It’s that time of year again when everyone wants to wow you with their insights and predictions about what the next year will bring in terms of technology and hacks in the security industry. Don’t get me wrong, thinking ahead and applying a predictive approach to security is an idea and practice I fully endorse. However, I would like to ask the security community as a whole to please not waste our time with vague generalities and statements so broad that they could apply to anything, or, for that matter, to nothing.
For those unfamiliar with the name or work, Michel de Nostredame, aka Nostradamus, was a French apothecary and reputed seer who published collections of prophecies that have become famous worldwide. While he is the most famous of the prognosticators, his predictions are largely panned by the scientific community as being so general that they can be molded to fit multiple scenarios and situations. His most famous predictions, at least as his modern interpreters have read them, had the world ending in 1994, and then again in 1998, or maybe it was 2000. No, it was definitely going to end on December 21, 2012. Well, I’m writing this in November of 2013, so I guess that didn’t quite work out the way he had envisioned after all.
The reason I bring this up is that if Nostradamus had envisioned our networked world of 2014 and had written predictions about the security challenges it would face, I’d expect them to look something like this:
– Hackers will target data in the cloud
– Attacks will continue to become more sophisticated
– Cybercriminals will be motivated by profit
– China and other nation states will remain a top security concern
– Mobile devices will be under increased scrutiny
Please raise your hand if any of these predictions has helped you shore up your security planning for 2014. Anyone? I didn’t think so. While I changed some of the wording to protect the guilty, the theme of each of these predictions was pulled directly from members of our industry. Forward-thinking and practical advice from experts is always appreciated, but we need to do a better job of making constructive points in our observations.
What we need are viewpoints and recommendations based on analytics and trends in data that point us toward actual solutions to real problems. One of the better reports published each year is the Emerging Cyber Threats Report presented by the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI). While it’s a fairly lengthy report, it is well worth your time, as it provides analysis and trends with straightforward explanations of the types of threats we should be actively preparing to deal with in the coming years. These are the types of reports that allow companies to plan for security based upon facts, data, and the analysis of the best minds in the security industry and law enforcement.
As I’ve written about in the past, we as an industry do a great job of hyping ourselves, but a poor job of explaining what we do and how we solve problems within an organization. This needs to change. As we move into 2014 and beyond, security will continue to take on increased importance within organizations, especially those that deal in sensitive data or operate critical infrastructure. It will need to become more tightly integrated into business planning, and the CISO will need to become an agent of change within the organization.
As I’m sure you could gather from the opening portion of my article, I’m not much into predictions. A clever sound bite can never substitute for careful analysis and years of research and development aimed at solving the industry’s most technical challenges. Despite years of heavy investment in security, none of us can stand here today and say that we are winning. At the same time, we continue to face better-funded and more sophisticated foes, with technology capable of delivering significant attacks on our most valuable institutions.
While I won’t make a prediction per se, I will leave you with what I consider to be a statement of fact. We in the security industry need to do better. We need to continue to advance our technology and develop new and better ways of addressing security concerns and vulnerabilities. Due to the very nature of our business, we will always be playing catch-up to the hackers, but that is a challenge we need to meet. I’m not sure who said it first, but the reality remains: in the security industry, we need to be right 100 percent of the time, whereas the hacker only needs to be right once. Words to live by, and ones that I’m pretty sure didn’t come from Nostradamus.