Keypoints
This is how you deal with predictions
- Humans have wanted to know the future for a very long time. It is a compelling ability that grants unique advantages.
- Especially in information security, where dealing with risk is so crucial, making predictions is a natural thing to do.
- The quality of predictions varies greatly, but even the best predictions are irrelevant when individual requirements and circumstances are not factored in.
Predicting the future has fascinated humans for a very long time. Knowing what is ahead is compelling and our minds tend to get excited about the vast array of possibilities. Knowing next week’s lottery numbers, for example, would be a quite profitable way to harness this ability. A substantial part of the time-travel fantasy trope is based on the ability to know, and potentially change, the future that seems very much set in stone.
One of the many aspects of knowing the future is the prospect of being able to deal with risks in a much more prepared and organized way. Had we known that the Swiss railway system would deal with significant outages in the Berne area this summer and when exactly these would occur, many of us could have prepared accordingly and saved substantial amounts of time and avoided quite a bit of discomfort. However, as platforms full of waiting passengers illustrated quite well, that is not how unexpected events work.
This example does, however, illustrate quite well why predictions in the space of information security are popular and have become a staple of magazines and blogs across the globe. In fact, our very own Marc Ruef will post the predictions our research team has developed over the past weeks just next week. But of course the infosec community is eager to know the future. One of the core assignments a CISO has to manage is to deal with emerging risks and threats, preferably before they hit. A delicate task, to say the very least.
Predictions: Caveat Emptor
Having established that addressing future challenges is a part of the many responsibilities we bear as information security professionals, it is easy to see why predictions are popular. But we should also address the way these predictions are established.
Much like the weather forecast, predictions in the information security space can be created on a sliding scale from “somewhat hard science” to “pure folklore”. It is unfortunately not rare for major publications to publish somewhat random Buzzfeed-esque listicles that provide little to no value, rehash old buzzwords and try to give a new spin to very old issues. Sometimes, generic advice is thrown in as a sort of “call to action” to create the illusion of additional value that is, more often than not, nonexistent.
As an example, Dark Reading recently published their CISO Resolutions for 2019. To be fair, the article is not labelled as a prediction as much as it is marketed as a whimsical “to-do list for security leaders”, but it does essentially boil down to the same concept.
Deconstructing Predictions and Resolutions
It is easy to be a critic and to tear apart the six resolutions formulated in these slides. Instead, let’s go through these points critically but constructively, and see what we can gain.
- Communicate risk more clearly: The first resolution urges CISOs to “communicate risk more clearly”. While this is not wrong, it has become somewhat of a shibboleth of the infosec industry to constantly reiterate the importance of risk and the communication thereof. At the same time, it is clearly observable that the challenge does not necessarily lie in the awareness of the existence of risks, but in their uniform assessment and the associated metrics. So this recommendation should actually urge professionals to move to more formalized approaches to manage and communicate risks, such as FAIR.
- Build a bigger, better team: Next on the list is “Build a bigger, better team”. Since the ongoing wave of digitalization is moving forward with unbridled force, this seems logical. However, building “bigger” teams should be way lower on any CISO’s priority list than organizing existing resources into more nimble, more agile teams. Rapidly growing a team that has not yet reached a certain maturity comes with a risk of inefficiency and potential failure to communicate both internally and externally. Hence, “building a better team” is a great resolution; “building a bigger team”, on the other hand, should be handled with caution.
- Contain Containers: The usage of containers to aid the rapidly growing DevOps field is rampant, so the inclusion of a resolution to develop security strategies to handle this technology in particular is quite understandable. It is worth taking a step back from this particular viewpoint though: If an organization is struggling to have basic security policies in place for technological components like containers, maybe that is an indicator of a tendency to rush the deployment of new technology without proper processes and considerations. So while OpenStack and Docker certainly need some well-deserved care in the security and configuration management department, a CISO should generally focus on the bigger picture and make sure that security is built in, not bolted on.
- Understand API Risk Exposure: Even though there was a recent issue with an API maintained by the US Postal Service that led to the exposure of 60 million customers, the considerations of the previous item (container security) do apply here. A failure to address the security requirements of an API specifically, assuming other parts of the application are handled with more care, indicates a lack of maturity in the Software Development Lifecycle utilized by the organization as a whole. But there is a more prominent trap here: Shaping the efforts of an organization based on current events is a dangerous game that more often than not leads to a lack of focus on the individual needs of the organization.
- Upping their GDPR Game: Of course, some current affairs do demand attention, especially when they are tied to legislation and failure to address them comes with dire consequences. It is hard to disagree with the statement that GDPR is not yet fully understood and handled by a vast majority of organizations at this point, more than half a year after May 25. According to a sponsored study by Dimensional Data, about 20% of organizations worldwide believe they are compliant, with another 53% claiming that they are in the process of implementing appropriate compliance measures. So yes, if “upping their GDPR game” means that CISOs should observe how GDPR is developing “in the wild” and actively track not just the compliance aspects, but also the actual privacy and data protection rights of their customers, then this is a valid resolution.
- Securing Supply Chains: Almost a tie-in from the previous item regarding GDPR, this does again feel quite obvious. And much like the other resolutions before it, this should have been on a CISO’s radar for many years now: Despite the broad variety of security concerns the term “supply chain” can carry, this is rarely a new challenge, even considering the recent, still very questionable, claims of hardware implants. It does not end there: Even the usage of third-party software components, such as external libraries, is still an unresolved issue for many organizations. Hence, this is a valid resolution – but sadly it should be one for the year 2012, not the year 2019.
What we can learn from other people’s predictions
So quite evidently, there is quite a bit to talk about even with those fairly broad and basic predictions. In order to gain anything from predictions made by a third party, there is a need for reflection and adaptation to the unique circumstances of the environment the reader is involved with. Blanket statements such as “we need to focus on container security” do not create value, but distract from the real challenges ahead. With these caveats in mind, however, predictions can be a good starting point to strategize, reflect and see where your priorities should lie in the upcoming months of the new year.
About the Author
Stefan Friedli is a well-known face in the infosec community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON Groups chapters, he continues to push the community and the industry forward.