If you're going to forecast the future, go big.

Dave Lewis, Global Advisory CISO, Cisco Security

December 26, 2017

4 Min Read

It's no secret that I've long held a dim view of the security predictions that invariably bombard our feeds and social media accounts every December. In years past, I made a point to write up an article using a list of predictions from a blog post 10 years earlier. The catch here was that the list read as an indictment as opposed to a prediction. Of the list of 10 security issues, eight  remained relevant a decade after they were posted.

The practice of making predictions often brings to mind the image  of a palm reader or medium saying, "I'm seeing a security breach for a company that starts with … A … B?" This may seem a little cruel, but I can't help to draw a parallel with Alfred Hitchcock's Rear Window. The protagonist of the film — confined to his apartment in the summer heat — pieces together a crime from the bits and pieces that he sees unfolding in the apartment across the way from his rear window. This view feels familiar as we talk about security issues in bits and pieces as found in security predictions.

If you pull all of the predictions together, they start to paint a more vivid picture of the issues that security practitioners face every day. As the end of the year drew closer, I couldn't help but wonder how the palm readers fared with their 2017 proclamations, so I took a sampling of some of the lists that I could find online. They discussed a wide range of topics such as these:

  1. Ransomware will continue to be a problem.

  2. Security blame will continue as one of the least popular games.

  3. Mobile will continue to rise as a point of entry.

  4. The Internet of Things (IoT) will continue to haunt the security threat landscape.

  5. At least one major safety incident will be caused by an IT security failure that will cause injury.

It strikes me that these security predictions, by and large, are so poorly defined that they could easily be claimed to be correct with a thinly veiled argument. If someone stands on a stage and declares that "water is wet," there invariably will be someone who chin wags that yes, indeed it is.

When I look at this loose collection of five predictions, it is easy to say yes, they are indeed true, but they were all safe bets. Ransomware isn't going to suddenly disappear. The blame game is part of human nature and it will continue on as long as we have opposable thumbs.

Mobile security will rise as an entry point isn't far off correct in hindsight. When you look at the research from Akamai (full disclosure: that's my day job) and other companies on the discovery of the WireX botnet, this was a distributed denial-of-service botnet that was based on mobile devices running Android. This was a platform built out using roughly 300 compromised applications in the Google Play store and which infected thousands of customers.

The one prediction on the list that caught my eye and might have some actual substance is the last one, about a major safety incident. To be fair, the writer had said that this might happen in the next four years, granting him some serious wiggle room. Because I spent nine years working in the power systems industry, this is a fear I hold, too. There is always a danger that someone could die as a result of a power failure, for one example.

When we look at the rise of self-driving cars and similar IoT-related vehicles, there certainly is a chance that something could go horribly wrong. I don't say this to stir up fear, but we need to make sure that the companies making these products take security very seriously. There has been no shortage of reporting on vehicle security research, from distribution of firmware updates to communications, and there are many avenues that need to be addressed because of potential adversaries. This is definitely one prediction that I truly hope isn't something that comes to pass.

If people truly want to make predictions, they should make ones that cause them to put their reputations on the line. Don't make predictions that are merely safe bets. Better still, make a list of things that a company should be doing to better secure enterprises. That would have far greater value to those of us who are diligently working to defend our patch while attempting to avoid being thrown out the window by our very own Lars Thorwald.

Related Content:

About the Author(s)

Dave Lewis

Global Advisory CISO, Cisco Security

Dave Lewis is a Global Advisory CISO at Cisco Security. He has 25 years of experience in IT security operations and management including a decade dealing with critical infrastructure security. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights