Recently in Future Trends Category

The world in 2018 (or not)


Now I'm not saying that I get everything right about the future. But I can certainly spot the excesses of other futurists. The latest example is IBM's predictions for the next five years.

The most important thing about forecasts is to understand the human, societal and legal blockers, as well as the limitations of technology and developers to deliver on promises. Against this background, IBM's suggestions seem rather naive, especially against a five year timeline.  

The classroom will learn you

Not only is it bad English, but it also seems rather sinister to suggest that technology should assess children's potential and be relied on to identify dyslexia instantly.

Buying local will beat online

I couldn't think of anything more likely to send me quickly to the exit than the prospect of a salesperson intercepting me in the aisle where the products I'm interested in are located.

Doctors will use your DNA to keep you well

The prospect of doctors determining my medication based exclusively on DNA readings fills me with concern. I prefer a human diagnosis based on a richer set of symptoms and experience.

A digital guardian will protect you online

The idea that a digital guardian learns about a user and authenticates transactions is a sound one in theory but will citizens be comfortable with a third party system that continuously shadows their behaviour? I think not.

The city will help you live in it

The prospect of large scale urban sprawl is bad enough but the idea that decisions on urban services are directed by crowdsourcing is enough to make central planning a desirable option.  

As a Daily Telegraph letter writer might put it "Am I alone in thinking this?"    

Predictions for 2014


So what will 2014 hold for cyber security professionals? Will it be something new or more of the old? The answer is a bit of both. We have all reached a crossroads in the way we manage security. Some CSOs will soldier on ahead - with diminishing effectiveness - while others will benefit from taking a fresh direction. Here are my forecasts for the state of security in 2014.

Escape from monoculture

New security technologies will provide a greater choice of defensive options. I've reported before on the danger of security 'monoculture', i.e. we have all been implementing identical security defences, providing attackers with a simple testing platform for attacks. New products that detect malware through behaviour and characteristics other than traditional signature scanning will present a new challenge for attackers.  
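As an added illustration of the monoculture point (example code written for this page, not from the original post or from any product), the following runs a hash-based signature and a handful of behavioural rules over two constructed samples and a constructed process event trace. The sample bytes, the event trace, the rule weights and the alert threshold are all assumptions made for the example and are not real malware indicators.

```python
"""Toy comparison of signature scanning and behaviour-based detection.

Added illustration, not code from the original post. The sample bytes,
event trace, rule set and threshold are all constructed for this example
and are not real malware indicators.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ---- Signature scanning: compare the file's bytes against known-bad hashes

def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

# Constructed stand-ins for a hypothetical dropper and a repacked copy of it.
# Only the final byte differs, as a trivial rebuild or padding change would do.
ORIGINAL_SAMPLE = b"MZ\x90\x00" + b"dropper-v1" + b"\x00" * 16
REPACKED_SAMPLE = ORIGINAL_SAMPLE[:-1] + b"\x01"

# The 'monoculture' database: every deployment ships the same hash list, so an
# attacker can test a new build against it before release.
KNOWN_BAD_HASHES = {sha256(ORIGINAL_SAMPLE)}

def signature_match(blob: bytes) -> bool:
    """True only when these exact bytes have already been catalogued."""
    return sha256(blob) in KNOWN_BAD_HASHES

# ---- Behaviour-based detection: score what the process does, not its bytes

@dataclass(frozen=True)
class Event:
    parent: str   # image name of the parent process
    image: str    # image name of the acting process
    action: str   # "spawn", "write", "persist" or "connect"
    target: str   # child image, file path, registry value or remote endpoint

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}

# Constructed trace of the dropper's process tree. The repacked copy produces
# the same trace: its behaviour did not change, only its hash.
MALICIOUS_TRACE: List[Event] = [
    Event("explorer.exe", "winword.exe", "spawn", "cmd.exe"),
    Event("winword.exe", "cmd.exe", "spawn", "powershell.exe"),
    Event("cmd.exe", "powershell.exe", "write",
          r"C:\Users\u\AppData\Roaming\upd.exe"),
    Event("cmd.exe", "powershell.exe", "persist",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event("cmd.exe", "powershell.exe", "connect", "203.0.113.7:443"),
]

# Constructed trace of ordinary user activity, to show the rules stay quiet.
BENIGN_TRACE: List[Event] = [
    Event("explorer.exe", "winword.exe", "write",
          r"C:\Users\u\Documents\report.docx"),
    Event("explorer.exe", "outlook.exe", "connect", "mail.example.com:443"),
]

def behaviour_score(trace: List[Event]) -> Tuple[int, List[str]]:
    """Add up weighted hits for suspicious actions; weights are illustrative."""
    score, reasons = 0, []
    for e in trace:
        if e.action == "spawn" and e.image in OFFICE_APPS and e.target in SHELLS:
            score += 5
            reasons.append(f"{e.image} spawned {e.target}")
        elif (e.action == "write" and e.image in SHELLS
              and "appdata" in e.target.lower()
              and e.target.lower().endswith(".exe")):
            score += 3
            reasons.append(f"{e.image} dropped an executable in the user profile")
        elif e.action == "persist" and e.image in SHELLS:
            score += 3
            reasons.append(f"{e.image} added run key {e.target}")
        elif e.action == "connect" and e.image in SHELLS:
            score += 2
            reasons.append(f"{e.image} made an outbound connection to {e.target}")
    return score, reasons

ALERT_THRESHOLD = 8   # tuning choice; set from benign baselines in practice

def is_malicious_behaviour(trace: List[Event]) -> bool:
    return behaviour_score(trace)[0] >= ALERT_THRESHOLD

def verdicts() -> Dict[str, Tuple[bool, bool]]:
    """(signature verdict, behaviour verdict) for each constructed sample."""
    samples = {
        "original": (ORIGINAL_SAMPLE, MALICIOUS_TRACE),
        "repacked": (REPACKED_SAMPLE, MALICIOUS_TRACE),
    }
    return {name: (signature_match(blob), is_malicious_behaviour(trace))
            for name, (blob, trace) in samples.items()}

if __name__ == "__main__":
    for name, (sig, beh) in verdicts().items():
        print(f"{name:9s} signature={sig!s:5s} behaviour={beh}")
    print("benign    ", is_malicious_behaviour(BENIGN_TRACE), behaviour_score(BENIGN_TRACE))
```

The repacked copy defeats the hash while leaving the behavioural verdict unchanged, which is why the products described above raise the attacker's cost. The caveat is that they only raise it: a behavioural rule set is itself a monoculture once everyone runs the same one, and an attacker can test against it just as easily. The practitioner's check is therefore whether a product diversifies what is measured (process lineage, persistence, network use) rather than merely which vendor supplies the list.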

A new generation of attacks

Forward-looking security professionals have been wondering what comes next after Stuxnet et al. That code was developed many years ago. The next generation of attacks will inevitably be richer, more sophisticated and even stealthier. There are enough political, commercial and criminal motives to encourage further attacks, so we can expect to see some spectacular threats - if we can detect them. They may already be amongst us.

A backlash against security standards

Wherever I go in the world I find a huge percentage of security managers who believe that security has failed, and the major culprit is compliance along with the bureaucratic standards it promotes. I've been saying this for years but lately I detect that governments and regulators are beginning to see the light. Compliance cannot go away. In fact it's likely to become even stronger. There will however be a rethink of the standards we need to achieve effective security. But don't expect an early solution.   

Improving strategic crisis response

Crisis management has been a long-standing weakness in all enterprises, for both business and security crises, especially at the strategic level which aims to safeguard the intellectual assets of the organisation. The growth in major incidents, CERTs, SOCs and SIEM tools has all helped to raise awareness of the need for better crisis management. It will be a long journey. But it's a healthy sign that enterprises are finally looking beyond simple incident management processes and business continuity plans.

Cyber skills gap grows

We all know there's a shortage of high-end cyber skills. Ask anyone who runs a security testing company. It's because skills such as high-speed reverse-engineering require a special kind of person. Training courses can't fix this problem, especially those that teach ancient security rituals. People with special skills can't be mass produced. They have to be sought out. And that's a more difficult challenge.

No change at NSA    

Don't expect any major changes in the operations at NSA, despite continuing Snowden revelations. The weakness is primarily with visible oversight and public presentation of policy, rather than day-to-day operations. The reality is that we have to gather large amounts of intelligence to prevent terrorist incidents. And that threat has not diminished. There is no evidence of widespread misuse of the data gathered. Admittedly there is a theoretical possibility of a future dictator abusing the power. But that's arguably a lower risk than the threat of terrorists gaining access to weapons of mass destruction.

And on that controversial note I'll wish everybody Season's Greetings.


Predictions for 2013


It's the time of year when we reflect on our progress (or failures) over the last year and anticipate the challenges of the coming year. Last December I made five predictions for 2013. How well did I do? Let's examine them.

Attacks get nastier

I forecast that attacks would become more damaging. It didn't happen quite the way I imagined. Some data breaches were massive (e.g. Snowden) but most attacks were designed primarily to steal data rather than to damage business operations. We await the latter. It's simply a matter of time.

Big challenges from Big Data

Big Data enables powerful user access and new opportunities for bigger data breaches. The potential was illustrated by the Snowden case which highlighted the massive power that is now in the hands of our administrators and power users. We are witnessing the slow death of the 'least privilege' principle. The worst is yet to come.      

Final death of corporate perimeters

The users have left the building, the applications are progressively following, and the enemy is already inside. Everybody is aware of the challenge. The Jericho Forum has therefore disbanded its evangelical mission and declared success. All that remains is for enterprises to follow their new instincts and implement security at the application and data levels.

Security speeds up

Security managers are speeding up their act, supported by a new generation of security tools that deliver real-time, continuous security. There are no excuses today for delay in detecting and mitigating vulnerabilities. Security managers should take full advantage of the new opportunities presented by Cloud security technology for speed and empowerment. 

SMEs discover security

For decades SMEs have been the soft underbelly of big business and critical national infrastructure. They still are. I predicted that 2013 would see the beginning of a slow change in this sector. Certainly there is greater awareness and interest from governments and regulators. But we have yet to see any significant change, despite the fact that we (ISSA-UK) set out a practical blueprint nearly two years ago.

Learning points

The events of 2013 demonstrated several home truths of cyber security. The Snowden case illustrated these well. Firstly, you can't keep anything secret in a hyper-connected society. Secondly, the short term damage of a massive breach can seem less than expected, though the longer term effects will be surprisingly broad and disruptive. Thirdly, existing security practices are inadequate for addressing the risks presented by today's infrastructure. And finally, it takes a painfully long time for stakeholders to address issues that have for many years been staring them in the face. 


Visions of the Future


I've just read an interesting report of future 2020 scenarios on cyber security put together by an esoteric institute called the International Cyber Security Protection Alliance (ICSPA). I don't know who they are but they have some excellent chaps such as John Lyons and the Right Honourable David Blunkett MP on board. It's a fascinating read and a valiant attempt to visualise life in the next decade and beyond. As a keen futurist I applaud such exercises but cannot help but see them with critical eyes.

Many attempts to predict the future fall into the trap of imagining the future as an exaggerated version of present trends, rather than taking a step back and trying to identify the real blockers, enablers and catalysts of the current and emerging drivers and trends. This one falls into a similar trap of extrapolating the present rather than imagining a different future.

Personally I find that 2020 is a hard call. I can generally see the next 18 months and imagine life a decade or two away. But very little changes in five or six years. As even Bill Gates has noted, we tend to overestimate the changes that will occur in the next two years and underestimate the changes that will occur in the next ten.

In the ICSPA report we see mention of attacks on critical infrastructure, augmented reality and the Internet of things. Yet these possibilities have been around and viable for the last two decades. SCADA systems have been vulnerable (and hacked) since the time they were first introduced. Augmented reality is based on a technology worn continuously by Thad Starner for two decades. And the Internet of things is little more than a rather lacklustre adaptation of Neil Gershenfeld's pioneering visions at MIT Media Lab in the 1990s.

Why did these technologies not materialise in the past? It's a good question, and it represents one of the keys to understanding the future. Augmented reality has been a reality since the turn of the century but has not caught on. There's clearly a major blocker. It may be cost, health and safety, or a combination of both. Attacks on critical infrastructure have been possible for decades but the threat has not materialised (and I'm sure it will be well and truly mitigated as soon as a 9/11 type incident occurs). The Internet of things is a wonderful field for imaginative speculation but the business case and reality lag very far behind.

It's good however to stretch the minds of executives with far-fetched scenarios of the future. People tend to suspend their disbelief when contemplating fictional visions and accounts. The Royal Dutch/Shell Group has been exploiting this phenomenon for around forty years. It works. But it's a lot more effective when it's accurate. 


Business understanding of cyber attacks a decade out of date


This is the title of an article from yesterday's Australian Financial Review, the leading Australian business newspaper. It was written by Chris Joye, a leading economist, fund manager and policy adviser, previously with Goldman Sachs, following an interview with me. Chris is a leading influence on business leadership in Australia. If he gets it, it's only a matter of time before the business community follows his lead.

It's good news to gain the interest of business leaders like Chris. It's another problem to exploit this spotlight. Let's hope that the Australian security community has the imagination to follow through.    


Learning points from Advanced Persistent Threats


I've been very busy this year as you might gather from my rather thin postings. It's a positive sign in fact as it reflects the mushrooming demands of a growing industry which has a long way further to grow.      

One thing that is currently occupying my attention is the subject of APTs, which I'm currently researching for a new publication. It's an interesting and fast moving topic. Ten years ago nobody was interested in this level of threat. I was even accused of being a 'doomsayer' by ZDNet for warning about such risks. But what strikes me about APTs today is that nearly all of the published information about them is either factual analysis about how they work, or promotional claims about new technologies to make them go away.

What's lacking are the learning points from actual attacks. It's understandable given that most companies prefer to keep quiet about attacks. Yet this is the information we need. If we'd been warned earlier about the full facts of these attacks we might have done things differently.  

We need to know things such as: What should we do differently? How can we discover an attack? What measures should be implemented to minimise future risks?  This information is still hard to come by. Implementing ISO standards does not solve the problem. Committees, responsibilities and policies certainly don't deliver enough.

Going beyond today's best practices should be the focus of security researchers today. Too many are still trying to invent new ways of selling outdated controls to unsympathetic executive boards. I have occasional debates with Fred Piper on the subject of whether today's practices are better than nothing. I claim they're not, because they're an expensive distraction. He says they still serve some use. But we both agree they're not good enough.

So I invite anybody who has a great new idea on how to reduce the risk of APTs to contribute it to my current research. You'll get full credit. We need your innovation. At the same time, I must encourage anyone who has experienced an APT attack to share their views on what they would do differently in the future. We need your experience.   

Predictions for 2013


What will 2013 hold for information security professionals? Certainly a lot more serious incidents, as we've been incubating a raft of potential crises for the past two decades. But what specifically can we expect? Will it be more of the same? Or could we see the dawn of a new era? The answer is likely to be a little of both. Here are my top five forecasts for 2013.

Attacks get nastier

Data breaches are bad enough, but at least they don't disrupt business operations. Long term data damage is much worse. I've been forecasting this as a future risk for the last decade. It will begin to hit home during 2013, with rapid growth in cyber extortion and vandalism, perhaps coupled with the emergence of real cyber terrorism. Expect much nastier attacks and watch out for the beginnings of organised protection rackets.

Big challenges from Big Data

Big Data is the latest technology in a long term trend of increasingly powerful user access, enabling new dimensions in data mining, fusion and navigation, as well as new opportunities for big data breaches. Only compliance and expensive licence fees stand in the way of a user free-for-all in data access. But it spells the end of the 'least privilege' principle.     

Final death of corporate perimeters

Many enterprises, including big banks, still cling to the fig-leaf protection provided by private infrastructure. It's an illusion of course because Internet and email access provides a massive back door for attackers. BYOD is the final nail in the coffin for traditional corporate perimeter protection. The users have left the building, the applications are following and the enemy is already inside.  

Security speeds up

Growth in the frequency and impact of attacks will at least persuade security managers to forget the achingly slow Deming cycle and respond to vulnerability alerts and incidents in real time. Patching will get faster, vulnerability scanning will become more frequent, and security staff will become more empowered.    

SMEs discover security

In recent years I've researched and written extensively about the lack of interest and awareness in security in the small and medium enterprise sectors. The reality is that SMEs aren't concerned and nobody has bothered to educate them. They remain the soft underbelly of big business and critical national infrastructure. 2013 will see the start of a slow change in this sector, starting with small retailers, as compliance requirements gradually cascade down supply chains. It won't happen overnight but it will open up new markets for security vendors.  


Forecasts for 2012


It's the time of year when pundits express opinions on the year ahead. And naturally I have my own views. Before that, let's take a quick look at my forecasts for 2012. How well did I do? 

Last December I made six predictions for 2012.

1. Space weather creates concern.
This risk didn't create the level of concern I anticipated. Levels of solar activity have been relatively low lately. Looks like another Y2K. I fell for both. The lesson from this is that professionals with well-researched data are just as likely as anyone else to overstate the risk.

2. Social networks get secure.
It's happening, though very slowly. An increasing number of people are encrypting social media messages. Technology such as scrambls makes it easy. The rest is up to users. Some care, many don't. That will change, though it might take a few years.

3. Big Data is the new black.
If the RSA Conference is anything to go by, then it's true. The technology is here and it's available in leading products such as QualysGuard. The know-how to exploit it, however, is thin on the ground. And we've yet to scratch the surface of what can be done.

4. The electronic Pearl Harbour strikes home.
I've been forecasting it for a decade and a half but it hasn't happened, at least not in the form I expected. But awareness is considerably higher. Ten years ago people thought it was a wild exaggeration. Now they buy it; we've gone from denial to acceptance. But the disasters are still waiting to happen.

5. Public clouds fail to hit the spot.
Cloud services still have a long way to go, partly because of security and business continuity concerns. There is now a much wider understanding of the risks and how to address them. Paradoxically, Cloud security services are a compelling purchase and a big success.

6. A new Global game - soft targets hit back.
If newspaper coverage is anything to go by then we are certainly into a new Great Game, with angry reactions by those targeted or caught in the crossfire. This game is different as it's impossible to keep things secret in a networked society.

Not a bad set of forecasts, and at least they were reasonably interesting. Perhaps I'll have better luck next time. 


Boutique consultancies are back in fashion


It's been a few weeks since my last blog posting. That's the bad news. The good news is that it's the result of being rushed off my feet with consultancy assignments. Interestingly it's not my usual line of business. I generally set out to try and make a living from research and write white papers.

But I detect that the security consultancy market is going through a much needed change at the moment, with many clients getting fed up with buying the usual, off-the-shelf, template products offered by Big 4 and other large outfits. They are looking for more practical help from experts who are prepared to listen to their concerns and develop a tailored solution.

I'm particularly finding this in the Middle East where many of my customers started by buying identical paper bricks from big consultancies. These tomes now sit unread on the shelf gathering dust. Implementing them is the problem. Paperwork is useless unless everyone understands it. It might get you part of the way towards a certificate, or help to impress an inexperienced auditor. But it's near impossible to put a hundred page manual into action if no one has read it.   

This issue is largely inevitable. Consultants tend to measure their worth by the amount of paper they generate. Twenty years ago that might have been a challenge, but with today's instant availability of thousands of policies, standards and control methodologies on the Internet, now anybody and everybody can be a security consultant. You just need to be able to cut and paste text and questionnaires.

I prefer to take a different approach. Rather than copying a business continuity manual from a previous client, I prefer to start with a two page plan and then show the client how to progressively build it into a more comprehensive working document. My clients from last year now have plans of around 50 pages. The difference is that they developed it all themselves. Now that's real security. Once upon a time I thought that was becoming an impossible dream. Perhaps there's hope for us all yet. So let's celebrate the fact that boutique consultancies are coming back into fashion. 


Six security forecasts for 2012


My crystal ball tells me that 2012 is a relatively predictable year. That's largely because we've experienced significant changes in the political, business and security landscapes, ones that are sufficient to inspire some form of predictable short term action. Amongst other things it means some interesting action items will percolate up the management agenda. Here are my top six predictions for 2012.

Space weather creates concern

Even if you're cynical about the forecasts of widespread electrical disruption, it's certainly worth dusting down the contingency plans and filling up the generators. At the very least, increased solar activity will probably cause a few minor annoyances to GPS users. The larger concern, however, is that it might take out mobile communications, power supplies or perhaps anything with a GPS chip. Not quite Y2K in impact, but longer, less predictable and much less researched and publicised.

Social networks get secure

Why have we been waiting so long to deploy a solution to insecure social networks when it's not that difficult to achieve? The answer is our lack of imagination. This will change in 2012 as easy-to-use products emerge to secure Facebook and Twitter communications, just in time for a Springtime wave of citizen uprisings. I'm already playing with an alpha version.  

Big data is the new black

Yes, we've all known about the information explosion for decades, arguably for centuries. The problem is that no one has done much about it. But big data is now becoming interesting, both as a challenge to existing security processes and as an opportunity for data mining and fusion. It's a timely catalyst for change, as the real future of security lies more with smart information exploitation than with industrial-age quality management systems. I detect an increasing number of security vendors exploring this area. That's good news for a security community that's lacking in imaginative ideas.

The electronic Pearl Harbour strikes home

I've been forecasting the electronic Pearl Harbour for more than a decade. In 1999 I predicted it would not happen until at least 2006. That analysis was based on technology road mapping exercises.  Last year I forecast it would finally hit home. It didn't, but the integrity of many of our critical services continues to survive on borrowed time. Expect a big catastrophe this year. It's long overdue, and much needed to shake up the current lacklustre order of battle in the cyber security space.

Public clouds fail to hit the spot

Why are public cloud services so reluctant to give security assurances? Now that's the bit I don't get. You can't make money without talking up your products. There are plenty of liability considerations of course. But that's precisely why big customers are holding back. If vendors can't deliver cast iron guarantees then big companies will not buy the services. If any cloud services catch on they are likely to be private or hybrid implementations. Public clouds might seem like a good idea in theory but they have a long way to go in practice.  

The new global game

For decades we lived in the shadow of a largely invisible cold war dominated by pervasive espionage aimed primarily at military or diplomatic targets. It had little, if any, apparent impact on everyday citizen and business interests. Few of us noticed, or cared what was going on. Today it's different. The new battleground is our global business infrastructure, and the targets our trade secrets. It's no longer realistic for governments to turn a blind eye to hostile attacks, or even attempt to keep the new game under wraps. As exploitation of stolen secrets becomes increasingly visible, then we should expect an overt response to any covert attacks. It's time for soft targets to strike back. 


About this Entry

This page contains a single entry by David Lacey published on December 22, 2013 9:31 PM.
