Dec 12 2013

Annual Predictions: Stop, think, don’t!

Published by at 10:12 pm under Blogging, General, Humor, Security Advisories

One of my pet peeves ever since I started blogging has been the annual ritual of the vendor security predictions.  Marketing teams must think these are a great idea, because we see them again and again … ad nauseam.  Why not?  Reporters and bloggers like them because they make for an easy story that can simply be cut and pasted from the vendor’s press release, a fair number of people will read them and everyone gets more page views.  And there’s absolutely no downside to them, except for angry bloggers like me who rant in obscure corners of the internet about how stupid these lists are.  No one actually holds any of the authors to a standard or measures how accurate they were in any case.

Really, the amazingly stupid part of these annual lists is that they’re not predictive in the least.  With rare exceptions, the authors are looking at what they’ve seen happening in the last three months of the year and trying to draw some sort of causal line to what will happen next year.  The exceptions are either simply repeating the same drivel they reported the year before or writing wildly outrageous fantasies just to see if anyone is actually reading.  Actually, it’s the last category, the outrageous fantasy, that I find the most useful and probably the predictions most likely to come true in any meaningful way.

These predictions serve absolutely no purpose other than getting page views.  As my friend and coworker, Dave Lewis, pointed out, most of the predictions from the year 2000 could be reprinted today and no one would notice the difference.  We have a hard enough time dealing with the known vulnerabilities and system issues that we know are happening as a fact; many of the controls needed to combat the issues in predictions are either beyond our capabilities or controls we should already have in place but don’t.  So what does a prediction get the reader?  Nothing.  What does it get a vendor?  A few more page views … and a little less respect.

So, please, please, please, if your marketing or PR departments are asking you to write a Top 10 Security Predictions for 2014, say NO.  Sure, it’s easy to sit down for thirty minutes and BS your way through some predictions, but why?  Let someone else embarrass themselves with a list everyone knows is meaningless.  Spend the time focusing on one issue you’ve seen in the last year and how to overcome it.  Concentrate on one basic, core concept every security department should be working on and talk about that.  Write about almost anything other than security predictions for the coming year.  Because they’re utterly and completely worthless.

Remember: Stop, Think, Don’t!


3 Responses to “Annual Predictions: Stop, think, don’t!”

  1. Marc Ruef on 12 Dec 2013 at 11:44 pm


    I’m one of those guys who publishes an annual forecast for more than 4 years now. And I see your criticism and share it partially.

    In my case I am “measuring” my predictions by updating the old entries with whether the expectations were met or not. I’d say that about two thirds are matches. The others are usually too early (they come true 1-2 years later). Forecasting is one aspect. Hitting the right timeframe is another.

    I have to disagree that these lists are meaningless per se. Weak lists are, of course. But some strategic aspects might be quite interesting. For example, I expect the first media-wide outrage about Google Glass (perhaps predicted 1 year too early), more of our customers switching to virtual clients (VDI) and a stunning fight between XboxOne vs. PS4 😉


  2. […] interesting, but useless”. My conscience is at ease knowing that I am not the only one who thinks this way. Frankly, we could live quite comfortably without these annual security predictions that […]

  3. […] come out with their annual security predictions… I took some inspiration from these posts by Martin McKeay, Dave Lewis and Steve Ragan to come up with my own security […]
