Hey, it’s a new year! You knew that already, despite still having written 2018 on the last few things you dated. With each new year comes a slew of “expert” information security predictions outlining what we can expect to happen to the industry in the upcoming year.
I’ve made my share of InfoSec predictions in the past, including those for 2018. But this year, when I was asked to write predictions, I just didn’t feel it. Instead, I decided to take a different approach. I’ll share the four reasons why I’m not doing InfoSec predictions this year. Each reason for not writing a prediction comes with a corresponding New Year’s resolution that I’ve set for myself and feel would also make a positive impact on your careers and lives as well.
Reason #1 – What’s the Point?
Let me be honest with you. I didn’t write InfoSec predictions because I thought I was helping. Sure, that was part of it, but it wasn’t the motivation. The motivation was that I wanted to prove to people that I was a thought leader who had this special skill— this special skill that portrayed I was so in touch with this industry that I could predict the future! That was 80% of my motivation. 10% was that I wanted people to read my sh*t. The remaining 10% was to help people. Unless I get my motivations ironed out, I’m not going to write predictions.
New Year’s R
Use introspection to be more honest about my true motivations. The point is to spend more time actually helping people.
Reason #2 – They Don’t Help
I refuse to point out and bash other people’s predictions here, so I’ll take my InfoSec predictions last year as an example. The quick and dirty. Here’s my predictions list from January 2018 in order:
- The General Data Protection Regulation (GDPR): it really is a big deal.
- Ransomware attacks will continue and will become more sophisticated.
- IoT attacks will get nasty.
- More financial fraud attacks through partners.
- The lack of qualified security expertise problem gets worse; outsourcing of security services will grow.
- Cryptocurrency chaos; attacks, price volatility, and regulation.
- Cyber-Insurance SME market will explode.
- Attacks on the US government and critical infrastructure.
- A breach will occur that results in loss of life (directly).
- A new law protecting U.S. citizen identities.
Did these predictions help you? I got maybe 7 of them correct and the other 3 missed the mark. Some of them were obvious, and some of them were a stretch. Impressed? Did your security get any better because of reading the predictions? Likely not. It feels like I sort of wasted your time.
New Year’s R
Spend more time helping people with advice that they can apply to their own circumstance(s).
Reason #3 – Other People Do It B
There are people in our industry who are better at predicting the future of our industry. I won’t waste your time
Here’s a list of some predictions. Some of them are good and some are not so good. I’ll let you be the judge.
- 9 Cyber Security Predictions for 2019 by CSO
- Cyber Security Predictions: 2019 and Beyond by Symantec
- 60 Cybersecurity Predictions For 2019 (60?! Holy buckets, that’s a lot of predictions) by Forbes
- Experts Weigh In on the Top Cyber Security Predictions for 2019 by BlueFin
- McAfee Labs 2019 Threats Predictions Report by McAfee
- WatchGuard’s 2019 Security Predictions by WatchGuard
- Facing Forward: Cyber Security in 2019 and Beyond by FireEye
- Malwarebytes’ 2019 Security Predictions by Malwarebytes
- 8 Cybersecurity Predictions for 2019 by LogRhythm
- Here’s What to Expect in Cybersecurity in 2019 by TechCrunch
I broke down summaries of their predictions into a table for you to review:
Besides the fact that I flippin’ hate the word “cybersecurity” when used to refer to “information security,” all of these prediction articles are worth the read. The boldest predictions seem to be the ones from LogRhythm. I don’t think that there is a consensus, but maybe you see a pattern.
New Year’s Resolution
Let people who are better at stuff do the stuff that they’re better at, and help where I can.
Reason #4 – Focus on You
The last reason why I’m not writing predictions this year is because I think it can be distracting to some people. 2019 predictions are fine if you don’t let them distract you from your own information security goals and objectives. The best advice I can give you is to focus on your most significant risks— period. If you don’t know what your most significant risks are, then you have a problem that needs a solution ASAP. Information security is all about managing (and living with) risks (not eliminating them).
Here’s some logic to get you on your way:
- You can’t (effectively) secure what you don’t know you have. Make sense? This means that you must have an accounting of your assets if you have any hope of securing them well. Assets come in three primary flavors; hardware, software, and data. Some people add “intangible” assets like ideas and people too— your call. If you don’t have a solid asset inventory, get one ASAP.
- You can’t (effectively) secure the things that you can’t control. Controls come in all shapes and sizes. Start with things like access control and configuration/change control.
- You can’t (effectively) manage what you can’t measure. Implement measurements everywhere and use them to put things into context. At FRSecure and SecurityStudio we use the FISASCORE® for these things.
The point is to focus on you this year. I mean really focus on you. Don’t worry about the predictions but stay abreast of the newsworthy things that are happening. When you hear or read information security news, look for the ways it applies to your specific situation. Just don’t let these events distract you from the basics of an information security program. Master the things I listed above and THEN apply things to fit the latest trends and news.
New Year’s Resolution
Master the basics. Define “information security” and “risk” in your organization. Conduct a good information security risk assessment. Improve your asset management practices (don’t try to nail this out of the gate, and don’t forget cloud). Assess and improve access control. Assess and improve change management. Assess and improve configuration management.
There you have it! The four reasons I decided not to do InfoSec predictions this year and the New Year’s resolutions I set for myself that align with them. I implore you to consider these resolutions for yourself and your business as well. I truly believe they will help our information security much more significantly than a few predictions that may or may not apply to us.
To learn more ways you can help improve your information security programs in 2019 and beyond, visit frsecure.com.