A look into my secret crystal ball: The security industry by 2025

Disclaimer: A personal comment by Peter Kleissner. Views are my own. These predictions come with absolutely no warranty. First published in the Czech Republic on 11/25/2015.

Foreword: I want to make predictions on what the IT security market will look like in 10 years. If anyone disagrees with my predictions or my assessments, or finds flaws in my logic, I invite them to counter me via mail to info@kleissner.org. My personal background is that I'm a programmer and entrepreneur. I started the IT security company Kleissner & Associates in 2013, which was acquired a few months ago. Previously I worked at an international bank and at an anti-virus company. I am also a frequent speaker at security conferences.

My predictions.


1. I believe that 10 years from now most security companies will not exist anymore - they will either die or get acquired.
The security market is pretty crowded; for each niche we have about ~30 different vendors. VirusTotal lists 54 vendors (though some share the same engines, so I suspect about 30-35 can be considered unique). There are plenty of firewall vendors. Plenty of "security product X" vendors.

Why do I believe this crowding is legitimate at the current point? Innovation.
Every year I see new companies rise with new products or new features in existing products. The companies, even if in the same niche, currently compete with different products and features - some are even complementary, for example in the threat intelligence market.
There are new ways to detect and remediate threats, be it exploit mitigation, a new way to detect virus communication, or some special JavaScript to detect banking fraud.

However, I believe the rate of innovation will start to slow down significantly in 3-5 years. Once that happens, companies will no longer compete by features.
They will compete by their market strength and go-to-market strategies.

Local companies (in the IT security service sector) always have their "local plus" over foreign companies, but for software and hardware products there is absolutely no justification for 30 different ones if they are "all the same".

1.2 That said, only companies with comprehensive solutions will make it. I know bigger companies are already annoyed by having to use 99 different services from 99 different companies.

1.3 You will need something unique (like Virus Tracker) to exist as a company in the future (for the reasons stated above); otherwise you are going to have tough times ahead of you.

2. I believe what's happening right now is the same as what happened in the late 90s. There's a race, and not everyone will make it. It is my understanding (even though I was too young at that time) that in the late 90s there were several companies in the same fields - take Amazon.com and Kozmoo.com as examples. Today, no one would bother to be the new Amazon or the new eBay.


3. Attacks in general are getting more targeted (that is happening already right now, but will evolve further). The headlines where we read "2 million botnet dismantled" will disappear (as a matter of fact, they are already much rarer than a few years ago). Instead we will have smaller but more effective botnets carrying out attacks. For example MultiBanker, which only targets German users and even checks whether you are a customer of one of the banks it "supports".

Gone are the times of huge botnets like Conficker, ZeroAccess and ZeuS Gameover.

4. In general everything (operating system, browser, hardware platform) is getting more secure, except the user. Therefore, we'll see more phishing and social engineering attacks.
Writing a rootkit, for example, is very difficult today; there are all kinds of mechanisms that harden the system against it (TPM, code signing in general, other 64-bit security features, ...). On the technical level we already see the drift away from hard-core rootkits and Trojans towards user-level malware that runs with the same privileges as the user.

5. The exploit market will grow. There will be more people making their living by selling exploits - not only in the "professional" market but also through bug bounty programs. The bigger share will be the one with the higher payouts, which is and will remain the professional exploit development/sale/resale market. Exploit kits will diversify to also deliver exploits to mobile and other devices. New features will include built-in remote access trojans and other simple bot functionality, which will make them even easier (and more attractive) to use. By 2025 exploit packs will be multi-purpose.


6. A bank or stock exchange will be under fire. I wonder why it hasn't happened more already, so my conclusion is that it has to happen at some point.
DDoS attacks are "dumb", but they can be very effective if you find the bottleneck, which is often on the application level. For example, if the bank's web server is reachable but the login is not working because someone is attacking the logon server (by exhausting the maximum number of available SSL sessions, for example), the attack is still successful. Attacks carried out on the application level will be on the rise.
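The symptom described above (the site answers, but one expensive endpoint such as the login handler is saturated) is visible in ordinary access logs. The following is an added example, not code from the original post or from any vendor: it parses constructed, simplified access-log lines (client IP, method, path, status, response time in milliseconds; an assumed format, not a real server's default) and flags an endpoint whose requests are failing or timing out while the rest of the site stays healthy, together with the sources responsible for most of that endpoint's traffic.

```python
"""Spot an application-layer DoS from access logs: the site as a whole
still answers, but one expensive endpoint (here /login) is failing.
The log lines and their format are constructed for this example."""
from collections import Counter, defaultdict
import re

# Constructed sample traffic: "<ip> <method> <path> <status> <response_ms>".
# /login is timing out behind a saturated logon server; everything else is fine.
SAMPLE_LOG = """\
203.0.113.10 GET /login 503 30012
203.0.113.10 GET /login 503 30004
203.0.113.11 GET /login 503 30009
203.0.113.12 GET /login 503 30001
203.0.113.10 GET /login 503 30021
198.51.100.7 GET /login 503 30008
198.51.100.7 GET / 200 41
198.51.100.8 GET /static/app.js 200 12
198.51.100.9 GET /accounts 200 88
198.51.100.9 GET / 200 37
203.0.113.11 GET /login 503 30003
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (\d+)$')


def parse(log_text):
    """Yield (ip, method, path, status, ms) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, method, path, status, ms = m.groups()
            yield ip, method, path, int(status), int(ms)


def analyse(log_text, fail_threshold=0.5, min_requests=5, timeout_ms=30000):
    """Return one finding per endpoint whose failure rate (5xx or response
    time at/over timeout_ms) reaches fail_threshold, noting whether the rest
    of the site is healthy (an application-level bottleneck rather than a
    site-wide outage) and which sources dominate the endpoint's traffic."""
    per_path = defaultdict(lambda: {"requests": 0, "failed": 0, "sources": Counter()})
    for ip, _method, path, status, ms in parse(log_text):
        stats = per_path[path]
        stats["requests"] += 1
        stats["sources"][ip] += 1
        if status >= 500 or ms >= timeout_ms:
            stats["failed"] += 1

    findings = []
    for path, s in per_path.items():
        if s["requests"] < min_requests:
            continue  # too little traffic to judge; avoids noise from rare paths
        rate = s["failed"] / s["requests"]
        if rate < fail_threshold:
            continue
        other_req = sum(v["requests"] for p, v in per_path.items() if p != path)
        other_fail = sum(v["failed"] for p, v in per_path.items() if p != path)
        rest_healthy = other_req > 0 and other_fail / other_req < fail_threshold
        findings.append({
            "path": path,
            "requests": s["requests"],
            "failure_rate": round(rate, 2),
            "rest_of_site_healthy": rest_healthy,
            "top_sources": s["sources"].most_common(3),
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

On the constructed sample, the only finding is /login with a 100% failure rate while the other paths are healthy, and 203.0.113.10 is its top source. The access log only shows the symptom; confirming that the cause is TLS session exhaustion on the logon tier means correlating this with handshake counters on the load balancer or terminator, and the three most active sources here are a starting point for rate limiting, not proof of who is behind the attack.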

7. There will be attacks on entire countries. The technical capability already exists today (take the Sality botnet with millions of infections, or the Chinese firewall, which was allegedly used for orchestrating attacks), but currently it is not popular (I think that is because right now there is nothing to gain unless you are a government).
By attacks on entire countries I mean: attacking national banks (see the previous point), the stock exchange, core ISPs or internet exchange points.
Most people think that future attacks mean someone will magically hack the power grid or some traffic systems, which I personally think is nonsense and definitely not the low-hanging fruit.

8. We will read more movie-like stories of hackers who work for governments (or intelligence services), some of whom might work for the government in exchange for their freedom after they were caught.

9. We will see a rise in propaganda through digital channels, again state-sponsored. Russia is currently pushing the hybrid war both on the non-digital field and the digital one.
I personally observe many comments in the comment sections of news sites (for example on SPIEGEL ONLINE) which are clearly paid Russian propaganda against Western beliefs.
Other countries will copy this digital psychological warfare, as it is effective in catching the dumb.

10. Big countries will realize that defense in IT security DOES NOT work by pushing out military threats. Attribution of attacks is the toughest part of the analysis, and therefore any threats of physical military intervention in response to digital attacks are ineffective. Once countries realize that, they will increase the budget for actual IT security.

11. Even though many people believe it, terrorist groups like IS or Al Qaeda will not be capable of carrying out any strong attacks on foreign IT infrastructure. First, I believe they will have a difficult time recruiting anyone with substantial skills, and second, there are big intelligence agencies just waiting to jump on anyone carrying out attacks in the name of such terrorist groups.
However, they will continue to abuse social media for their propaganda and recruitment.

12. The United Nations will address IT security and there will be a new global Convention on Cybercrime. Certain countries will, however, not ratify it due to their own geopolitical interests.

13. While there will not be laws forcing companies to implement "active" backdoors (which would force them to have an active "bug" or "agent" running on your device), there will be laws forcing companies to give governments on-site access to customer data if presented with a warrant. Such legislation will be the result of blind, short-sighted, propagandistic pseudo-activist politicians, and will eventually lead to global diplomatic disputes - as other countries start to enforce similar laws, which will ironically contradict the interests of the local national security.