Spoiler alert: of course, the guy won’t do that.
How many times has the end of the world been predicted? Wikipedia has a reasonable estimate.
Look at these two predictions:
"There is not the slightest indication that nuclear energy will ever be obtainable. It would mean that the atom would have to be shattered at will." —Albert Einstein, 1932.
"Spam will be a thing of the past in two years' time." —Bill Gates, 2004.
Everybody is attracted to predictions. As humans, we are hardwired to seek information in an attempt to cope with uncertainty. Some people, for instance, consume astrology trying to foresee their future, either to anticipate bad outcomes or to feel relieved about good ones. Others rely on "spiritual gurus," believing they possess an "eye" into the future. In business, the story is similar, but without the esoteric halo. Many organizations and specialized news agencies publish their trends or predictions for almost every sector of the economy for the upcoming (or starting) year. Do a simple Google search for trends: technology, fashion, business, human resources, innovation, and more. There are many predictions.
Nevertheless, there are several issues with predictions. The previous quotes show how badly these predictions turned out. Nuclear energy has been a reality for decades, and spam is still around causing problems. Cybersecurity gets its share of "trends publicity" year after year.
We looked at some of these predictions for 2020, those easily reachable online, and tried a simple classification. In the following lines, we share the first part of our comments on this exercise. We found that some trends are no trends at all; others reach a level of consensus; and finally, we found some isolated predictions insightful. Here we focus on the dubious trends.
Fear will drive cybersecurity spending
We don’t know about you, but the moment we read that subtitle presented as a cybersecurity trend, we were a bit shocked. If that is true, we wonder what other factors the writers think have driven spending in previous years. Fear has always been a driver of behavior. In cybersecurity, we can’t deny it plays a significant role, naturally. That’s not new, and it’s not a trend. Furthermore, the figure used to support this claim ("76% of organizations plan to increase their cybersecurity budget") does not imply fear alone, but an array of reasons. We think the most plausible is that some cybersecurity investments pay off.
Elsewhere, we found this "trend": "Information security technology remains important." Who said security technology would decline? Where’s the evidence? If almost everything now is a piece of software, who dares to say that security technology would become useless? Security technology evolves like any other technology. We were shocked to read this, since it implies there was a claim in the other direction, yet the writers offer nothing from which this trend could be stated. Maybe the trend is that organizations will renew their security technology at a faster pace?
"A Growing Awareness of the Importance of Cybersecurity." No shit! As in the "fear" trend, this one points to the expected growth of cybersecurity spending. In principle, it sounds plausible. But one should ask: who is "aware" here? Organizations as a whole? Their top management? Their employees? It might be the case that precisely because of the lack of awareness, organizations are spending more on cybersecurity. In other words, the behaviors that contribute to security do not seem to support the claim of higher consciousness.
The premise pointing to higher awareness could be used in precisely the opposite direction, so this trend is very unclear. A few people also consider "awareness training" a trend, based on more training being demanded by companies. Again, this probably shows that awareness is not growing, so organizations are investing in this training, expecting to raise it. Cybersecurity spending is not a reliable indicator of awareness as a whole. One last thought: does awareness translate into behavior? Scientific studies have found this is hardly true in plenty of circumstances (see, for example, Sheeran & Webb, 2016, on the intention-action gap; a specific case in cybersecurity is discussed by Bada et al., 2019). Be mindful of the goals your company pursues when considering an investment in cybersecurity awareness training.
To conclude, a final exotic example: "Security is integrating with data science." Current buzzwords are also pervasive in these publications. What the f*ck do they mean by "integrating with data science"? Maybe the wording is not appropriate. The writers of this trend probably wanted to say this instead: data science (applied statistics, given the availability of programming and processing power) is being used more in cybersecurity, and that’s undeniable. Data science is being used increasingly in all sectors of the economy to deliver more value. However, if we take this sentence literally, it is hard to understand what it means. We didn’t find any clarity in the source either.
As these examples show, we shouldn’t take trends for granted; we should analyze these predictions critically. Vagueness and lack of precision populate these claims.
One fundamental issue with most forecasts
We believe the trends we mentioned are, on average, published in good faith. Nevertheless, most of them, if not all, will carry no consequences for inaccuracy; there’s no accountability for the authors. That’s an essential insight explaining why there are so many forecasters out there. In essence, there’s no clear incentive or punishment tied to the outcomes of predictions. When forecasters are confronted about inaccuracy, rationalizations kick in. Moreover, most people just forget about forecasters. Do you remember a very bad forecaster? Maybe not, if you also had no skin in the game regarding those forecasts.
Continuous hacking shows a higher value
We have never gotten into making forecasts about cybersecurity. This exercise taught us to be mindful when considering any sort of prediction in our field, should one attract us. We must have clear evidence of the value of any trend under consideration. In an upcoming post, we will address some trends we found appealing and better supported. We will also return to the skin-in-the-game issue, among others arising from scientific scrutiny of forecasting and prediction.
We recently launched our "State of Attacks" 2020 Report. Click here to read it. Among our results from working with customers, you will find one key takeaway worth noting now, in line with this post: continuous hacking delivers more value. If that is so, we can expect it to keep growing. We have evidence that customers who continuously test the robustness of their software and IT infrastructure find more weaknesses and achieve a higher rate of fixes.
We hope you have enjoyed this post, and we look forward to hearing from you. Do get in touch with us!
Bada, M., Sasse, A. M., & Nurse, J. R. C. (2019). Cyber security awareness campaigns: Why do they fail to change behaviour? arXiv preprint arXiv:1901.02672.
Sheeran, P., & Webb, T. L. (2016). The intention-behavior gap. Social and Personality Psychology Compass, 10(9), 503-518.