“In this world nothing can be said to be certain except death and taxes,” said Benjamin Franklin, whose now-famous quotation still rings true today. Well, mostly true. As a security practitioner, I would add another certainty to that list: the flood of annual security predictions that returns without fail every year starting in October, if not sooner. This year has been no different, with many practitioners’, journalists’, and vendors’ 2020 security predictions already published and many more sure to follow soon.
One of the biggest reasons these annual security predictions are so reliably abundant and consistently popular is that they can be quite useful. Aside from serving as a great reminder to start (or continue) working on your security plan for next year, they also reinforce the importance of anticipating and accounting for any business, geopolitical, technological, or other variables that will or could impact your organization’s security posture in such a plan.
But given the seemingly clear consensus that long-term planning and strategic, multidisciplinary thinking are crucial in security, why do we so often only discuss these things in great depth at the end of each year?
The fiscal calendar is, understandably, an answer I commonly hear in response to this question. After all, budgetary allocation, product roadmaps, and revenue goals for most organizations are largely dictated by the fiscal calendar, so it makes sense that security planning and forecasting would be, too.
The challenge is—as most security practitioners would surely attest—that the cybercriminals, fraudsters, and other adversaries behind the threats we’ve been entrusted to combat can be highly opportunistic and erratic. In other words, they don’t exactly abide by our fiscal calendar. The same can be said for many of the variables that have been known to motivate these adversaries and catalyze these threats, ranging from geopolitically significant events and economic instability to new legislation, mergers and acquisitions, and even natural disasters, to name a few.
It’s crucial to recognize that annual security predictions generally only include that which can be feasibly predicted by the final months of the prior year. And in most cases, this means they are limited to potential security implications of known upcoming or ongoing events or issues.
Many 2020 security predictions, for example, focus on the next U.S. presidential election, the continuation of targeted ransomware attacks, and longstanding tensions between adversarial nations. But what these predictions don’t include are the data breaches that are sure to occur, the thousands of new software vulnerabilities that are sure to be identified, and the new fraud schemes that are sure to arise, as well as which organizations will be impacted, how, and when.
Though they tend to be largely unpredictable and not always possible to fully account for initially within an annual security plan, these and countless other lower-profile threats, incidents, and related variables are still certain to have considerable implications in the short- and long-term. And when they inevitably do occur, security teams at affected organizations must be prepared to quickly evaluate the resulting risks, apply mitigations, and ultimately, adjust their security plans and any future predictions or forecasts accordingly.
Above all else, it’s important to remember that the unpredictability of so many of the adversaries we face, the threats they pose, and the circumstances in which they operate means that our security plans must not only be strategic and comprehensive but also extremely agile and iterative in order to be truly effective.