It’s December, which means three things: Thanksgiving is over, it’s cold in New Hampshire (so, so, so very cold), and security predictions are here. Call them “cybersecurity predictions” if you must (because, like, all the cyberz, amirite?) or call them something else, but the season for forecasting is nigh upon us.

What has always interested me about these predictions is that they aren’t exactly “predictive” per se. What I mean is this: because these predictions target the coming year (a one-year span) and are usually written in December (right before that year starts), they are almost always extrapolations of existing trends. People take the things right in front of them and assume those things will grow and expand over the course of the year. There’s nothing wrong with that, of course, but it’s how almost all of these predictions are constructed.

To see what I mean, consider this set of predictions right here.  This is an OK set as far as these things go.  Meaning, there’s nothing provably false, it seems to reflect where things are now and extrapolates them forward.  So it’s a set of things that are probably likely to occur over the next year.  He predicts the following (paraphrased):

  1. machine learning (evolution in using them for attack & defense)
  2. more ransomware
  3. more serverless
  4. home IoT privacy and security issues
  5. reputational issues stemming from children’s digital content

You could probably quibble about one or two of them. For example, is serverless really going to entrench right away (i.e. this year), or will it take longer? Meh… it could go either way. I wrote about serverless about a year ago, but it’s only just starting to pick up traction now, so it could well be 2020 or later before we see it really take off. It could also happen overnight. IoT and “more ransomware”? Those are about as safe a bet as you could make, given that we’re already seeing both happen. In fact, the only one here that isn’t exactly “safe” is the last one, so props to him for including it. Will there legitimately be children’s content that leads to reputation impact for folks? I don’t know… Could be.

Anyway, based on this style of prediction: i.e. taking stuff that’s going on now and extrapolating them forward, I’m going to make a prediction that you can take to the bank for 2018.  Namely, jackasses in cybersecurity will increase. It’s already happening now, and I think it will continue over the next year.  Malpractice will go up, there will be a downward pressure on actual skill/ability for practitioners, and the loudest (but yet most ignorant) of those entering the community will lead corporations and other practitioners astray.  Sound dark?  Maybe so.  But take it to the bank.

What do I mean and why do I say this? Well, first, security is a hot area right now. There’s a well-publicized (some might say “over-publicized”) skills gap out there, along with a general recognition that organizations aren’t great at keeping stuff secure. Then there’s an influx of money, from organizations and governments, trying to buy their way out of the mistakes of the past and get a handle on the trainwreck their lack of stewardship and discipline has helped to create. This, in turn, leads to an influx of venture capital and people looking to capitalize on the gravy train. Since people tend to gravitate to where the money is, you will have people entering the field in droves. Some percentage of them will be solid, ethical, and thoughtful professionals; some will be blowhards whose ignorance is rivaled only by their lack of humility. Look around. It’s happening now.

What is the impact of this?  The astute and workmanlike professionals will take their place in the workforce and help to do goodness.  The blowhards will crow about being king of the world.  This second group will inevitably cause damage to various organizations through their misguided (though well-intentioned) malpractice.  They will advocate for things that make no sense, base decisions on unfounded, untested methods, and flout a reasonable standard of care because “they know better”.  They will assume they are security’s equivalent of Stephen Hawking — and, because of the Dunning-Kruger effect, they will legitimately not be capable of understanding why it’s not the case.  They will trick others, new practitioners and those outside the space, who don’t (or can’t) recognize the intersection of ignorance and hubris they embody.

Is this too dark? Too cynical? Yeah, maybe. I have to confess that I continue to be frustrated by people who just don’t get it, who advocate (sincerely) for malpractice, who by their actions increase risk because they don’t know what they don’t know. For example, people who argue that asking for a password three times is “three factor authentication” (and fight with you when you correct them). A factor is a distinct category of evidence: something you know, something you have, or something you are. Prompting three times for the same secret is still one factor, just entered three times. Or people who step over known, tested, workmanlike methods to undertake some “flavor of the month” quackery.

So my prediction for 2018?  Jackasses.  Jackasses all the way down.

Or…  we could start the conversation about professional standards.  Things like professional licensing that allow us, as a community, to strip away someone’s right to practice if they are dangerous, unethical, or careless.  I’d really like to have that conversation.  But I don’t think we’re there yet.  Maybe when we reach “peak ignorance” in the field, we can have that conversation.  I’m hopeful someday it’ll be true.