2013 Prognostications

I skipped doing this for a few years but I’ll be back at it again. Most of these prognostications are based on the principles of computing as a utility, erosion of the professional information technology field, and risk acceptance as mitigation standard if it enhances corporate profit. I am intrigued by the “bring your own device” (BYOD) debate. Specifically, the position espoused by CIO/CSO types that they will “allow” BYOD if the corporation controls the device. Try and apply that to a car, my house, or even my clothes and we have a fight. Yet they will try and do the same with cell phones. That relegates BYOD to purchase a device for corporate use. Not going to happen. The position of information control ignores all the “day planners” and squishy brains with that information they don’t control. This is a set of prognostications and I could make a dozen of them that I know absolutely will come true but what fun is that? I’m moving away from the safe zone and looking at broader trends of maybe in the next year.

1. Information Technology professionals and pundits will continue to conflate Moores Law and human organizational time changes. We will see this is as continued stories talking about how fast technology moves forward and ignoring the fact the human brain isn’t getting substantially better. The more a CIO/CSO espouses this position of technology speed the more they are eroding their own position. This disconnect is a side-effect of the (l)user objectification of information technology consumers in corporations. The CIO/CSO talking this way is ignoring the human component. Blaming the human is a non-starter and if done also shows a complete lack of understanding the reality of an information job. You will be able to measure whether this is occurring as an ongoing change by the policy changes in corporations and the decreasing control of information technology professionals in how their infrastructure is utilized.
2. We can’t change, it costs too much to adapt, costs are to high, policy won’t allow that, regulatory controls are to stringent, and a string of other erroneous statements by information technology and information security professionals are creating a “change required” environment. Since most of the former excuses are subject to a two or three-year refresh cycle they can easily be discounted if organizational will is in place (along with leadership). Most regulatory controls for the vast majority of businesses are voluntary. Upon this clay we build a return on investment for information technology practices. Expect continued diminution of the Chief Information Officers and Chief Information Security Officer through the two best metrics possible. Measure who they report to and how much control over their budgets they have.
3. Bring Your Own Device (BYOD) is going to continue to move forward regardless of the contrarian arguments. The argument to keep this from happening is that it will dramatically impact security posture of organizations and be impossible to accredit or certify. The argument for rolling out BYOD is that it will save organizations money and increase productivity. So, you have an argument that is part of a cost center and another argument that will increase profitability. All other arguments being similar this is a foregone conclusion. The number of organizations that implement BYOD over the next year easily measures this. I think we’ll end up with a dress code type implementation of BYOD where we tell you what you need to wear (use) in only the most general terms. Obey the laundry and washing instructions and you’ll be fine. If not? You’ll have to buy a new pair of pants or an iPhone.
4. Risk assessment in corporations is evolving faster than regulatory controls. I first noticed a few comments by risk assessment practitioners stating that Taleb’s discussion was pedantic. This was a far cry from when he was considered a god of risk thinking. This is a symptom of maturation of the topic versus celebrity. It bodes well for risk assessment practices and the “Thomas Friedmaning” of Nicholas Taleb. I expect risk assessment to move further into the mainstream with CFOs requiring assessments for information technology acquisitions. One way of measuring this is if the NIST based federal risk management frameworks start getting a big push back as poorly conceived. I saw some of this in how people reacted to the DHS risk framework required by the draft executive order. I expect that even PCI and other compliance frameworks will start to see user push back as inadequate to poorly instantiated.
5. There have historically been many stories looking at the relative external versus internal costs of a breach in corporate security (given a healthy company to start with). The external costs (impacts against share price, customer loyalty, and such) are relatively neutral to positive. That’s right. If you have a breach within a few quarters all lost profits will be made up and relatively a corporation may be above previous expected share prices. Internal costs of a breach for incident handling and such can be extremely high (though some say they are falling). We can off-hand discount most information security professionals opinions about lost productivity, fines, law suits, impacts against lost intellectual property, and regulatory costs. Why? Most corporate boards are more worried about year to year earning potential and quarterly stock prices. The key euphemism for this kind of thinking currently in vogue is “assumption of breach”. In such a world the paradigm changes and measuring this new way of thinking entails watching the stories and professional articles proposing or discounting it. An interesting point on this is every story discounting assumption of breach actually supports the concept as valid. Expect lots of stories and policy shifts toward assumption of breach on non-critical systems. Watch how this is used to “go around” breach notification laws.
6. Computer forensics will become more automated and stagnant. Using the telecommunications world as a model I see two trends starting to be exposed. Take the case of a warrant request for records of cell phone tower use or other administrative data. The law enforcement agency requests the data and it is turned over in a spreadsheet or other agreed upon format. The provenance of the data is nearly impossible to prove or disprove. To be succinct such information is not forensically sound. This is not much different from how electricity bills or water bills might be used as evidence to support a search warrant for marijuana grow operations. I expect the cloud and other forms of distributed computing to result in less forensics and mere acceptance of corporate provided data to become the norm. This is a social cultural trend outside the principles or science of forensics. The second part of this is that de facto acceptance of computer provided information in court rooms (already well on its way) will result in attacks against those systems as a form of anti-forensics (already also occurring). Expect more of the same into 2013 and the future. Measure this by how many schools and certificate companies move from “computer forensics” to “incident handling” in their language.

These are just a few of the trends I see rising in 2013. Agree or disagree I don’t expect more information technology professionals will like what they see. I remember the post 2000 fall off in information technology careers and also the late 1980s when lots of people jumped into computing and there was a huge downturn in PC sales. I see this as part of the future paradigm but I’m not calling it yet for 2013. I will mention that the Defense Science Board found that they feel there is no issue in Department of Defense finding enough science, technology, engineering and mathematics type people. All those stories of shortfalls in information technology are likely going to be shown as false.