Every year around Christmas-time an assortment of industry pundits fill the pages of trade magazines and populate their blogs with their predictions for the upcoming year. Although the practical value of this form of rudimentary forecasting is not clear, it became common practice for infosec industry analysts and thought-leaders.
Indulging in year-end foretelling is risky to the amateur futurologists and of limited value to their audience. Since it only takes about a year to contrast last years predictions with reality, the braver foretellers may find their reputation ruined if they predicted radically new developments or if they stated their prophecies in uncompromising uncorrectably clear terms. On the other hand, less outrageous, unclear or hardly verifiable predictions will have little practical impact on their audiences actions. The forecasting ability required to predict a short-term future as a slightly modified version of the present isnt that great.
To the CISOs and CSOs the year-end predictions of December 2009 for 2010 will be essentially of tactical nature and may just be useful to consider marginal changes in the distribution and prioritisation of resources in their already prepared plans for the upcoming year.
In this context, a futures talk about the evolution of Information Security Risk within a one-year horizon is futile. I posit that the overall aspect of the information security risk landscape and its measurement is not likely to change substantially in one to three years notwithstanding the Basel II Accordand its implications to infosecurity in Operational Risk Managementand despite the multiple regulatory frameworks applicable.
A more promising approach to information security futurology may come from science fiction writers, professional science and technology futurologists witharguablyless concern about the developments of a specific industry or their ranking in the pundit reputation scale than for the artistic and commercial value of the output of their creative process.
A few weeks ago, I was pondering about this when a friend pointed me to the keynote presentation delivered by science fiction author Charles Stross at the LOGIN 2009 conference last May. As an avid reader of science fiction I immediately recognised many of the underlying constructs of his published works but I was amazed by his precise mapping of those ideas to a possible landscape for the gaming industry by 2030.
Reading of the presentation instantly triggered an attempt to understand the implications of such a possible future to the information security risk management practice.
What may 2030 look like to the CISO or to the information security practitioner? What will be the prevalent form of Information Security Risk Management?
Although I cant provide definitive answers I do feel confident enough to share some thoughts and predictions knowing that it is unlikely that Ill be made accountable for them in 20 years. While the exercise has little immediate pragmatic value it may be useful to foster longer term strategic thinking about the infosecurity community, the market and the evolution of threats and risk.
Sign up for MIS Asia eNewsletters.