Number 1: The Hubris of Prediction

December 29, 2010

“If it hasn’t been exploited yet, it probably won’t be.”

Repeat this ten times out loud:  You can’t predict the future.  We like to think we can “forecast” and come up with likely scenarios about what is going to happen, but it never works for long.  Risk management models fall apart in information security because there is so very, very much that you do not know.  The more specific you try to be, the shorter the lifetime of your prediction.

Of course, that’s nuance for people who understand forecasting and risk.  Headstrong predictions will be coming from the stakeholders who have to spend time and money to fix problems.  They will have tortured explanations, the whip marks still fresh, for why the problem of the day won’t ever really be a problem.  In these cases, it pays to be the only one in the organization with the official magic 8-ball.