Froud on Fraud – Cybersecurity Predictions for 2020

In 2016 I predicted that:

  1. Identity Management will begin to replace single-factor authentication;
  2. Identity Management will be decentralised onto consumer mobile devices;
  3. HOW you pay will become increasingly irrelevant;
  4. Value-Add Services and Customer Service will be the only differentiator;
  5. Loyalty Programs will begin to centralise;

Even 3 years later only 1 of these things is becoming [slightly] true (#1).

In 2017 I predicted that:

  1. ISO 27001 certification will be increasingly important;
  2. Biometrics vendors will keep pushing their wares, and fail;
  3. Amazon GO will be the new model for brick & mortar;
  4. Containerised Security Services [will mature]; and
  5. Automated Governance, Risk & Compliance [will exist]

2 years later, again, only 1 of these is remotely true (#2).

In 2018 I was smart enough not to expose my complete ineptitude, but here I am again in 2019 laying it on the line. However, this time with a slight difference; I’m predicting the things that are NOT going to change!

Basically this is my last chance of the year to 1) bitch about the things I’ve spent all year bitching about, and 2) up my blog session stats to something that’s not totally embarrassing.

Prediction 1: Senior Leadership will continue to not give a f&$# about security – This one is so obvious it’s basically cheating, and represents the single biggest obstacle to a decent security program. On the one hand they have to [be seen to] care or no one below them will, but on the other hand, why should they actually care, when only those with a vested interest are going to? However, 99% of organisations who are breached deserve it, and in 99% of those cases it’s the CEO’s fault. Maybe the impending class-action suits related to personal data loss/misuse will have the necessary impact;

Prediction 2: 99% of security spend will be reactionary, and not planned – In most organisations, security spend is a line in the IT budget. IT over-inflates its requirements, the BoD knocks them down, and no one gets what they want/need. This is not entirely the BoD’s fault; many security teams have absolutely no idea how to speak the right language, or how to enumerate good security’s many organisation-wide benefits. The result is that anything outside of the established budget becomes a stand-alone project with little to no long-term benefit;

Prediction 3: Security vendors will continue to sell you what you ask for, not what you need – This has been a recurring topic [pet peeve] in my blogs for years; if you’re not an expert in something yourself, you won’t know the right questions to ask to get what you really need. The experts are supposed to help you with that, but 99.99% of salespeople are not experts, so they’ll sell you what you ask for. Or worse, they’ll sell you everything they can get you to buy. If this happens to you it’s your fault; asking the right questions is your responsibility;

Prediction 4: Buzz-words, hype, and FUD will continue to drive the market – Another pet peeve of mine (I have many), and something the security vendors wouldn’t get away with if we only did our homework properly. From the utterly disgusting lies of those touting artificial intelligence, to the use of new acronyms to describe ages-old basics, providing real value is a very distant second to making profit. Fall for this nonsense and I have little sympathy;

Prediction 5: The PCI DSS v4.0 will drive yet another land-grab for your security budgets – Providing PCI consulting services has become so price-compressed that ANY change in the DSS is seen as an opportunity to raise prices. The fact is that regardless of how many changes the SSC comes up with, if you were doing security appropriately, the impact would be minimal. A good QSA company would have provided this guidance years ago. If they did and you ignored them, they should charge you more; if they didn’t, replace them, as they are doing you no favours.

I have always compared working in the security industry to working in the insurance industry; you really don’t want to spend money on security / insurance, you just know you have to. This means that any budget is provided minimally, grudgingly, and with next to no organisational context or long-term benefit.

The net result is there is little impetus for the industry to change. As long as organisations look for a ‘silver bullet’ to make the security problems go away, security vendors will dribble all over themselves trying to come up with one. Marketing departments get bigger budgets than R&D.

Well, that was a totally negative blog, and just in time for the Holidays! Let’s hope I’m completely wrong again this year. 🙂

I hope that you and your families have a very Merry Christmas, and I look forward to whinging at you in 2020!


If you think I'm wrong, please tell me why!
