Predictions vs Process: Why “How” Trumps “What”
Author: Chris Finan
Chris Finan is the COO of ActZero, with experience spanning cybersecurity (Shape Security, acquired by f5), fin-tech (Manifold Technology), government (Director of Cybersecurity Policy, The White House) and leadership at growth-stage companies (Imperium, acquired by Google), as well as federal agencies (Product Director for DARPA’s Foundational Cyber Warfare Program).
We recently released our cybersecurity predictions for 2022. This got me reflecting on whether all the time we allocate toward analyzing adversary trends to generate these predictions is worthwhile. I realized that when compared to other predictive efforts, ours stood unique, in both the approach we had taken and the outcomes we were driving.
Why do we predict cybersecurity trends?
The marketing team likes these types of pieces because they tend to generate interest. But the real reason we spend so much valuable time trying to predict the future is to prepare for what’s to come. Or, at least, react with agility if something we had thought about does come to pass.
That may sound self-serving, but it is ultimately in the service of our customers. We focus on small to medium-sized enterprises, for whom resource constraints are often an issue. One such constraint for them is cybersecurity expertise. This means it doesn’t take Nostradamus-level predictions to add value; practically-minded predictions are more valuable. When our functional experts look at the landscape, they can anticipate what’s coming — and offer ways that both we as an organization and provider can prepare; but also, ways our customers can prepare.
So, we do this for the IT leaders who don’t have the wherewithal to analyze and predict adversary trends, but need guidance before their budgets are allocated for the year. I’ve spoken previously of the partnership model that is becoming increasingly necessary in this domain.
Intent aside, what are the outcomes we hope to drive in making these predictions? They are actually separate from those we drive with our service offering.
Preparative Action: We are far from the only group to offer cybersecurity predictions, yet others consistently miss the “how to prepare” angle. If your predictions have any merit, they should be practically useful for your audience, whether that’s CISOs, Threat Hunters, or IT leaders without a cybersecurity foundation. That’s why once our strategists and leaders identify the trends to expect, we turn it over to tacticians and subject matter experts to inform the specific steps to take, assuming our predictions come to pass.
An Informed Approach: The implications of new cybersecurity developments should inform (and influence) your efforts in the IT domain. These could include anything from network architecture to hiring practices. The point is they extend well beyond “I’d better have a defense for the latest upcoming threat” to the essential program requirements for risk mitigation.
Education and Trust: We encourage our prospects and our customers to question their vendors about cybersecurity success metrics, outcomes, and approaches — including those we preach and practice ourselves. As a cybersecurity startup, these are common questions we get, and we seek to encourage them as a matter of strategy. The better we get as a community at articulating and evaluating the outcomes we need to achieve to stay secure, the more secure we’ll all be.
We gather our experts, we review the research, and we look at our attack trend data to formulate what is to come.
Our experts are not limited to the cybersecurity domain, but span IT, leadership, data science, people, and operations. The cross-functional nature of our predictive team is critical to seeing the forest from the trees, and ensuring relevance.
This usually results in a laundry list, which we pare down to those most relevant for our customers. We specifically avoid reading other expert predictions, so as not to bias the process (though it’s always fun to review them after to see where we thought alike).
In keeping with our data-driven nature, we then ask “How will we know if this prediction has come to pass?” So many predictions are ambiguously worded, and could easily be massaged into being true. Such efforts don’t inspire trust, rather they leave the predictions without practical context. How useful is it to know something’s coming, without the context around what that actually means? Actionability is meaningful.
We are constantly sharing developments in the industry throughout the year with our customers as a means of continuously improving their security posture. As a result, we have a clear view when things happen that are in keeping with, or contrary to, what we have predicted. We set these aside for our retrospective…
… In which we reconvene and discuss whether our predictions came to pass. Feel free to watch the recording where we discuss predictions new and old.
We do this because it reflects our values. This isn’t about bragging rights; it’s about a practical exercise to inform our plans, enable preparative action, and educate those without that strategic view of the landscape, to ultimately establish trust.
This predictive effort is not all altruistic; in dogfooding, it stands to inform our own plans at ActZero — from product development (features to address changes to network architecture), to threat hunting (training to detect and respond to the latest threat), to data science (finding indicators for such threats) to partnerships (helping insurers remain affordable for customers who have prepared).
The predictive effort, and the outcomes it drives, should empower the community at large. If nothing else, through dialog. We encourage companies, vendors, analysts and influencers to react to the predictions we put forward — call us out. Because that dialog is how we iterate and improve to stay more secure.