Given the recent devastation of COVID-19, and the intelligence activities surrounding the pandemic, it is interesting to think about how often predictions and projections come true. It is also interesting to think about how the exercise itself can provide insight into threats and risk scenarios we might not have thought of, even when we’re wrong. It is rare when a security or risk professional will go out on a limb to make a prediction. The consequences of being wrong in an industry where reputation means everything can lead to linear and group thought processes. We need to use the intelligence and experience we have, to at least try. In the process, we may see trends, patterns, and inherent biases that might have been missed…even if we end up being wrong.
Dr. Anthony Fauci is quoted in January of 2017 as saying that the next administration (Trump’s) would “no doubt face a surprise infections disease outbreak.” He went on to predict that this would occur within the next three years. Almost exactly three years later, the largest pandemic since the early 1900’s rocked the world. Mostly powered by the thought leadership at the time in science, technology, and politics, Fauci’s prediction tapped into his current understanding and frequency of disease and extrapolations of global commerce and transportation factors. His prediction about the future was so eerie and accurate that many accused him of being part of a plot to introduce the virus! If only we could be so accurate and sure of emerging threats and risks that will impact our assets and organization. When we look back at the quantitative projections of COVID-19 spread and mortality, after the virus was known to be a major threat, the story was much different and many data scientists were shamed into obscurity. We predicted the threat type but struggled with the impact analysis.
The Oliver Wyman consulting group predicted in 2018 that companies would increasingly use machine learning and data science to hire and conduct risk assessments on employees. In a 2019 review, their projection on this topic proved to be correct as multiple tech start-ups emerged, offering this service and capability, much to the chagrin of privacy zealots. However, many more predictions the same consulting group made ended up NOT being true and the percentage of correct predictions was below 50%. They still had no problem sharing their predictions for the security industry and their consulting clients most likely appreciated the thought leadership as they looked forward to their organizational fates. After all, they were off the hook for being wrong. Security and risk professionals love to pass on exposure.
We need to be more comfortable with being wrong and to quickly accept when we are. We need to measure our successes AND failures as professionals. It’s the only way we can improve and truly grapple with emerging threats and exposures. Francesc Guell wrote that “a forecast will never be accurate,” and “the experience of the organization in the operational forecasts with structured and perfected methods, generate knowledge and experience for innovation projects.” This applies to security risk management directly. If the goal of SRM is to relate security and risk management activities to the success of the company and form a strategic component of business, we must use the many methods of projecting and predicting to better understand future scenarios, threats, and risk contexts. If security will ever be strategic, we must treat a security and risk program as such, and cease being overly concerned with failure. It would be prudent for organizational stakeholders and boards to support this new paradigm and their officers, as it would likely result in better outcomes and preparedness. Who knows, you might just help predict and avoid a major threat to your business!
Contact Alpha Recon for help with your forecasts and risk intelligence picture. www.alpharecon.com