"I have seen the future and it is very much like the present, only longer."
-Kehlog Albran, The Profit
Since I use the word Trends in this blog title, I'm legally obligated to review my past predictions and make new ones for 2014. So, here's Part I, a look back at the trends I predicted for 2013:
- Continuing and refined targeting of attacks - This prediction also included "Press attention to threats will start to wane in 2013, which is always an indicator that the threats have actually gotten more serious." This one may seem like low hanging fruit, but the prediction was issued two weeks before the Mandiant China threat report caused APT hype to balloon. That hype sort of peaked at the RSA conference and was completely knocked off the press radar by the Snowden leaks. But real live (non-NSA) advanced targeted threats continued and expaned - with a lot less press attention.
- Increased Mobility - This one included "The risk of malware on those devices has been widely overhyped for years..."The prediction of mobility increasing was definitely a no-brainer, but once again the overhype for mobile malware continued - and the actual impact of mobile malware continued to be minimal. That will continue to be the case, as smart phones and tablets are not just smaller, lighter Windows PCs - vulnerabilities and threats are different.
- Choose Your Own IT - The security impact is much, much more than just the users buying and bringing their own devices - think of the system integration and security issues we will be facing as enterprises try to glue together mixtures of cloud services, multiple user devices and legacy systems to meet user demand. This one really hasn't hit yet - there is still a lot of "don't ask, don't tell" going on in BYOD/CYOIT. Users are gluing together apps like OneNote and Google Docs with DropBox and other services while IT is pretending it isn't happening, and IT Security is saying it shouldn't happen.
- More Government "Help" - this one ended with "legislation will invariably lead to increased compliance costs vs. increased levels of security." The NIST framework effort and other proposed legislation proved this one true. Luckily, the government moves slowly - a bad thing for healthcare web sites, a good thing for forestalling security legislation.
- Overhype of the year - this one listed "security is just a big data problem" and "security industry consolidation" as the two areas that would be overhyped in 2013.The big data overhype at the RSA conference prediction was dead on, but mercifully the backlash occurred pretty rapidly - there is already counter-hype that "small data" is what is needed, whatever that is. The Snowden leaks provided a great example of the cost and complexity of trying to turn huge volumes of data into any actionable advice.On the security industry consolidation front, Cisco buying Sourcefire was the only real blockbluster security acquisition of 2013. However, FireEye went public and pretty much replaced Sourcefire's revenue on the independent company side of the IDS/IPS ledger, and after a first year bounce, Cisco is unlikely to keep up with FireEye's growth. Numerous other startups showed strong growth and there really was no meaningful consolidation overall in 2013.
- Cracks will appear in the stranglehold of two of the most ubiquitous and tenacious, but least useful, security approaches: desktop/endpoint anti-malware and reusable passwords. This one included "predicting the end of the reusable password is like saying 'this is the year there will be peace in the Middle East.'"There was definitely more "signature-based AV is dead" and more experimenting with adding better desktop security approaches like Invincea or whitelisting, so I'll count this one as valid - but there was very little replacement of endpoint AV with those stronger approaches. The end of XP and Security Essentials support by Microsoft in 2014 might cause some movement in that direction, but the overall market for Windows PC security will at best be flat, and more likely declining over the next 5 years.
On the password front, definite increases in consumer's adding SMS messaging as second factor authentication but less so on the enterprise side. I can't even call it cracks, more like pre-crack tremors that barely registered on the password Richter scale. I'll count this as a miss - just as in 2003 I had to declare my 2001 prediction about smart card authentication growth wrong.
That's the end of the retrospective, next installment will be the mandatory predictions for 2014.
We want to get 80%-85% of predictions right, not 100%. Or else we calibrated our estimates in the wrong way.