In this season of expert predictions and analysis, I will try something different and stick to a few topics and trends that are high buzz and assess them objectively. In this information age, it’s important to know what you should pay attention to and what is merely a passing phase. Noise and “risk chaff” can distract us and take valuable time from our primary missions. Prioritization of risk intelligence focus has never been more important, and a good resolution for professionals in 2024 should be to get better at prioritizing threat and risk characterization.
High Profile Cyber Attacks in 2023
2023 ushered in another year of high-profile cyber-attacks, including attacks on massive casinos in Las Vegas. This led to the “hair on fire” spending spree that usually follows, without regard to the etiology of the vulnerabilities or where security investment should actually be made. All the major cyber technology firms lick their chops when these things happen, as they know the herds will react by paying top dollar for enterprise cyber security systems that may or may not address the vulnerability that victimized them. Nonetheless, large companies will go into CYA mode and overspend to create an optic of vigilance and prevention against the next attack.
The majority of cyber-attacks in 2023 were enabled by human vulnerabilities and not by a lack of technology. In some cases, companies, especially SMEs, failed to have basic protections for systems and infrastructure, but this is the exception. This points to a long-standing and prevalent problem of siloed security programs and profiles that is not isolated to 2023. Human and physical weaknesses are a much greater risk and create the cyber and infosec vulnerabilities that are most readily defended against. Cyber-attacks are impacting hundreds of companies across the globe without headlines and remain a potent threat. However, we need to look beyond the knee-jerk reaction headlines and realize that the threats are not new or even a trend.
Discussion About Inflation and the Economy in 2023
It’s true, even our organization was caught up in the narratives heading into and throughout 2023 about the economy, recession, inflation, and even possible depression. These headlines and economic pundits all reported different angles and analyses, creating mass confusion in markets and different interpretations of the impact on security and risk. The predictions ranged from complete societal failure to actual decreases in threat vectors due to improved economic health. There was not a consistent message to be found and, in the end, the economy never experienced a “hard landing”, and the predictions are carrying over into 2024.
Looking past all of this, the truth can be found in the metrics. Many types of crime have increased and 2023 experienced record economically motivated crimes such as car theft and retail theft. Violent extremist organizations recruited well and took 2023 to organize and prepare for future operations. Homelessness has been at high levels in most major cities. Public law enforcement suffered recruiting and budget failures and created security vacuums filled by the private sector. More private security guards were attacked or murdered doing their jobs and retail shops around the country had to close due to rising theft and risks involved in operations.
Given this, I don’t care what the economic pundits are saying about our economy and whether we will have a recession or a bull market. We need to focus on what is right in front of our faces. The security industry is facing unprecedented challenges domestically, and this is not even considering geopolitical risk factors. 2024 will be another year of struggle, consolidation, and heightened risk for security and risk professionals as they attempt to protect assets and their clients.
School Security Consultant Bleating and Public Bureaucracy
School risks and vulnerabilities continued in 2023 with more shootings, drug use, suicide, and gang membership. This has led to the same boring prescriptions coming from the usual suspects in the school safety and security industrial complex. I call it that because it has become a self-licking ice cream cone that has long since stopped being effective and serves only to protect itself and not students. The same experts and consultants shouting from the rooftops have been consulting for many years, and the vulnerabilities have not changed.
At some point these “trusted” consultants should be seen for what they are and have enough introspection to know that their approaches are neither valid nor effective. A comprehensive review of school safety and security threats and vulnerabilities would show more of the same hot air and “policy” driven security and risk plans. The school administrators and leadership are just as guilty for not accepting this truth and continuing to hire and propagate these proven consulting failures because they are “safe” bets. The definition of insanity is at play here, and I don’t see it changing anytime soon. Innovation has risk, but it is necessary to change the status quo. The sooner government and decision makers realize this, the sooner we can rid ourselves of “old school” relics and make meaningful impacts on school security and risk exposure.
The Use of the Word AI by Nearly Every Vendor When Describing Products
Artificial Intelligence was probably the most prevalent buzzword in 2023 across industries, and security was no different. Every security and risk vendor began to use the term and attach it to their marketing regimen. I would estimate that more than 95% of all security vendors are not actually utilizing or even developing true AI. This has made it more difficult for those looking for AI solutions to find actual value through all the noise and has become a significant time waster. Some companies have decided to invest millions of dollars in AI development with no clear plan or strategy for return on investment. This will contribute to the bankruptcy of many companies.
In 2024, I invite all security and risk professionals across market segments to insulate yourselves from the hype and buzzwords revolving around AI. There are a handful of valuable solutions out there (including Alpha Recon’s), but even the existing solutions are still developing and will take time to demonstrate value. Invest in AI with a trusted technology partner, resist the temptation to build it yourself, and temper expectations. Remember that the first mainstream large language models are less than 10 years old; there are many factors to consider when tapping into the capabilities afforded by AI. 2024 will be a fun year of innovation and we will no doubt be surprised by what we achieve, but AI tools and development must be part of a comprehensive security risk management strategy.
Things I Care About
Lack of Cohesiveness and Constant Negative Content from Security & Risk Professionals
I don’t know if it’s just me, but the negativity and flame throwing from competing risk and security consultants seemed to peak in 2023. There has always been friendly competition, but the consolidation of security markets and advances in technology have stimulated some dark debates and mudslinging. Whether it is constant frontal attacks on companies that fail in their security, heated debates on social media platforms about who has the most experience, or directed insults at competitors, it was a dark year. The security industry has become paranoid and siloed, and is resembling a shark tank. Some have tried to build social cohesion in the industry, such as those with the Kindness Games, but many are just becoming “invite only” clubs and memberships that are highly controlled by industry gatekeepers or big box security companies.
I cannot say I’ve been immune to negativity, and it is often hard to bite one’s tongue, but we need to do a better job of working together, bringing down walls, and respecting what we all bring to the table. Intellectual property will always be a challenge and we live in a world of opportunists, but collaboration will bring a new increase in domestic and international security. Even where there are differences and disagreements, we need to be more supportive and empathetic. When young and aspiring professionals or vendors are trying to break into the industry, welcome them and help them. Guide them. This hatred of vendors must stop. Let’s collaborate more in 2024 to create a more secure future for all of us.
The Increased Pressure on Private Security and Resulting Vulnerabilities: Shootings
The strain on private security in 2023 was palpable. The reduction in effectiveness of public law enforcement (for a myriad of reasons) created a higher demand for private security companies and vendors. This was accompanied by an increase in physical attacks on guards and other security professionals. The private security industry was not prepared to scale and lacked some of the support (such as intelligence) that the public sector had. Margins have always been thin in physical security, and the quality of professionals was compromised by a “lowest bidder” phenomenon and the consolidation of the industry by “big box” security firms (they will remain nameless here). This led to a downward spiral, especially considering the increased threat landscape and rising costs.
Private security will need to evolve quickly to become more holistic, lean, and proactive in order to improve its own force protection and to serve clients with the quality required in 2024. Government should look seriously at security monopolies to spark innovation and to prevent the boutique, specialized, and high-quality security companies and vendors from going out of business. Clients of security companies should look more at the quality and true capabilities of security companies and not necessarily go with the biggest or cheapest. This can be a catastrophic mistake. Security companies themselves should realize the existential value of good risk intelligence and strive to equip their teams with the best technology and early warning to improve ROI and services. Traditional physical security setups and methods must be updated. Evolve or die.
The Increased Cost of Risk
As the number of significant activities (SIGACTS) and realized risk impacts have increased, insurance carriers that normally cover physical security companies for general liability, cyber, or specialty products are substantially raising rates or getting out of these markets altogether. This has pinched already tight margins and has caused at least three security companies that I know of to go out of business. This is another indicator of the changing threat landscape and the increased cost of risk. Many insurance companies are not even covering cyber-attacks or losses anymore, especially outside of the United States. The fallback plan of any ill-conceived security or risk management plan has always been insurance to cover losses, but this safety net is starting to evaporate.
This points to a greater problem for society that could lead to major destabilization for several reasons. The increased cost of operations is creating more consolidation, as only larger security companies can afford these margins. This means fewer security companies serving a high-demand market. This logically leads to less competition and poorer quality, low-innovation services. As the threat landscape devolves because of poor security quality, more insurance companies raise rates or leave markets, eventually leading to a downward spiral of decay in safety and increases in many threat vectors. Risk intelligence technology (both actuarial and services solutions) can help insurance companies better protect themselves from losses in these markets so they can lower premiums and get back in the fight.
Lack of Focus and Preparation for Risks with High Probability & High Potential Impact
There is still a prevalent shortage of proactive security and risk professionals and the budgets to support them. Companies and security firms are trimming budgets for all kinds of reasons, none of them good. They are also spending more on low-probability, low-impact risk vulnerabilities. The losses from high-impact, high-probability threats are much more manageable with proactive and preventative approaches that almost always require forward thinking and anticipation of bad luck or targeted impacts. Cleaning up the mess from a cyber-attack, lawsuit, lost talent, operational disruption, reputational harm, or lost revenue opportunity is always more expensive and can be a “company killer” in some cases. I have personally assessed and examined dozens of security programs and was genuinely surprised by the sheer number and scale of easily preventable vulnerabilities, the lack of planning, and the absence of any risk characterization.
The idea of security and risk management activities being cost centers is long outdated, and executive staff must learn this quickly if they haven’t already. Ignoring highly relevant, high-impact potential threats and “winging it” with insurance and minimalist, siloed security measures is not forgivable. That is not to say larger budgets are always the answer. In most cases, it’s the assessment and optimization of existing SRM programs and profiles that will yield value and benefits. Security and risk management should be a staple of business, and physical security companies should be building their client security profiles based on a comprehensive understanding of risk. This is important for their own force protection and to provide the proactive and effective services their clients need today in any situation.