The most severe security failures are generally those that we cannot anticipate – until they occur. Prior to 9/11, national security and law enforcement planners expected that airline hijackers would land their planes and reach a settlement – until they didn't. Prior to Stuxnet, control system engineers felt that air-gapped systems could work without interference – until a virus was installed. Prior to the SolarWinds breach discovery in 2020, IT managers believed that verified updates to a trusted network management platform were legitimate and safe – until the platform itself became the target of a devastating supply chain attack.
The severity of the harm caused by these incidents is often determined by the extent to which novel risks were unforeseen, or assumed not to be threats in the first place. In other words, the more basic the assumption, the more harmful the compromise. The objective of security is to be safe not only now, but also in the future, anticipating and mitigating threats that might arise at a later time and place through adequate preparation and protection. And the assumptions we make about the future environment form the basis for that work. Assumptions are required for any security strategy to be cohesive. But they have a shelf life.
It's doubtful that the assumptions we hold now will still be true later on. We understand that growing interdependencies will inevitably lead to cross-domain and cross-disciplinary security concerns. We are aware that the endless cycles of discovery and patch, identify and neutralise, and detect and respond will be even more difficult to maintain than they are now, given the pace of technological change.
Adopting a future-resilience approach
Recognising the shifting situation, we have endeavoured to speed this process by collecting and sharing more data, gaining deeper insights from more powerful analytics, detecting threat actors and their behaviours earlier, and responding faster to ongoing attacks.
But we're falling further behind. It is too late to understand a threat actor's aims and attack methods, let alone identify their moves. The primary challenge is to plan for a future with an unknown risk profile.
To become more resilient in a world of "unseen until it's too late" challenges, we must tighten our strategies and stress-test our assumptions. The future of security will be about resilience in the face of unknown hazards. Monitoring trends and anticipating threats is not sufficient. We must also reconsider the assumptions that support our current sense of security.
A new, future-resilient strategy will need to incorporate a purposeful process of challenging existing assumptions while they are still relevant in order to predict a future in which those assumptions are undermined. Then, based on this new future "reality," we can devise strategies for survival. In other words, we move away from assessing the current environment, making assumptions about the future, identifying threats, and then mitigating those risks, and towards explicitly identifying our assumptions, "making up" threats to undermine those assumptions, and building resilience to survive that future.