Enterprise technology is characterised by uncertainty over crucial aspects such as the speed of development, the rate of adoption and the scale of its impact on business. Differing perspectives and expectations mean that people tend, as ‘Amara’s law’ states, to ‘overestimate the effect of a technology in the short run and underestimate the effects in the long run’. In a quest for some semblance of certainty in this environment, those deemed authoritative sources of insight have a disproportionate influence over popular opinion. Nowhere is this truer than for industry analysts, whose predictions and future-gazing judgements are instantly taken as gospel. Yet this can be dangerous – while analysts undoubtedly have access to and oversight of leading industry opinion, their predictions are by no means certain to come true. Indeed, there is plenty of evidence to suggest that analysts themselves often fall into the trap of Amara’s law. In the security industry this can be problematic: decisions that give undue weight to analysts’ views could lead enterprises to misallocate funds – or worse – prioritise the wrong areas and leave themselves exposed to vulnerabilities.
This blog examines four specific predictions made in IDC’s Security Predictions 2019 and offers an assessment of the validity of each. The fundamental message is that readers should not be too quick to accept the insight they receive from analysts, and should instead apply critical thought to arrive at their own, informed conclusions.
Intro: Introduce the reader to the important role that analysts play in the industry as aggregators of trends, based on their interactions with a range of customers. Discuss the dangers of the industry’s obsession with ‘future-gazing’ on technology trends, and make specific reference to why this can be a serious issue in enterprise security. State the importance of critically assessing every opinion or forecast you encounter about the industry’s future.
Introduce the purpose of this blog – to assess four specific predictions made by IDC and critically appraise their likelihood. The predictions relate to:
- Key & access management
- Vendor consolidation
- Security automation
- Threat lifecycle services
‘By 2021, demand for key management as a service will rise by 20%, with an emphasis on native encryption services from public cloud providers.’
Key management is an important concept. In enterprise security, you have to assume that breaches will happen. The important thing is not only seeking to prevent a breach, but making sure the systems are in place to address it once it has occurred. When a breach occurs, there is often confusion about who holds which keys, who has access to what, and who is responsible for what. Proper key management – and hence demand for key management as a service – is therefore essential.
Likelihood: Highly likely
‘In 2019, there are roughly 1,400 companies offering cybersecurity services or products of significance; by 2023, the number of cybersecurity companies will drop by nearly 40% from 2019.’
The essence of this prediction is that customers will converge on a smaller number of ‘best-of-breed’ vendors, forcing the industry towards consolidation. The issue with this prediction is that the analysts themselves have a role in driving the trend: through rankings such as Gartner’s Magic Quadrant, certain vendors come to be preferred over others, even if that is not the quadrant’s stated purpose. This can have the effect of marginalising vendors that are not rated highly by analysts.
Likelihood: Likely, but at least partly caused by the analysts
‘By 2021, fully 50% of legitimate security alerts will have an automated response, untouched by human analysts.’
Security automation is unlikely to take off as quickly as people think. People like to believe that full automation is close and that their jobs will become much easier. In reality, the level of technology required for alert response to be handled seamlessly and securely in a fully automated way is still a long way off. It is hard enough for human analysts to do it well, so artificial intelligence will need to be much further advanced before it can assume this role.
‘90% of managed security services customers will adopt threat life-cycle services by 2024, rising from 50% in 2019.’
Threat lifecycle management is a framework for detecting and responding to security threats. While the framework is interesting, the problem is that security methodologies are based on ‘old’ ways of working. Software development, driven by methodologies such as agile, has now reached a point where fast deployment is a given. Trying to introduce security steps like pen-testing into this slows the process down. It is hard to automate security steps within the standard software development lifecycle, so the only way to make sure they are included is to train developers in those security steps. The necessary change is therefore the people element, rather than the technology solutions that analysts are emphasising.
Likelihood: Potentially greater use of lifecycle methodology, but not in the way, or for the reasons, that analysts think
Conclusion: Conclude that businesses need to think twice before taking analyst predictions at face value. Predictions need critical assessment before they are allowed to influence business decision-making. Focus on what is really important to your business and allocate funding on that basis.