Leveraging Forecasting Techniques for Security

Would it surprise you to learn that forecasting can be a valuable tool for security practitioners? If you were to ask most security practitioners whether this was something they would consider for their programs, a good percentage of them would laugh in your face. That said, there is a solid argument to be made about why this capability is particularly valuable for security professionals and how there are benefits that come from following such a path.

It goes without saying that for any technologist, keeping pace with new developments — particularly changes in the technology landscape — is a key part of the job. In fact, if it’s true that the pace of change is increasing exponentially, keeping up with new developments is not only important now, but it will become more and more important as time goes by.

That said, it’s a practical reality that it’s easier for professionals in some technology disciplines to keep up with changes than others. For example, technology practitioners who directly support business teams are exposed almost constantly to developments in the space their business partners operate in; if there’s a new business application making the rounds, chances are they know about it. By contrast, in the security world, this process of keeping up can be particularly challenging. There are a few reasons for this. First, not only do security professionals need to keep abreast of new developments in their own space — such as learning about new security technologies, vulnerabilities and attack techniques — but they also need to be aware of new technologies being adopted by their business and technology peers.

As we all know, business teams — and often other technology peers — don’t always loop security into new initiatives right from their inception. This can happen either purposefully, such as if the team wants to avoid a potential delay, or accidentally, such as if they just don’t think through possible security ramifications. However, whether deliberate or otherwise, security professionals sometimes don’t find out a new technology is being used until they’re up to their waist in it.

Understanding the security properties of a technology involves more effort and time than understanding usage of that same technology. If you don’t believe it, think about a car. If you want to use it, you need to learn how to drive, right? But what if you want to determine how safe it is to operate instead? To do that, you need to know about driving just as much as the operator does, or at least understand enough about driving to tell the difference between safe and unsafe driving.

But there’s more you should know, as well. You need to understand factors such as how braking and steering systems operate, road conditions, safety features such as seat belts and airbags, tire pressure and the car’s service and maintenance history. In other words, answering the question, “Is it safe?” takes more research than answering the question, “How do I use it?”

The upshot is that security teams have more to do, and less time to do it in, to fulfill their mission. Follow that to its logical conclusion, and you’re met with two outcomes: Either the security team doesn’t complete its mission optimally, or it needs to develop a capability to learn about new technology developments before its technology peers so it can take appropriate action. Since nonoptimal performance is never an acceptable alternative, let’s examine what’s required for the second outcome.

Keeping Up

So, what can practitioners do to learn about new technologies proactively? How can they possibly know what is coming down the pike ahead of time? It’s not an easy proposition by any means, but fortunately, there are a few steps that can help.

First, security professionals can make it part of their “hygiene” to keep up with what’s happening in the broader world outside their organization. Just as they keep pace with things like patch alerts, IDS events and new vulnerabilities, they can also make it a priority to keep up with other technology developments. This can be as simple as networking with external peers by going to a networking or industry event (a conference or a local professional association’s chapter meetings) or just talking with peers in other firms about which new areas they’re dealing with. For the same reason that a birthday attack works, get enough people together who represent different firms, and it’s almost certain that someone in the crowd is currently struggling with the same technology issues you will wrestle with in six months.

Another avenue can include keeping tabs on the industry press to see which new and emerging areas are being covered. Granted, nobody has infinite time to read the news all day. However, even just a cursory read-through of headlines on a periodic basis can clue you in on new trends as they come to the forefront.

Looking Further at Forecasting

Aside from these most basic steps, though, there is an additional option the security team can explore that I alluded to at the beginning: forecasting, and specifically, building a forecasting capability within the security program. Now, a forecasting capability might sound fancy or pie-in-the-sky, but it’s actually approachable, pragmatic and practical. All it means is developing a systematic methodology to identify possible new technologies on the horizon and having a way to flag, for further analysis and review, the ones that are more likely to be of interest to the business and technical peer communities the security team supports.

Many analyst firms (e.g., Gartner, Forrester and Frost & Sullivan) publish annual predictions about which trends and technologies seem most promising; many advisory firms (e.g., Ernst & Young and PricewaterhouseCoopers) publish the trends customers find most interesting. A rudimentary forecasting capability might simply be a systematic mechanism or process to ensure those documents are reviewed by someone and the information is analyzed and recorded for broader dissemination.

One level of maturity beyond that might be to move beyond those sources and build your own way to identify and evaluate new technology developments. This might sound complicated, but there are some tools out there that help support this. For example, SciCast is an open, collaborative prediction market designed to forecast likely outcomes in science and technology. Since the platform is open to all and free to use, data about new and emerging areas can be gleaned if you ask it the right questions.

Though it may sound a bit out there, a forecasting capability can have a place in a robust security program.

Ed Moyle

Director, Emerging Business and Technology, ISACA

Ed Moyle is currently Director of Emerging Business and Technology for ISACA. Prior to joining ISACA, Ed was Senior Security Strategist with Savvis and a founding partner of the analyst firm Security Curve. In his 15+ years in information security, Ed has held numerous positions including: Senior Manager with CTG's global security practice, Vice President and Information Security Officer for Merrill Lynch Investment Managers, and Senior Security Analyst with Trintech. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst.