How To Be An Informed Skeptic About Security Predictions
It doesn’t take a wily prediction to see that the cycles of tech procurement and planning are increasingly compressed. In enterprise IT, the two largest forces at play are business changes and technology changes. These two major forces are somewhat independent; a lot of tech change happened during the last economic downturn, and in fact the best predictions during that period involved using tech to navigate the downturn. So watching and understanding both large forces matter.
Security predictions however have both those large forces (business and tech), and the added third large force of The Threat. It’s a common misconception that security predictions are only about threat. Security predictions need to watch tech trends because security doesn’t exist in a vacuum: Security is applied to technology and if tech changes, so too must security. How the business will change is a unique lens for security: remote workforces, new payment methods, cloud adoption, open banking standards, and new regulations are examples of how business changes drove security in new directions. And the third major force of threat trends is the special territory of security and is linked to the other two forces.
Security predictions aren’t just headline fodder. Successful enterprise security leaders do look to the future – as they must. But, they are highly skeptical of the majority of security predictions, because most of the predictions are weak. Leaders latch onto those few meaningful predictions as rudders for moving their security organizations forward.
So what makes for a good security prediction? Here’s the characteristics:
Near-Term But Not Long Term
Predictions of security in the far future are fun but not useful. The slice of time for utility in security predictions has a near term wall of about 6 months – this is the reality of procurement actions, and of how long it takes to move the tiller to meaningful change.
A next-day prediction is also cool, but it is either a tactical observation or not something that action can be taken based on. And the far wall I believe is 12-24 months. Anything longer term is likely jetpacks and flying cars given how much can change in business, tech or the threat. I can’t recall a meaningful recent prediction that wasn’t within this 6-24 months window.
Likelihood and Geography
No prediction is a sure thing, otherwise it is a fact. How likely is it that the prediction will occur? Even a prediction with a very low likelihood is useful, intimating that the event is unlikely to occur and therefore action likely need not be taken, or at least not in great proportion. The weakest predictions are those that are so watered down in specifics because of weak analysis combined with doubt. “A Bad Thing Will Happen Next Year” is never wrong, and never helpful.
Geography is helpful. Not all threats, business trends or tech adoptions are global, or at least not proportioned equally across the globe. Some great security predictions have watched trends develop in one region and extended the analysis to assess whether the trend would or wouldn’t expand to other regions.
Actionable Is Everything
Information is only useful if it can be acted upon. The timeliness window mentioned above touches on the keystone of security predictions: actionability. In addition to being within that golden time window, a prediction must have give rise to something that can be done, something concrete. A great number of bad predictions are concerning threat trends. Changes in some aspect of the threat landscape that don’t actually give rise to some action you can take are pointless commentary. One long running security predictions joke is “Next Year Will Be the Year of PKI” and the prediction is repeated every year.
Beware The Self-Serving Prediction
“The threat our product counters will increase 1000-fold.” Hmmm. Vendor predictions should not be automatically accepted or discounted any more than other predictions; however, there is an added onus on vendor predictions to explain what they base the prediction on. Predictions from vendors must show their work. But, if it is not explained carefully or is too generic it should be filed under “marketing” rather than “prediction.” As some vendors have large threat research teams and very large numbers of customers, predictions based on that unique data can be highly useful, sometimes more useful than predictions from disinterested third parties who don’t have that pool of data to base it upon. Predictions made in that kind of vacuum of data or deployment reality are usually quickly dismissed by enterprises who live in that reality daily.
Water Is Wet, And the “So What?” Filter
“Threats will happen next year” is a Captain Obvious prediction of no use. Too many security predictions are of the “threats are bad,” and “attacks will happen” category. This falls afoul of the Actionable test, but it also a sign of lazy thinking. These “Unpredictions” often have a kernel of high use and actionability that only takes some work to uncover. I call this the “So What Filter.” When there isn’t anything highly actionable in the assertion, I keep asking “So What?” until what goes through the filter has meaning.
For example. Last year one data set showed threats on the increase. So What? The majority of the increase was Cryptomining. OK, slightly interesting, but So What? Ransomware was on the decline for that quarter, but increased next quarter while Cryptomining took a relative dip. Ahhhh… So What? The cause of that event was that Bitcoin-to-dollar exchange took a dip, meaning Cryptomining is less popular when it is less profitable based on that exchange. We’re getting there… So What? Cryptomining increases at the expense of Ransomware when Bitcoin rates are high, as ransoms can set their own price. Bingo. Action can be taken on this, including having a new security metric to watch – Bitcoin exchange rates.
Bottom Line
Don’t discount all security predictions, and be an informed consumer of those you adopt as part of your planning. Security predictions can be very powerful in demonstrating to management and the business why your security plan is structured in a certain way, and to justify either the investments or the absence of investment. The three major forces change, so your attachment to trends and predictions must be frequently adjusted.
Read More HERE