Random security predictions for 2013

Lots of malware and industry activity, but continuing intransigence in Washington.

Author(s): Jon Oltsik

Published: January 15, 2013

It’s January 15, which means I probably should have posted a blog on my security predictions for 2013. Here is a somewhat random list of things I believe will happen this year:

  1. Visible increase in hacktivism. Hacktivists have a lot to build upon in 2013, including the tragic death of Aaron Swartz, some notable 2012 successes by Anonymous (e.g., OpVendetta), the trial of PFC Bradley Manning, etc. There is also a growing trend toward global hacktivism against domestic organizations and the U.S. government. I expect at least one major hacktivism incident per month this year.
  2. Continued cybersecurity waffling on Capitol Hill. It took the financial sword of Damocles to get Democrats and Republicans to compromise on legislation to avoid falling off the fiscal cliff at the eleventh hour. Regrettably, cybersecurity legislation lacks a similar trigger. Given the volume of cybersecurity breaches, we should hear a lot of rhetoric from both parties but Washington has bigger fish to fry and legislators aren’t anxious for geeky debates about things they don’t understand. The wild card is a major cybersecurity incident. If this happens, expect lots of finger pointing and a reactive bill that serves as the cybersecurity equivalent of the USA Patriot Act. In short, we can expect inaction or bad action from Washington and nothing more.
  3. A mobile malware whopper. Mobile malware increased more than 1,000% in 2012. Volume will continue to increase but mobile malware will make it to the front page of the Wall Street Journal this year for another reason. I believe we will see a really sophisticated and damaging mobile malware variant in 2013 that will scare the heck out of the security research community. Think of the mobile malware equivalent of Conficker. It may be something that is limited to a single mobile operating system like Android or Windows 8, or it may coordinate with PC-based malware in some type of distributed object-oriented malware architecture.  Few people take mobile malware seriously but this attitude will radically change before we ring in 2014.
  4. A rapid enterprise security transition. Okay, this one will take a few years to accomplish but 2013 will still be a tipping point. Get a few drinks into most CISOs and they will tell you how vulnerable their organization is to a cyber attack. This will be the year that they can no longer maintain this poorly kept secret. Expect CISOs to deliver bad and worse news to CEOs. The bad news is that they are completely under prepared and way behind. The worse news is that they need to invest in a new integrated data-driven (dare I say big data?) security infrastructure immediately. The cybersecurity emperor has no clothes and we have no time to debate about his wardrobe. 
  5. A boom year for security services. As CISOs rapidly design and build a real enterprise security architecture, they will realize that they don’t have the skills or staff needed for present day security requirements—let alone future strategy and deployment.  Managed and professional security services to the rescue! Great news for the security eggheads at Accenture, CSC, HP, IBM, Lockheed-Martin, and Unisys.

These last two trends are bound to lead to a lot of M&A activity as large security players such as Check Point, Cisco, McAfee, Symantec, and Trend Micro fill in product gaps, create enterprise security software architectures, and add services capabilities. Smaller hot security vendors like Cyber-Ark, FireEye, Invincea, LogRhythm, and Palo Alto Networks could be scooped up by Memorial Day.

As I mentioned above, the one wild card in 2013 is a major cybersecurity attack. Something that really gets people’s attention—a gas pipeline explosion, an interruption of a financial market, an attack on a power grid, etc. If this happens (and it could) the whole cybersecurity arena will take on a very different identity. 


Post a Comment
  • Leave this field empty
Please Enter Correct Verification Number

*All views and opinions expressed in ESG blog posts are intended to be those of the post's author and do not necessarily reflect the views of Enterprise Strategy Group, Inc., or its clients. ESG bloggers do not and will not engage in any form of paid-for blogging. Click to see our complete Disclosure Policy.



Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s information security service. With over 25 years of technology industry experience, Jon is widely recognized as an expert in all aspects of information security and is often called upon to help customers understand a CISO's perspective and strategies. Recently, Jon has been an active participant with cybersecurity issues, legislation, and technology within the U.S. federal government.

Full Biography


Enter your email address, and click subscribe