Shostack + Friends Blog Archive


The New School of Security Predictions

Bill Brenner started it with “Stop them before they predict again!”:

My inbox has been getting hammered with 2012 vendor security predictions since Halloween. They all pretty much state the obvious:

  • Mobile malware is gonna be a big deal
  • Social networking will continue to be riddled with security holes
  • Technologies A, B and C will be dead
  • Microsoft will release a lot of security patches
  • Data security breaches will continue to get more expensive

Looking at the predictions I got this time last year for 2011, I found that any of them could be repackaged as 2012 predictions and nobody would know the difference. Here are some examples from the Zscaler Labs Research Team…

Jack Daniel followed up with “The Pandering Pentagram of Prognostication”:

The five points of the pentagram represent the key elements of “good” predictions, get them all and your prediction will land in the center of the pentagram, assuring a center brain shot to your victim. I mean reader. Whatever.

The five elements are outlined below, miss even one and your prediction may be off target and you will fail to hit your target.

  • Your prediction must be self-serving.
  • Your prediction must suck up to your customers, prospects, or others whose favor you are trying to win…

I’ll respond with a prediction that 90% of 2012 infosec predictions will contain no numbers and no dates. If someone selects a group of 10 or more predictors (say, bloggers in SBN, or 2011 BlackHat speakers with blogs) and proves me wrong, I’ll donate $100 to a charity of your

Both Bill and Jack are helping the community by pointing out the “best practices in predictions” so that people can recognize them for the self-serving (ad-serving) linkbait that most of them are.

To get something positive out of this, I encourage everyone to ask anyone who sends you predictions about the lack of underlying data.

One comment on "The New School of Security Predictions"

  • LonerVamp says:

    Or…any predictions, any at all, that are not expected by 90% of our industry. I don’t consider obvious statements worthy of being called interesting predictions.

    I would also think anyone who makes predictions should go over them the next year.
