Dec 12 2013
One of my pet peeves ever since I started blogging has been the annual ritual of the vendor security predictions. Marketing teams must think these are a great idea, because we see them again and again … ad nauseam. Why not? Reporters and bloggers like them because they make for an easy story that can simply be cut and pasted from the vendor’s press release, a fair number of people will read them, and everyone gets more page views. And there’s absolutely no downside to them, except for angry bloggers like me who rant in obscure corners of the internet about how stupid these lists are. No one actually holds any of the authors to a standard or measures how accurate they were in any case.
Really, the amazingly stupid part of these annual lists is that they’re not predictive in the least. With rare exceptions, the authors are looking at what they’ve seen happening in the last three months of the year and trying to draw some sort of causal line to what will happen next year. The exceptions are either simply repeating the same drivel they reported the year before or writing wildly outrageous fantasies just to see if anyone is actually reading. Actually, it’s the last category, the outrageous fantasy, that I find the most useful, and probably the predictions most likely to come true in any meaningful way.
These predictions serve absolutely no purpose other than getting page views. As my friend and coworker, Dave Lewis, pointed out, most of the predictions from the year 2000 could be reprinted today and no one would notice the difference. We have a hard enough time dealing with the vulnerabilities and system issues we know for a fact are happening; many of the controls needed to combat the issues in predictions are either beyond our capabilities or controls we should already have in place but don’t. So what does a prediction get the reader? Nothing. What does it get a vendor? A few more page views … and a little less respect.
So, please, please, please, if your marketing or PR departments are asking you to write a Top 10 Security Predictions for 2014, say NO. Sure, it’s easy to sit down for thirty minutes and BS your way through some predictions, but why? Let someone else embarrass themselves with a list everyone knows is meaningless. Spend the time focusing on one issue you’ve seen in the last year and how to overcome it. Concentrate on one basic, core concept every security department should be working on and talk about that. Write about almost anything other than security predictions for the coming year. Because they’re utterly and completely worthless.
Remember: Stop, Think, Don’t!