportation and healthcare, are similarly affected.

But are security predictions really “Hocus-pocus?” My daughter, who is an elementary education major in college, brought up an interesting point when discussing this topic. She said that the scientific method begins and ends with hypothesis. Even children learn by making educated guesses, even if the guess is wrong. Teachers encourage predictions in all subject areas as the students must understand a topic to be able to predict what is next.

But what about “dumb predictions” by the masses? How about unqualified ideas that just waste our time? Don’t we need better quality predictions from a select few?

Answer: no. We all can learn this way.

Besides, the experts are not always right, as we know from practical experience in sporting upsets that no expert predicts or huge snowstorms that hit, despite meteorologist predictions that say it won’t happen.

There are certainly times when we need a child to say, “The emperor has no clothes!”

3) More people, companies, media outlets and others are trying to define themselves as your “trusted adviser” within security. They want to be recognized as the top experts.

This requires that we dig deeper into the best sources – look beyond specific dates to trends, analysis and signals to watch out for. Of course, as consumers of predictions, we need to make educated decisions about who offers the best advice, insights, trends and predictions. We should hold experts accountable.

Just as those who do a good job of predicting economic trends and stock and bond prices are listened to closely the next year, I expect a closer look at who is making what security predictions in the coming years. 2015 saw incidents that involved hacked or insecure devices, ranging from baby monitors and smart TVs to connected cars. Even as users have increasingly become aware of the security risks of connecting appliances and devices to the Internet, the public interest in “smartifying” just about everything will continue to peak.

Smart-connected home device shipments are projected to grow at a compound annual rate of 67% in the next five years, and are expected to hit almost 2 billion units shipped in 2019, faster than the growth of smartphones and tablet devices. Given the diversity of operating systems and lack of regulation for these smart devices, there are still no signs of a possible large-scale hacking attack. Wi-Fi and Bluetooth networks, however, will become polluted and clogged as devices fight for connections. This will, in turn, cause mission-critical tasks to suffer.

However, the likelihood that a failure in consumer-grade smart devices will result in physical harm is greater. As more drones encroach on public air space for various missions, more devices are used for healthcare-related services, and more home and business appliances rely on an Internet connection to operate, the more likely we will see an incident involving a device malfunction, a hack, or a misuse that will trigger conversation on creating regulations on device production and usage.

How Can You Benefit From Security Predictions?

1) Gain industry knowledge, understand overall trends and expand your horizons beyond one stovepipe or topic. Security predictions help you understand industry trends and help you grow in your knowledge – if you do your homework and read the supporting research that usually comes from major vendors.

Remember that the actual date the event happens is less important than trends, patterns and even repetition of an item. Sure, these people or vendors are predicting that it will happen in 2016. It could certainly be 2017 or 2018. But the trend is still valid – especially if many top vendors predict the same thing.

Meanwhile, we reward those who make unique predictions that no one else thought of if they come true. So don’t always penalize bad predictions, since no one is perfect.

2) Use the free advice, direction, insights and annual reports provided by many.

Are some of these predictions just marketing? Sure. But a lot of it is very good analysis of where we have been and where we are going.

And this has been going on for years.

Gartner, Forrester and many other services typically charge for the advice and predictions that many top vendors give away for free in their annual prediction reports. I am not saying you should not use those services for expert advice, if you like what they offer, but understand that there is value in many of these free annual reports from companies like FireEye, Symantec, McAfee, Websense, Sophos and others.

3) Use predictions as an opportunity to educate others. Get the word out on cybersecurity – whether that is to your company, your family or your community group. Are you bringing problems or solutions? We claim we want to educate end users on cybersecurity, so educate!

Or, why not offer your own predictions? Join the party, after you do your homework.

Here’s an area where I think we can all agree. Even if you think most annual security predictions are lemons, turn them into lemonade! Make the most out of the situation.

What’s Next?

Here’s a prediction for you: We’ll see even more security predictions next December 2016 (looking towards 2017). Some predictions will be good, some not so good. Some general and some very specific. Some irrelevant. Some (who knows what).

And guess what? Not all the industry thought leaders will be right, and not all of the wannabe novices will be wrong with their predictions.

But isn’t that the truth about most areas of life? The Internet is giving us more voices, and we need to learn who we really trust and turn to. Who will we listen to moving forward?

Bottom line, the more the security and technology industries grow, the more predictions we will have. From the Internet of Things, to new technologies to robots to self-driving cars, do you really think we will be talking about security and privacy less in 2020? I don’t. 

Congratulations, security industry, and welcome to center ring in this three-ring circus. Yes, it is a very big circus, but that’s where all the action is.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.