The most devastating security failures often occur when assumptions about potential risks are not taken into account. Prior to major incidents, such as 9/11 or the SolarWinds breach, assumptions were made that turned out to be incorrect. The imperative of security is to anticipate and mitigate risks that will arise in the future.
Assumptions are necessary for any security plan, but they have a shelf life. As new interdependencies emerge, the pace of technological development accelerates, and the question of who provides security shifts, assumptions need to be stress-tested.
A future-resilient approach requires questioning existing assumptions about the world and environments in which we operate. This involves identifying broad or narrow assumptions across four categories: referent (who is being protected and why), affect (defenders’ ability to protect themselves and attackers’ capabilities), interdependence (system effects not sufficiently anticipated), and governance (role of government).
Stress-testing these assumptions is necessary for any leader interested in ensuring long-term security and resilience.