CSOinformer - Security wisdom ahead of the curve

Predictions for 2004 & grading 2003

December 23, 2003 - Jim Reavis

It is that time of the year when I pull out my tea leaves, crystal ball and dartboard in order to provide you with guidance for the upcoming year. Before we do that, it is only fair that we look back at our predictions from a year ago. Overall, I am pretty satisfied with their accuracy and might be just one more year away from my own psychic 900 number.

2003 Review

Dec 2002 Prediction: Cost of Viruses Decreased in 2002 - I predict that Computer Economics will issue a press release in 2003 saying that the business cost of viruses has fallen for the second year in a row. This number, which was $17.1B in 2000 and $13.2B in 2001, will be $11B in 2002… Will this decreasing trend continue in 2003? It only takes one extremely well-written, imaginative virus that preys upon people's current mentality to change an entire year. My guess is that we will see one of those in 2003, which will stop the decreasing cost trend…

Actual: "Computer Economics estimates that the total costs related to cleaning viruses from infected systems, lost productivity and restoring damaged files reached $10.7 billion in 2002." (quoted by MailWatch) With MS Blaster, SoBig, et al., it is safe to assume the decreasing trend ended as well.

Grade: A+, bow down before me!

Dec 2002 Prediction: Automated Patch Management - We will see an uptake in this in 2003, although the bigger growth will occur in succeeding years. The big driver will be the breaking down of the corporate philosophy of proprietary, standardized desktop images that change infrequently. The rapid introduction of new vulnerabilities is forcing a more pragmatic philosophy to maintain desktop machines according to standards recommended by the vendors.

Actual: 2003 could well have been the Year of Automated Patch Management (in fact Information Security Magazine's December 2003 issue made a statement very similar to this). In the wake of hard-hitting viruses, patch management companies recorded exponential increases in sales. Patch management was featured heavily in industry magazines, and Microsoft's CSO Scott Charney spent virtually all his time on this topic at industry conferences.

Grade: A, we have another winner!

Dec 2002 Prediction: Internet Infrastructure Attacks - I expect that we will see 1 or 2 significant attacks on the infrastructure of the Internet that will have origins in the US, Middle East & terrorism conflicts.

Actual: Unless it were to be proven that the August 2003 blackout had a malevolent cyber origin, I missed this one. I am still surprised that this didn't happen in a year where the US fought a war and faced much global opposition. This prediction that wasn't brings home the point that hackers today primarily have an economic agenda or are kids that have no agenda at all.

Grade: F, back to school on this one.

Dec 2002 Prediction: Identity Management's "Killer App" - The problem with solutions like PKI and meta directories is that they first came at us with the big picture, and not the "killer app". Self Service Password Resetting looks like a killer app to me.

Actual: Identity Management got big press and growth for the major companies. Self-service password reset was consistently mentioned as a significant ROI sell, but some other benefits were also cited with regularity. Oblix has received much notice for awards and customer wins, and Netegrity has had above average stock appreciation.

Grade: B-, ok, could have been more specific.

Dec 2002 Prediction: MSSPs will have a good year in 2003. This is their year to grow. There is enough maturity in product offerings and corporate planning to outsource at a greater level than before. Also, it is still too small of a market for global service providers to aggressively target. What are the metrics of a good year? I would say 20% revenue growth for quality MSSPs.

Actual: Managed Security Service Providers grew strongly in 2003, even exceeding my 20% growth prediction. In addition, MSSPs received the most venture funding of any security sector in 2003. MSSPs, who seemed to be on the brink of oblivion in early 2002, were ahead of their time. However, not all MSSPs were successful and a rising tide did not lift all boats. (More on MSSPs in the Investor News section)

Grade: B, that'll do, Jim.

Dec 2002 Prediction: IDS - By the end of 2003, I believe that the market will clearly recognize that Host-based IDS provides a better method for Intrusion Prevention than Network-based IDS. NIDS is not going away, but will evolve to provide "bigger picture" threat recognition that will prove complementary to Host IDS, AntiVirus and other security components. All significant NIDS products on the market will have some behavior-based attack recognition.

Actual: I think I was out ahead on this one, but we are seeing incremental moves that validate this prediction. Host intrusion prevention was a bigger M&A play, with Cisco and NAI both making big acquisitions (NAI also acquired IntruVert, a network-based intrusion prevention company). In November, Cisco announced the Network Admission Control initiative (NAC), a big picture approach not unlike my initial prediction.

Grade: C, no Nostradamus here.

Cumulative Grade: B, not enough for the honor roll, but good enough to keep me out of detention and graduate on to the 2004 predictions.

2004 Predictions

Cell phone hijinx - I think the "sexiest" security-related news story we will see in 2004 will be related to cell phones. The security in trendy cell phones that take pictures and do all sorts of fun things is so appalling that some very embarrassing and public hacks will occur in 2004 that will catalyze the industry to do something. It's hard to say exactly what and when the attacks will be, but they will be memorable. The possibilities for remote attacks are scary, from creating 900 number billing scams, wide-scale denial of service attacks, and theft of service via cell phone zombies, down to remotely activating a phone to take pictures in your bedroom.

Internet Infrastructure Attacks - I am going to try this one again. Given the fact that the August 2003 blackouts are believed to have originated with a software failure at FirstEnergy Corp, the vulnerabilities of our critical infrastructure to cyber attacks are as apparent as ever and I believe someone is planning to exploit them.

Major SB 1386 Casualty - In 2004 a company governed by the California Senate Bill 1386 mandating breach notification will have a major security incident exposing customer information, with Arthur Andersen-type consequences. Ah-nold will be powerless to help this company, which will be changed from top to bottom via acquisition, major restructuring or by going out of business. Despite this ugly event, SB 1386 will march on and businesses will have to get used to it.

Microsoft's security moves - Microsoft will make a few acquisitions and product announcements in the security space in 2004. My crystal ball says they will try to acquire a certificate authority as well as someone in the AAA space (Authentication, Authorization and Access Control), potentially an Identity Management company. This will allow MS to provide a more simplified and turnkey set of business web services in .NET and will further strengthen their digital rights management strategy.

SSL VPNs - The use of SSL-based VPNs to provide access to proprietary corporate applications via the ubiquitous web browser will prove to be so popular that by the end of 2004 this will cease to exist as an independent market as traditional networking and firewall/VPN companies build this into their offerings. However, the granular provisioning required to manage application access will drive the need for a nascent outsourcing market for credentials management and access control, which will grow further in 2005.

CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.

CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.


© COPYRIGHT 2002/03 REAVIS CONSULTING GROUP. ALL RIGHTS RESERVED.