It's the time of year when we reflect on our progress (or failures) over the last year and anticipate the challenges of the coming year. Last year I made half a dozen predictions for 2014. How well did I do? Let's examine them.
Escape from monoculture
A year ago I forecast that new security technologies would provide a greater choice of defensive options, making things less predictable for attackers. It hasn't quite happened yet, but there are some emerging alternatives that look promising.
A new generation of attacks
I also drew attention to the inevitable fact that the next generation of APT attacks would be richer, more sophisticated and stealthier. That's certainly happened, so much so that we can't detect the latest attacks, as illustrated by the recent discovery of a sophisticated APT attack (Regin) dating back six years.
A backlash against security standards
I also predicted a growing backlash against security standards, which have increasingly effective. That's certainly been a major issue this year, commencing with the FIC 2014 January opening conference theme of "Is cyber security a failure?" Unfortunately there is no realistic alternative for regulators to the growing mass of bureaucratic standards.
Improving strategic crisis response
On an optimistic note I forecast that enterprises would develop improving crisis management capabilities, correcting a long-standing weakness. I've certainly seen signs of this with the growth in deployment of SIEM technologies and security operations centres (SOCs).
Cyber skills gap grows
I also noted the growing shortage of high-end cyber skills, fuelled by the need to seek out a special kind of person for key monitoring and analysis tasks. Interestingly, there are now several proactive initiatives to employ or help find security work for dyslexic and autistic graduates. This approach will grow.
No change at NSA
I forecast no major changes in the operations at NSA, following Snowden. And I've yet to see any indication of this. Large scale intelligence gathering is necessary to combat terrorism, and that threat is growing.
The events of 2014 demonstrated a number of inescapable truths. Fast-changing subject areas tend to be held back by their legacy. The consequence is that they fail. Evolution will not deliver solutions. Nothing short of a revolution will succeed. New technologies, new skills and a new realism are needed to transform the effectiveness of cyber security.