![\"2020](\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2019\/11\/img-cybersecurity-300x300.jpg\")
<\/p>\n<\/p>\n
It doesn\u2019t take a wily prediction to see that the cycles of tech procurement and planning are increasingly compressed. In enterprise IT, the two largest forces at play are business changes and technology changes. These two major forces are somewhat independent; a lot of tech change happened during the last economic downturn, and in fact the best predictions during that period involved using tech to navigate the downturn. So watching and understanding both large forces matter.<\/p>\n
Security predictions however have both those large forces (business and tech), and the added third large force of The Threat. It\u2019s a common misconception that security predictions are only about threat. Security predictions need to watch tech trends because security doesn\u2019t exist in a vacuum: Security is applied to technology and if tech changes, so too must security. How the business will change is a unique lens for security: remote workforces, new payment methods, cloud adoption, open banking standards, and new regulations are examples of how business changes drove security in new directions. And the third major force of threat trends is the special territory of security and is linked to the other two forces.<\/p>\n
Security predictions aren\u2019t just headline fodder. Successful enterprise security leaders do look to the future \u2013 as they must. But, they are highly skeptical of the majority of security predictions, because most of the predictions are weak. Leaders latch onto those few meaningful predictions as rudders for moving their security organizations forward.<\/p>\n
So what makes for a good security prediction? Here\u2019s the characteristics:<\/p>\n
Near-Term But Not Long Term<\/strong><\/p>\n Predictions of security in the far future are fun but not useful. The slice of time for utility in security predictions has a near term wall of about 6 months \u2013 this is the reality of procurement actions, and of how long it takes to move the tiller to meaningful change.<\/p>\n A next-day prediction is also cool, but it is either a tactical observation or not something that action can be taken based on. And the far wall I believe is 12-24 months. Anything longer term is likely jetpacks and flying cars given how much can change in business, tech or the threat. I can\u2019t recall a meaningful recent prediction that wasn\u2019t within this 6-24 months window.<\/p>\n Likelihood and Geography<\/strong><\/p>\n No prediction is a sure thing, otherwise it is a fact. How likely is it that the prediction will occur? Even a prediction with a very low likelihood is useful, intimating that the event is unlikely to occur and therefore action likely need not be taken, or at least not in great proportion. The weakest predictions are those that are so watered down in specifics because of weak analysis combined with doubt. \u201cA Bad Thing Will Happen Next Year\u201d is never wrong, and never helpful.<\/p>\n Geography is helpful. Not all threats, business trends or tech adoptions are global, or at least not proportioned equally across the globe. Some great security predictions have watched trends develop in one region and extended the analysis to assess whether the trend would or wouldn\u2019t expand to other regions.<\/p>\n Actionable Is Everything<\/strong><\/p>\n Information is only useful if it can be acted upon. The timeliness window mentioned above touches on the keystone of security predictions: actionability. In addition to being within that golden time window, a prediction must have give rise to something that can be done, something concrete. A great number of bad predictions are concerning threat trends. Changes in some aspect of the threat landscape that don\u2019t actually give rise to some action you can take are pointless commentary. One long running security predictions joke is \u201cNext Year Will Be the Year of PKI\u201d and the prediction is repeated every year.<\/p>\n Beware The Self-Serving Prediction<\/strong><\/p>\n \u201cThe threat our product counters will increase 1000-fold.\u201d Hmmm. Vendor predictions should not be automatically accepted or discounted any more than other predictions; however, there is an added onus on vendor predictions to explain what they base the prediction on. Predictions from vendors must show their work. But, if it is not explained carefully or is too generic it should be filed under \u201cmarketing\u201d rather than \u201cprediction.\u201d As some vendors have large threat research teams and very large numbers of customers, predictions based on that unique data can be highly useful, sometimes more useful than predictions from disinterested third parties who don\u2019t have that pool of data to base it upon. Predictions made in that kind of vacuum of data or deployment reality are usually quickly dismissed by enterprises who live in that reality daily.<\/p>\n