![](\"https:\/\/media.giphy.com\/media\/11S8kibkX64gmc\/giphy.gif\")
It’s December, which means three things: Thanksgiving is over, it’s cold in New Hampshire (so, so, so very cold), and security predictions are here. Call them “cybersecurity predictions” if you must (because, like, all the cyberz, amirite?) or call them something else, but the the season for forecasting is nigh upon us.<\/p>\n
What has always interested me about these predictions is that they aren’t exactly “predictive” per se.\u00a0 \u00a0What I mean by that is that, because these predictions target the coming year (covering a one year span) and they are usually done in December (like right before that year starts), they almost always are extrapolations of existing trends. Meaning, people take the things right in front of them, and assume that they will grow and expand over the course of the year.\u00a0 There’s nothing wrong with that of course, but it’s how almost all of these predictions are constructed.<\/p>\n
To see what I mean, consider this set of predictions right here.<\/a>\u00a0 This is an OK set as far as these things go.\u00a0 Meaning, there’s nothing provably false, it seems to reflect where things are now and extrapolates them forward.\u00a0 So it’s a set of things that are probably likely to occur over the next year.\u00a0 He predicts the following (paraphrased):<\/p>\n You could probably quibble about one or two of them.\u00a0 For example, is serverless really going to entrench right away (i.e. this year) or will it take longer to occur?\u00a0 Meh…\u00a0 it could go either way.\u00a0 I wrote about serverless like a year ago, but it’s just starting to pick up traction now – so it could well be like 2020 or longer before we see it really take off.\u00a0 It could also happen overnight.\u00a0 IoT and “more ransomware”?\u00a0 That’s probably as safe a bet as you could probably make, given that we’re already starting to see those things happen.\u00a0 In fact, the only one here that isn’t exactly “safe” is the last one — so props to him for including that.\u00a0 Will there legit be children’s content that leads to reputation impact for folks?\u00a0 I don’t know…\u00a0 Could be.<\/p>\n Anyway, based on this style of prediction: i.e. taking stuff that’s going on now and extrapolating them forward, I’m going to make a prediction that you can take to the bank<\/strong> for 2018.\u00a0 Namely, jackasses in cybersecurity will increase<\/span>. It’s already happening now, and I think it will continue over the next year.\u00a0 Malpractice will go up, there will be a downward pressure on actual skill\/ability for practitioners, and the loudest (but yet most ignorant) of those entering the community will lead corporations and other practitioners astray.\u00a0 Sound dark?\u00a0 Maybe so.\u00a0 But take it to the bank.<\/p>\n What do I mean and why do I say this?\u00a0 Well, first security is a hot area right now.\u00a0 There’s a well-publicized (some might say “over publicized”) skills gap out there along with a general recognition that organizations aren’t great at keeping stuff secure.\u00a0 Then, there’s an influx in money – from organizations and governments – in trying to buy their way out of the mistakes of the past and get a handle on the trainwreck their lack of stewardship and discipline has helped to create.\u00a0 This, in turn, leads to influx of venture capital and people looking to capitalize on the gravy train.\u00a0 Being that people tend to gravitate to where the money is, you will have people entering the field in droves.\u00a0 Some percentage of them will be solid, ethical, and thoughtful professionals — some will be blowhards whose ignorance is only rivaled by their lack of humility.\u00a0 Look around.\u00a0 It’s happening now.<\/p>\n What is the impact of this?\u00a0 The astute and workmanlike professionals will take their place in the workforce and help to do goodness.\u00a0 The blowhards will crow about being king of the world.\u00a0 This second group will inevitably cause damage to various organizations through their misguided (though well-intentioned) malpractice.\u00a0 They will advocate for things that make no sense, base decisions on unfounded, untested methods, and flout a reasonable standard of care because “they know better”.\u00a0 They will assume they are security’s equivalent of Stephen Hawking — and, because of the Dunning-Kruger effect<\/a>, they will legitimately not be capable of understanding why it’s not the case.\u00a0 They will trick others, new practitioners and those outside the space, who don’t (or can’t) recognize the intersection of ignorance and hubris they embody.<\/p>\n Is this too dark?\u00a0 Too cynical?\u00a0 Yeah, maybe.\u00a0 I have to confess that I continue to be frustrated by people who just don’t get it, who advocate (sincerely) for malpractice, who by their actions increase risk because they don’t know what they don’t know.\u00a0 For example, people who argue that asking for a password three times is “three factor authentication” (and fight with you when you correct them.)\u00a0 Or people who step over known, tested, workmanlike methods to undertake some “flavor of the month” quackery.<\/p>\n So my prediction for 2018?\u00a0 Jackasses.\u00a0 Jackasses all the way down.<\/p>\n Or…\u00a0 we could start the conversation about professional standards.\u00a0 Things like professional licensing that allow us, as a community, to strip away someone’s right to practice if they are dangerous, unethical, or careless.\u00a0 I’d really like to have that conversation.\u00a0 But I don’t think we’re there yet.\u00a0 Maybe when we reach “peak ignorance” in the field, we can have that conversation.\u00a0 I’m hopeful someday it’ll be true.<\/p>\n","protected":false},"excerpt":{"rendered":" It’s December, which means three things: Thanksgiving is over, it’s cold in New Hampshire (so, so, so very cold), and security predictions are here. Call them “cybersecurity predictions” if you must (because, like, all the cyberz, amirite?) or call them something else, but the the season for forecasting is nigh upon us. What has always […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[93],"class_list":["post-692","post","type-post","status-publish","format-standard","hentry","category-security","tag-predictions"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/692","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=692"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/692\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=692"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=692"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=692"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n