In last week’s Incite I looked backwards at 2015. As we close out this year (this will be the last Incite in 2015), let me take a look forward at what’s in store for 2016.

Basically I don’t have any clue.

I could lie to you and say I’ve got it all figured out, but I don’t. I fly by the seat of my pants pretty much every day of my life. And any time I think I have things figured out, I get a reminder (usually pretty harsh) that I don’t know squat. One thing I’m comfortable predicting is that things will be changing. Because they always do. Some years the change is very significant, like in 2015. Other years less so. But all the same, change is constant in my world.

We’re going to do some different things at Securosis next year. We are very pleased with how we have focused our research toward cloud security, and plan to double down on that in 2016. We’ll roll out some new offerings, though I’m not exactly sure when or what they’ll be. We have a ton of ideas, and now we have to figure out which of them make the most sense, because we have more ideas than time or resources. Rich, Adrian, and I will get together in January and make those decisions – and it will involve beer.

Personally, I’ll continue my path of growth because well, growth. That includes trying new things, traveling to new places, and making new friends. I’m not going to set any goals besides that I want to wake up every morning, maintain my physical health, and continue my meditation and spiritual practices. My kids are at an age where they need my presence and guidance, even though they will likely not listen, because teenagers know everything. Which basically means I’ll also need to be there to pick them up when they screw things up (and they will), and try not to say “I told you so” too many times.

I’ll also tell my story of transformation through the year. I’m not ready to do that yet, but I will because it’s an interesting story and I think it will resonate with some of you. It also ensures that I will remember as time marches on. I spent some time earlier in the year reading through old Incites and it was a great reminder of my journey.

Overall I’m very excited about 2016 and continuing to live with a view toward potential and not limitations. I’m focused on making sure those I love know they are special every single day. I’m committed to being happy where I am, grateful for how I got here, and excited for what is to come. I’ll ring in the New Year in a tropical paradise, and play the rest by ear.

All of us at Securosis are grateful for your support, and we wish you a healthy and happy 2016.
Photo credit: “looking forward to” from Elizabeth M

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.

  1. Good deed for the holidays: You too can help make software security better! OWASP, the Open Web Application Security Project, is developing a new set of secure coding guidelines for software developers. This document will be a great aid to developers who want to get up to speed on secure coding. It offers a succinct set of code examples – in most of the widely used programming languages – which address the top ten security coding flaws. And what developer doesn’t love easy-to-understand code examples? But wait, there’s more! This effort is truly open, so you get to participate in building the guidelines: the document I referenced is open for public comments and direct editing! So if you think the document is missing something, or there are better examples to be offered, or you think something is wrong, you can improve it. Do a good deed for the holidays and contribute. – AL
  2. Happy Holidays. Let’s make some crap up… It’s the holiday season. So obviously we will be subjected to everyone’s predictions of what’s in store for 2016. As you can tell from our last FireStarter of the year, we don’t buy into predictions. But the IDC folks don’t have any issue making things up. Their cousins at NetworkWorld (both have the same corporate parent IDG) have some bait posted about an upcoming IDC predictions webcast, and one of their predictions is that by 2020 data breaches will affect 25% of the world’s population. What does that even mean? How could you tell if it’s right? And who cares anyway? How will that prediction do anything to change what you are doing on a daily basis? Right, it won’t, because odds are you have already been affected by a data breach. So this is the worst kind of prediction. It can’t be proven or disproven, and it’s not relevant to your daily activity. Bravo IDC. I hope the others are a little better, but I won’t know, because I have better stuff to do than listen to nonsense. – MR
  3. Black Friday, Cyber Monday, and Liability Tuesday: As I have been out and about a lot this month, showing relatives around Arizona, my credit cards have gotten a lot of use. Restaurants, gift shops, museums, pet stores, big box retail, national parks, and even a place called “The Hippie Emporium” (don’t ask). And you know what I have seen? Apart from Target, not a single merchant had adopted EMV. EMV-ready PoS devices are in place, but the EMV functionality is not operational. Got that? All that hype about merchant liability and almost zero adoption. A couple of weeks back Branden Williams asked (paraphrasing) whether sucky and slow EMV chip readers will cause people to stay home and shop at Amazon or other online retailers. To which I respond ‘No’: they are not in wide enough use to have a detrimental effect. Amazon is getting a ton of new traffic this year, and I hear so are Etsy and even the ecommerce sites of traditional brick-and-mortar stores. It’s not because of EMV readers – it’s just getting easier to shop online, and more people are comfortable with it. But it does mean we are going to see the effects of the liability shift soon – ‘tis the season for credit card scams and fraud, and we will see some merchants get hammered. – AL
  4. Step by step malvertising: I enjoy blow-by-blow descriptions of recent attacks, so thanks to the Malwarebytes folks, who posted a detailed analysis of a recent malvertising campaign targeting Xfinity. What’s interesting is how this attack combines malvertising, an exploit kit, phishing (to collect personal data), and then a tech support scam. Now that’s leverage. Of course there are clues it’s a scam, including a different domain for the first linked site. Malwarebytes also posted a set of indicators so you can be ready for this kind of attack if your employees or family tend to click. – MR