Predictable Surprises

It’s hard for me to believe that I’m sitting down at my keyboard thinking about the 2018 Security Predictions report that we’re hitting “publish” on today. It seems like just moments ago that I was working with the team on where we thought 2017 was going. For me – and I expect for you too - the year has gone by in a flash, largely because of just how busy it’s been.

Even though I firmly believe that the way to see into the future is to know the past (something that we, as an industry, don’t tend to be very good at, but that’s another post entirely – you ignore history at your peril!), today I’m going to focus entirely on the future, and where I think we’re going.

To that end, I rifled through the report and picked out a few of my favorite predictions. Only when I was done writing this did I realize that they share a common theme: they all are directly or tangentially related to privacy. Given the work I’ve been doing over the last few months, I suppose I should not be surprised. In fact, I’d call that outcome a “predictable surprise,” an expression I am shamelessly stealing from a longtime friend and colleague (hello, Ronda!).

As Ronda would say it, a predictable surprise occurs when we behave as if we were startled by something, when in actuality it was obviously going to happen. While I know that it’s easy to construct a story showing how obvious certain outcomes are after the fact, there really are such things as predictable surprises in security – and I think there’s two predictions in this year’s report that fit this category: the rise in SSL, and the inevitability of GDPR.

The ticking clock of GDPR

I’ll start with what’s got to be the most predictable surprise in 2018: GDPR will land, and there’s going to be companies that aren’t ready. Although we’ve observed considerable discussion around compliance as the clock ticks down, we’re going to transition into an implementation phase. It’s not smart to procrastinate as we plan, and then be caught up in a huge (and messy) rush to implement – potentially at a pace that is too fast for comfort. The panic coming is a very predictable surprise; the smart CISO would do well to make sure they are ahead of this particular curve, working backward from where the technology controls have to be in place and operational. If the requirements from your legal team haven’t hit your desk yet, it’s already too late.

I’ll take a webpage, please, with a side order of SSL

Another thing we must plan for are the implications of ubiquitous encryption. While encryption sounds like a good thing, it’s very much a double-edged sword, as encryption hides the content to everyone, good guy and bad guy alike. Thus, as more of the web runs over SSL, the need to carry out traffic inspection is going to collide with both workload (examining an encrypted stream is much harder than an unencrypted one) and privacy. My connection to my bank is encrypted precisely because I don’t want anyone peering into those particular packets, thank you very much.

And an extra helping of privacy

One of our most interesting – but riskiest – predictions for 2018: the “privacy wars,” AKA when privacy becomes a top-of-mind issue for ordinary folks. Why risky? Not because I don’t believe it’s going to happen (I’m convinced it will), but because timing the change is hard. Maybe 2018, maybe a little later, but it is going to happen.

One of the big triggers is, of course, the highly-publicized MOAB (Mother of All Breaches), Equifax. Here, the question is not whether it was egregious or not, or even the amount of people impacted – it’s the fact that suddenly who holds data on you is personal because it impacts your day-to-day life. Essentially, it moves the discussion from the abstract to the concrete. That, coupled with GDPR, is going to drive a lot of discussion and, sadly, much of that conversation will be based upon gross oversimplification of the issues. Privacy is a highly-nuanced topic, and so cannot be meaningfully explored in 30-second soundbites. We run the risk of doing as much harm as good trying to “fix” the perceived tension between privacy and security, and I’m hoping that in this case, forewarned is forearmed. We need to have a real conversation about all things privacy, but should not just react to the environment. Instead we must shape it. 

For the rest of our predictions, I hope that you download the report and read it. Moreover, I sincerely hope you enjoy rolling some of these ideas around in your head as much as the team enjoyed putting them together, and that these predictions help you make plans to be ready for what 2018 will bring. Oh, on that note, one closing bonus prediction not in our report: I bet we missed something important. I guess now I’m going to worry about what that was.