I don't recall doing any sort of predictions for the coming year before, so I thought I might try it this year. Of course, far be it from me to deliver the line straight, so if you detect a wee bit of snark, then you might want to adjust your sarcasm meters, because I'm going for the gold here. :)
Without further ado...
Millions will die. As happens every year, tens of millions of global citizens will die next year (Source: Wikipedia: World Population). Cause of death will vary, of course, from disease to natural causes to natural disasters and sheer violence. Death is one of the truisms that cannot be escaped. The mainstream media, politicians, and various special interest groups will nonetheless leverage FUD-filled death-related arguments to promote their various flawed agendas. Infosec professionals and analysts will begin to see the utility in such arguments and begin tying all online risks to death statistics. The success of security programs everywhere will increase dramatically as people flee the horror of the 2010 e-pandemic du jour.
Lawyers and politicians will win. They usually do. Of course, some will also lose, what with it being an election year and almost every case having legal representation on both sides. More importantly, though, it seems likely that we will continue to see growth in regulations, particularly over financial services, and possibly for health care as well. I'm actually rather convinced that 2010 will be known as "the year of the infosec lawyer" as the legal field rushes to embrace this arena. Of course, this also supports my case for legal defensibility (how conveeeeeenient).
American consumers will lose. As if the myth of privacy isn't enough to depress people, or the outright misrepresentation of policies by key corporations like Facebook enough to make you hurl, it seems we're likely to continue seeing vast erosion of rights, especially in the U.S. Because, as Google's Schmidt says, only evil people have anything to hide (I guess that means 100% full disclosure from Google on all things, right? I mean, their motto is "do no evil," right? right?). It's almost as if nobody in Congress cares about what might be good for constituents, as is evidenced by the rancid and rancorous health care debate.
Signature-based "security" products will be less signature-based. Continuing the trend of conceding that blacklists and whitelists have marginal utility, especially when scaling, vendors will continue to blame customers for product shortcomings while moving to a combination of cloud-based signature sets and more intelligent analytics. Certain vendors will continue to make broad claims about the inherent security of their platforms, regardless of the reality that millions of lines of code will absolutely contain exploitable errors. Consumers will continue to pay a steep price as attacks focus more on cross-platform applications, such as Acrobat Reader (PDF) and Flash, as well as web applications.
Organizations will bemoan regulations. While aggressively resisting investment in improved security architecture, awareness, and practices, organizations will continue to bemoan regulations requiring them to make those investments. Ironically, through those forced investments organizations will actually begin to carry a lower information risk load, with an overall positive benefit. Unfortunately, due to a lack of quality metrics, nobody will notice, except Verizon Business (via their data breach investigation report) and WhiteHat Security (via their quarterly webappsec report). OK, so a few people will notice, but it will undoubtedly be the wrong people, who will then fall into arguments about statistical methods.
The security industry will keep trying to reach a consensus... on something... anything... please. Standards will continue to emerge as the number of opinions about security follows a fractal growth pattern. The DHS' threat of 1000 new "cybersecurity" professionals will further dilute the pool of ideas as retiring AF colonels make their play for jobs or budgets. Several quality initiatives will continue to obscure the market and eliminate any hope of common sense, such as the promotion of various "risk" frameworks like FAIR, Risk IT (ISACA), ISO 31000, and so on, etc, etc, ad nauseam. In the end, checklists will continue to abound while politicians make ham-fisted attempts at writing really awful legislation that insults everyone in the industry while solving no problems and creating dozens of new problems. In the end, the only real consensus achieved will be that people in the industry will continue to have job security for the foreseeable future.
I'm sure I could say more, but... well, anyway... as 2012 approaches, I'm sure I'll have something more useful to contribute. Until then, here's to hoping that everybody has a happy holiday season, regardless of (dis)belief system. I'll be posting more between now and the end of the year, but not with any urgency.
BTW, keep an eye out for book news in the coming weeks. :)