It is the nature of many security pros to look to the past to prepare the organization's IT defences. After all, there's never a shortage of historical data spewed out by everything on the network.
But an expert says chief security officers and risk managers instead should use tools and skills in a new discipline called strategic foresight to look into the future.
That’s the message Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada, gave this week at a conference in Toronto on enterprise risk management.
“In the world of IT we know we are facing a world that is evolving very rapidly,” he said in an interview during the meeting. “Traditional risk management is dependent on the past — you look at past data, you look at past occurrences, at risk, you look at statistics, all of which are historically based. (But) if you've got a rapidly evolving environment where things are changing quickly you are more than likely not going to have historical data for some of the big changes and new risks you are going to face. This is particularly true in IT. Some of those risks are not technologically based, they're based on choices of people and how they behave and what they do with technology.”
Strategic foresight uses multiple scenarios to build a picture of plausible alternate futures to better understand some of the risks an organization may face.
Although the field is still emerging, Kabilan, who used to be the head of strategic futures in Britain's Home Office, said its cybersecurity group developed very good threat scenarios.
The World Economic Forum produces a range of future scenarios, he said, some of which have IT elements.
Some service providers, such as Shaping Tomorrow, have automated tools that help risk managers scan the Internet for trends, he said. However, he added, insights still have to come from a broad set of stakeholders contributing to the analysis.
“You can't predict the future,” Kabilan emphasized. “However, you can get a broader view of the future that allows you to make a better decision today.”
A non-IT example he gave is an organization that figures out that mobility will be a big trend without knowing whether consumers will want tablets, phablets or smart phones.
From an IT security perspective a risk manager may be able to see that the human element is more important than hardware.
He believes that, broadly speaking, many Canadian organizations are aware of and are preparing to meet the possibility of external cyber attacks. But, he added, “in many cases people try to manage down the risks and don't put in place all of the pieces and the knowledge they need to deal with an incident if it happens.”
That is in part because organizations manage risk by looking backwards, and because across Canada the number of data breaches has so far been small.
The challenge, he added, is to convince organizations that, with the world evolving as quickly as it is, they shouldn't just “manage risk down and hope that it doesn't happen.”
“But the problem is risk evolving from the future, and some of those risks and the potential for breaches and other problems you might see may not be ones we’re currently aware of. And that big unknown is what we need to be prepared for.”
The Conference Board will hold a training session in Ottawa on strategic foresight March 18-19.