2019 Predictions
Edward Tucker
Positive disruptor, transformer, value creator, capability builder, speaker, advisor, rethinker
We are in the season of predictions, which vary from the factual and realistic to the downright comical. We’ve all seen these, year after year, generally driven by ‘experts’ with little to no clue as to what they are talking about. I’m struggling to think of a single one of these predictions that has actually come true.
So, to be no different, let’s have a crack at some predictions myself.
AI and ML (they are the same bloody thing!!!!) will rise and rise.
Despite almost all AI being non-symbolic and thus hard to trust the outcome of, as it is unexplainable, AI adoption will rise. Hopefully people will actually start to understand what things like human readable mean when it comes to AI, but I won’t be holding my breath. We will also see a rise in AI being ripped out again as it didn’t do what the ignorant purchaser thought it would do. Mainly because they didn’t actually understand the subject, what they were buying and of course the age-old case of them being ‘sold to’!
AI experts will magically appear.
Much like the rise in data scientists, many of whom don’t even know what an n-triple is, we will see a rise in AI experts. Similarly to most other experts in the technology space, they will speak about ephemeral concepts, buzzwords, little of value, and share thought leadership that is consistently lacking in both thought and leadership. Others will laud these experts, for they are equally lacking in expertise, but will see these experts as guiding lights.
Attacks and attackers will become more and more sophisticated.
I know this is nothing new, but it ain’t going away. It is, however, about time that we had another buzzy term for this to freshen it up so that we take more notice and buy some more 8th generation threat fighting widgets. This will of course include the use of nation state and APT as often as possible so that even the butcher down the road is petrified that China is after his sausage orders. How about ANST? Advanced Nation State Threat. Not just Nation State, but ADVANCED NATION STATE!!!!! [dramatic music]
Intel sharing will be high on the agenda.
Despite the fact that almost all of it isn’t intelligence and that most organisations can do nothing meaningful with it, we will look to share like never before. We will take SOCs from alert fatigue to alert flood. We will ignore contextualisation in favour of noise.
The magic quadrant will continue to flourish.
People will still look ‘top right’ for their answers, and of course follow what the ‘analysts’ put out there as being the latest thing that you NEED to do. No change here. This isn’t really a prediction, just how it is sadly.
Adoption of frameworks will rise.
For example ATT&CK, which many will then drop as being hard to do, or rather never really get into fully in the first place, but of course claim it.
There will be 400 billion digital startups.
All of which are the emperor’s new clothes. The startup market shows no signs of slowing and is in fact increasing. This will make it harder to succeed and also harder to pick the one you want to solve a problem. We’ll continue to see people early adopting for right and wrong reasons. And the chase for the unicorn will continue. Must have a good logo though. Some will really push boundaries and that is to be championed.
CIOs will continue to come into new roles, re-org, strategise with buzzwords, transform and then leave before it lands.
Maybe a tad harsh, but the cycle of the CIO will continue. New role, re-org (probably into a structure that has been previously seen in the org 4 or 5 times), define a strategy with lots of buzzwords, hit the transformation button and then leave before the outcome is realised. And repeat. Ad infinitum every 3 years.
Security leaders will continue to offer no leadership.
Again harsh, but we will, I am certain, see the continuance of security leaders sharing articles et al with no thought of their own on the subject in question. They will offer no opinion and people will lap it up and comment to ensure that they are commenting on these security leader’s posts. It is painful, and it happens constantly. Have a quick look up and down your LinkedIn timelines and see how much actual opinion is presented by the poster.
Encryption backdoor legislation will come in.
It will be opposed by those who know what this means, and also by those who believe such access already exists in a lot of places. However, I think we will finally see this legislative measure make headway. Wrong as it is, it will of course be based on the ‘nothing to hide’ argument coupled with ‘nasty terrorists’, so we must allow Gov to have backdoor access. What could possibly be wrong in that? Sheesh! What I’d love is to trust big tech companies with all the data in the world and Gov in tandem. It is just a recipe for misuse. Not that that would ever happen of course. You can trust them all, can’t you? It is not like any (either tech or Gov) have ever misused it in the past, right?
Organisations will continue to bury incidents, especially personal data breaches.
I know we have things like the GDPR that bring in mandatory breach notification where there is a risk to the data subject, but that doesn’t mean it’ll actually happen. Personal data breaches have been happening for years and have been hushed up and hidden for years. This trend will continue. Well, rather than ‘will’, it is continuing. If you don’t believe this happens, or that this will happen post the GDPR etc., then you need a quick dip in the reality pool.
CIR firms will continue to battle with the ethical question in ‘silently’ cleaning up said breaches.
It is not just the organisations themselves who tidy up these breaches. CIR firms are often on hand to help organisations, which is great. Expensive, but great where they do not have that expertise. However, there are occasions where these include personal data breaches, to which the CIR is a cog in the wheel of ‘making it go away’, including ensuring reports do not leave organisations open to risk. Wording is very careful, to ensure least possible risk should anything be uncovered in the future. Kind of like a cyber Ray Donovan. It must be hard at times where you have helped clean up a breach that you know involves personal data, and includes a risk to the data subjects, yet it magically never sees the light of day. Especially if this were a repeat occurrence and yet the organisation in question has never seemed to notify anyone about the breaches that have never happened.
A CIR whistleblower.
I do think at some point, especially with the personal data slant, that we will see a CIR whistle-blower who brings this out into the open. How they have cleaned up serious breaches to make them go away for large organisations, probably household names. Telling tales of regular visits to the same organisation for yet another personal data breach. Tired of seeing householdname.com getting away with it time and time again. Continually failing their customers in protecting their data.
There will be lots more, but that will do for now.
One final one.
We will continue to ignore basic security measures and the understanding therein. We will continue with pointless, unread policies that are no use to anyone. Continue ignoring risk management. You know, the full loop with changing parameters of threat, vuln, exploit, likelihood, impact, control effectiveness etc.! Training that just annoys the end user and raises zero awareness. Security controls that don’t work in operation. Firewalls that serve no positive purpose. Elastoplast security for theoretical risks. Unknown assets, users, privileges, protocols, networks, architectures, vulnerabilities... ah, just buy some technology and I’m sure it’ll be fine!! Go on, go on, follow the flashing lights. Aren’t they pretty? And then wonder why you got breached.
At least please, maybe, look at the rules on your external firewalls, if you know where they are. Please? Give yourself some breathing space. Engage with your customers (users) to find what they need and work with them.
And if you're looking at new innovation or approaches, or indeed looking at some of the buzzwords, please start by solving a business problem. Don't start with technology, or a product name/type; that way failure lies. Always solve a business problem, even hypothetically, first. Too many focus on technology. Like ‘we need a data lake, let's start with Hadoop’, before actually defining the analytical problem.
*these predictions were brought to you by non-symbolic AI. Which means they may or may not be right, we have no way of knowing, or understanding how we got to these predictions.
UKHSA Cyber Security Programme Manager at Department of Health and Social Care
6y Yup - like this thread. The basics, how elusive they appear to be for the vast majority of organisations. :)
Enterprise Cybersecurity Sales Executive - UK & Northern Europe at LevelBlue
6y Harsh but fair....
Trusted Advisor/Critical Friend, Interim/Virtual CISO, Team Lead, Principal Consultant, NED & #UnsungHero 2022 Security Leader & Mentor
6y Blunt, cynical perhaps but no less accurate Edward Tucker - we must get better as an Industry, less FUD, more Value Add - more professional also. I’d like to see more Wargaming of Incident Response & exercising of Crisis Management team & processes: 7Ps
Minimising Unmitigated Surprise.
6y I generally don't like predictions as they are usually wrong but here is a thread of my wrong guesses for posterity.