Security Predictions - Dumb or Priceless? A closer look

Security Predictions

Dumb or Priceless? A closer look

Stefan Friedli
by Stefan Friedli
time to read: 8 minutes

Keypoints

This is how you deal with predictions

  • Humans wanted to know the future for a very long time now. It's a compelling ability granting us unique advantages
  • Especially in information security, where dealing with risk is so crucial, making predictions is a natural thing
  • The quality of predictions varies greatly, but even the best predictions are irrelevant when individual requirements and circumstances are not factored in.

Predicting the future has fascinated humans for a very long time. Knowing what is ahead is compelling and our minds tend to get excited about the vast array of possibilities. Knowing next week’s lottery numbers, for example, would be a quite profitable way to harness this ability. A substantial part of the time-travel fantasy trope is based on the ability to know, and potentially change, the future that seems very much set in stone.

One of the many aspects of knowing the future is the prospect of being able to deal with risks in a much more prepared and organized way. Had we known that the Swiss railway system would deal with significant outages in the Berne area this summer and when exactly these would occur, many of us could have prepared accordingly and saved substantial amounts of time and avoided quite a bit of discomfort. However, as platforms full of waiting passengers illustrated quite well, that is not how unexpected events work.

This example does, however, illustrate quite well, why predictions in the space of information security are popular and have become a staple of magazines and blogs across the globe. In fact, our very own Marc Ruef will post the predictions our very own research team has developed over the past weeks just next week. But of course the infosec community is eager to know the future. One of the core assignments a CISO has to manage, is to deal with emerging risks and threats. Preferably before they hit. A delicate task, to say the very least.

Predictions: Caveat Emptor

Having established that addressing future challenges is a part of the many responsibilities we bear as information security professionals, it is easy to see why predictions are popular. But we should also address the way these predictions are established.

Much like the weather forecast, predictions in the information security space can be created on a sliding scale from “somewhat hard science” to “pure folklore”. It is unfortunately not rare for major publications to publish somewhat random Buzzfeed-esque listicles that provide little to no value, rehash old buzzwords and try to give a new spin to very old issues. Sometimes, generic advice is thrown as sort of a “call to action” to create the illusion of additional value that is, more often than not, inexistent.

As an example, Dark Reading recently published their CISO Resolutions for 2019. To be fair, the article is not labelled as a prediction as much as it is marketed as a whimsical “to-do list for security leaders”, but it does essentially boil down to the same concept.

Deconstructing Predictions and Resolutions

It is easy to be a critic and to tear apart the six resolutions formulated in these slides. But instead, let’s go through these points critically, but constructive, and see what we can gain.

What we can learn from other people’s predictions

So quite evidently, there is quite a bit to talk about even with those fairly broad and basic predictions. In order to gain anything from any predictions made by a 3rd party, there is a need of reflection and adaptation to the unique circumstances of the environment the reader is involved with. Blanket statements such as “we need to focus on container security” do not create value, but distract from the real challenges ahead. But with these caveats in mind, predictions can be a good starting point to strategize, reflect and see where your priorities should lay in the upcoming months of the new year.

About the Author

Stefan Friedli

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.

Links

General Data Protection Regulation GDPR is a Challenge?

Our experts will get in contact with you!

×
I want a "Red Teaming"

I want a "Red Teaming"

Michael Schneider

Human and AI

Human and AI

Marisa Tschopp

Vehicle forensics

Vehicle forensics

Michèle Trebo

Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here