I don’t have much time to listen to Sports Radio anymore, but I used to love to listen to Mike & Mike on ESPN Radio. They had a segment called Predictions, Sure to Go Wrong which was clearly their way of having fun making predictions while making fun of themselves and admitting they really had a strong likelihood of being wrong. In that spirit, I offer these predictions for 2017.
- Ransomware will continue to explode and countermeasures will evolve.
- Phishing and social attacks will continue to be a common and easy attack vector.
- Vendors will continue to sell “Security in a Box” ™ despite the fact that this hasn’t worked for years. People will continue to buy “Security in a Box” ™ even though they know it doesn’t work well because they don’t have any other options.
- Technical debt will continue to grow and realizations about the scope of technical debt will explode.
- Security leaders will continue to be underfunded, not only because of the asymmetric nature of security but also because they will fail to own up to having planned for the wrong adversary for the last few years. Even substantial increases in budget (e.g. a 25% increase) will be a pittance compared to what is needed.
- Lots of household name companies will get hacked. Security will continue to be visible in the geopolitical sphere.
- Cloud providers – both at the platform and the security level – will continue to innovate and be able to provide some of the best security solutions available. They already provide identity, WAF, key management, logging and network controls; automated monitoring and platform-level predictive algorithms will advance and become more accessible to common users.
- Efforts to build warranties will fail. The idea of accountability for software vulnerabilities is well founded. It's just that software development is so complicated that a clear line of responsibility seems almost impossible to establish. In cases where it might be, software firms I know would never sign on because they can't control each and every developer to a level where they can absorb the inevitable breach.
- There will be active growth and consolidation in events, communities and vendors.
- There will be emerging certifications for developers around security.
- There will be broad training for people to get into security.
Companies will see the need for engineering work specific to security. Things like the following will be increasingly interesting:
- Authentication service
- Authorization service
- Managing secrets
- Security automation
- Application level signal for logs
- Frameworks for mobile infrastructure