Apparently it's not just me that's sceptical about the value of security crystal ball-gazing. Tim Wilson of Dark Reading takes us (the security industry) to task for being "subjective" and inconsistent in our predictions for the coming year.

Strangely, although he does quote an ESET blog (an observation of Randy's) in his selection of predictions he does consider insightful, he doesn't quote this one: http://www.eset.com/threat-center/blog/2009/12/30/top-ten-trite-security-predictions ;-)

But let's be serious about this for a moment. The media, if Dark Reading will forgive me including them under that label, are in a competitive business and want/need eye-catching news to make them stand out. (I not only understand that pressure, but as a blogger here and elsewhere, I'm often exposed to it.)

As a researcher, my natural inclination when asked to play the oracle is to say "Expect the unexpected (always), but here are a few things that I think are likely to happen." Which is the way I see our blog at http://www.eset.com/threat-center/blog/2009/12/14/que-sera-sera-%e2%80%93-a-buffet-of-predications-for-2010, the one that Tim did quote. The fact is, though, that safe prediction isn't eye-catching. The media would rather we come up with something really off-the-wall, and if we look really silly when it doesn't happen, that's a good story too. After all, being disliked is part of the security industry's job description. In some cases, we don't even like each other (http://www.virusbtn.com/virusbulletin/archive/2006/11/vb200611-OK).

In the real world, though, this is how it is:

  • We don't know everything that's happening at the moment: why would you expect us to know everything that'll happen next year? Of course, we can certainly hazard some guesses, and hopefully an honest researcher's guess will be worth something, but let's not expect miracles.
  • Some of us go out of our way to be as accurate and honest as we can in our professional lives: in general, we're a lot more comfortable trying to give an appropriate view of stuff we know about than we are talking about stuff we can't know (much) about.
  • It's actually perfectly possible for two predictions to contradict each other and still both be true, or at least contain elements of the truth. Some of Tim's objections to particular prophecies seem to be based on claims that X will be the top-ranking threat for 2010. Well, any researcher who gets pushed into that corner has my sympathy.
  • You might also bear in mind that sometimes we know more about certain issues than we can make public. Of course, that's easier to say than to prove, so feel free to assume I'm lying.

David ("I may be old, but my name isn't Moore") Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/