Why more security predictions and how can you benefit?

Jan 13, 2016 | 13 mins
Data and Information Security, Data Breach, Security


Americans love baseball, hotdogs, apple pie and predictions.

In fact, if we really like something a lot, and especially if we have a growing interest in some new area of life, it’s not long before we start thinking about what the future holds within that area.

And the United States is not alone. All around the world, billions of people enjoy offering personal opinions, educated guesses and/or listening to expert commentary on what they think will happen next in topics ranging from sports scores to “must buy” stocks to political winners (and losers) to religious arguments to climate change.  

Predictions now seem to be almost as popular as New Year’s resolutions. There were many hot topics that got plenty of predictions over the recent holidays, including the ongoing battles against terrorists, college football bowl games and NFL playoff scores and even where the nation is going next with guns. Of course, since 2016 is an election year, there was plenty of discussion on who will win the primary elections in Iowa and New Hampshire in February.

But in case you think only experts share their viewpoints, look around you.

Over the recent holidays, one only needed to flip through a few cable channels to hear analysis on how current events would impact the coming year. From influential prognosticators to the man on the street who had traveled to New York to see the ball drop on New Year’s Eve, everyone seemed to be ready to offer their views on what 2016 will bring us.

And now…, more people care about…, (drumroll please…), CYBERSECURITY!

Ok, go ahead and laugh. I know this seems like a big stretch, but it is true.


Actually, what people all over the world really do care much more about are topics like: identity theft, data breaches, owners of Ashley Madison accounts, personal and professional emails getting hacked, our reliable utilities potentially not working at home, hackers stealing money from bank accounts, biometric data being lost to foreigners, cars that have their brakes turned off by hackers, baby monitors that are used to send (unwanted) messages from bad guys on the other side of the world, hospitals that lose personal health records, and much, much, more.    

Yes, with the surging growth in cyberspace, WiFi, apps, robots, drones, new technologies, virtual worlds, global games, terrorists with social media accounts, the Internet of Things (IoT) and nation-state hacking, online data security has become the Achilles’ heel of the Internet. A growing number of people want to know about new apps available for their smartphones and their data in the cloud – along with the upcoming security implications.

More outlooks than ever – but not everyone likes cybersecurity predictions

I have been monitoring (and participating in) the security prediction market for more than a decade, and there is no doubt the breadth and depth of security predictions continue to grow.


Near the end of the year, almost every security blogger feels compelled to offer their coming year predictions. Large (and even midsized) security and technology companies dedicate extensive resources to packaging and marketing their predictions. Meanwhile, most startup company executives offer their crystal ball forecasts to try and get more media attention.

For reference, I chronicled a large number of recent security industry and media cybersecurity predictions into this summary blog: The Top 16 Security Predictions for 2016.

But not everyone is happy about (or eagerly participates in) this annual holiday prediction-fest. Some security industry thought-leaders think cybersecurity predictions are getting out of hand and this “new normal” is basically a waste of time and resources. For example, check out this Computerworld article from last week entitled: Hocus-pocus! The stupidity of cybersecurity predictions.

Ira Winkler writes:

“Why do these trite and useless lists proliferate? The media shares much of the blame. Columnists have to write stories, even during those end-of-year holidays when little in the way of actual tech news is being generated. Meanwhile, vendors’ PR people scramble to get their executives to come up with something, package the crap they come up with, and pitch it to any publication they can think of.

But little of it would get published if readers weren’t fascinated by predictions. Whatever readers click on, we will be given more of. Apparently, people just like to read lists.”

No doubt, it is easy to be sympathetic when reading Winkler’s “Bah Humbug” attack on our industry’s fascination with annual security predictions. I certainly agree that keeping score of the best predictors makes sense, and who can argue against the reality that many of the same predictions keep showing up?

And yes, some of these predicted security events have already happened, although we need to keep in mind that the “thought leaders” who make some of these predictions often forecast that smaller incidents will happen on a broader scale. (For example, power outages caused by hacking that affect a few houses are certainly different from an entire region losing power from hacking.)

I encourage you to read the “Hocus-pocus” article to gain a grasp of Winkler’s disapproval of security predictions. Nevertheless, I’m about to pour a little gasoline on this fire. Winkler’s analysis on security predictions misses several larger, and much more important, points. It also fails to show where this trend is going and why you should care.

Yes – I believe more security predictions can be a good thing, if you know why this trend is happening and how to benefit from the research, analysis and insights from others.

Why more security predictions?

1) I think this security prediction trend both reflects and affects society. It is a sign of the growth, maturity and future prospects of the cybersecurity industry as a whole.

More cyber predictions are a sign that many more people in professional technology fields, as well as non-technical readers and end users, are interested in the suite of topics I listed above. They care more about cybersecurity, data breaches, technology and the growing Internet of Things (IoT) market – even if they don’t use those words.

How does this trend reflect society? Winkler is right that readers are fascinated by predictions.

Advice: Go with it, whether you like it or not. The security industry did not invent this global train that predicts the future, and we are far from the lead engine. In fact, we are closer to the caboose, but get on board the train before it leaves the station. People have been making predictions for thousands of years, and it ain’t going away anytime soon.  

This trend also affects society in that security budgets, government legislation, company priorities and more are impacted by societal opinions. Better security can result if the majority is well-informed about risks and security trends and demands action on the privacy of data.  

2) Online and offline life are merging as never before. With technology affecting more areas of life and crossing multiple domains, security predictions are bleeding into other areas of interest, and other areas of interest are bleeding into security. For example, national defense now includes the cyber domain, along with air, water, sea, sky and land. Therefore, defense predictions will include cyber components. Other areas, like transportation and healthcare, are similarly affected.

But are security predictions really “Hocus-pocus?” My daughter Katherine, who is an elementary education major in college, brought up an interesting point when discussing this topic. She said that the scientific method begins and ends with hypothesis. Even children learn by making educated guesses, even if the guess is wrong. Teachers encourage predictions in all subject areas as the students must understand a topic to be able to predict what is next.

But what about “dumb predictions” by the masses? How about unqualified ideas that just waste our time? Don’t we need better quality predictions from a select few? Answer: no. We all can learn this way.

Besides, the experts are not always right, as we know from practical experience: sporting upsets that no expert predicts, or huge snowstorms that hit despite meteorologists’ predictions that say it won’t happen.

There are certainly times when we need a child to say, “The emperor has no clothes!”

Action item: Ask your children what they think will happen if certain data is not protected in the coming year.

3) More people, companies, media outlets and others are trying to define themselves as your “trusted adviser” within security. They want to be recognized as the top experts.

This requires that we dig deeper into the best sources – look beyond specific dates to trends, analysis and signals to watch out for. Of course, as consumers of predictions, we need to make educated decisions about who offers the best advice, insights, trends and predictions. We should hold experts accountable.

Just as those who do a good job of predicting economic trends and stock and bond prices are listened to closely the next year, I expect a closer look at who is making what security predictions in the coming years.

Each December, I read through hundreds of security predictions lists from a variety of sources that contain thousands of predictions. I can say without hesitation that I learn a tremendous amount each year by going through these predictions. Most of the major vendors have excellent reports and data that back up their predictions. If available, look at the detail behind the predictions.

For example, Trend Micro allows you to zoom down into more detail behind their simple one-line predictions like the one that Winkler criticized. Here’s an excerpt of what’s said related to one prediction: “A customer-grade smart device failure will be lethal.”

2015 saw incidents that involved hacked or insecure devices, ranging from baby monitors, smart TVs, and connected cars. Even as users have increasingly become aware of the security risks of connecting appliances and devices to the Internet, the public interest in smartifying just about everything will continue to peak.

Smart-connected home device shipments are projected to grow at a compound annual rate of 67% in the next five years, and are expected to hit almost 2 billion units shipped in 2019—faster than the growth of smartphones and tablet devices. Given the diversity of operating systems and lack of regulation for these smart devices, there remains to be no signs of a possibility of a large-scale hacking attack. WiFi and Bluetooth networks, however, will become polluted and clogged as devices fight for connections. This will, in turn, push mission-critical tasks to suffer.

However, the likelihood that a failure in consumer-grade smart devices will result in physical harm is greater. As more drones encroach on public air space for various missions, more devices are used for healthcare-related services, and more home and business appliances rely on an Internet connection to operate, the more likely we will see an incident involving a device malfunction, a hack, or a misuse that will trigger conversation on creating regulations on device production and usage.

How can you benefit from security predictions?

1) Gain industry knowledge, understand overall trends and expand your horizons beyond one stovepipe or topic. Security predictions help you understand industry trends and help you grow in your knowledge – if you do your homework and read the supporting research that usually comes from major vendors.

Remember that the actual date the event happens is less important than trends, patterns and even repetition of an item. Sure, these people or vendors are predicting that it will happen in 2016. It could certainly be 2017 or 2018. But the trend is still valid – especially if many top vendors predict the same thing.

Meanwhile, we reward those who make unique predictions that no one else thought of if they come true. So don’t always penalize bad predictions, since no one is perfect.

2) Use the free advice, direction, insights and annual reports provided by many.

Are some of these predictions just marketing? Sure. But a lot of it is very good analysis of where we have been and where we are going.

And this has been going on for years. Gartner, Forrester and many other services typically charge for the advice and predictions that many top vendors give away for free in their annual prediction reports. I am not saying you should not use those services for expert advice, if you like what they offer, but understand that there is value in many of these free annual reports from companies like FireEye, Symantec, McAfee, Websense, Sophos and others.

3) Use predictions as an opportunity to educate others. Get the word out on cybersecurity – whether that is to your company, your family or your community group. Are you bringing problems or solutions? We claim we want to educate end users on cybersecurity, so educate!

Or, why not offer your own predictions? Join the party, after you do your homework.

Here’s an area where I think we can all agree. Even if you think most annual security predictions are lemons, turn them into lemonade! Make the most out of the situation.

I often get asked questions about dramatic security predictions that friends and family hear on TV. The questions come up in unexpected places – like church or at extended family events. Usually, someone has heard some prediction like, “A Cyber Pearl Harbor is coming!” They want to talk about it with a person they know and trust.

When such situations occur, we can either dismiss the comment and walk away, or offer an appropriate, kind response in whatever way we think is best. We have a choice to make at that moment. Hopefully we have the time to be wise, helpful and informative. Even if you disagree with the prediction, offer some examples of what you think will happen.

Final Thoughts

Here’s a new prediction for you: Even more security predictions next December 2016 (about 2017). Some predictions will be good, some not so good. Some general, some very specific. Some irrelevant. Some (who knows what).

And guess what? Not all the industry thought leaders will be right, and not all of the wannabe novices will be wrong with their predictions.

But isn’t that the truth about most areas of life? The Internet is giving us more voices, and we need to learn who we really trust and turn to. Who will we listen to moving forward?

Bottom line, the more the security and technology industries grow, the more predictions we will have. From the Internet of Things, to new technologies to robots to self-driving cars, do you really think we will be talking about security and privacy less in 2020? I don’t.  

Predictions are not new, and they are not going away. In fact, they are just getting started.

Congratulations security industry, and welcome to center ring in this three-ring circus. Yes, it is a very big circus, but that’s where all the action is.


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
