Forward-looking processes
Retrospectives look at what happened. Forward-looking processes ask what is likely to happen, what conditions are building toward a problem, and what would need to be true for things to go well.
The distinction matters in security because most threats do not arrive without warning. They develop through a sequence of conditions, decisions, and small failures that were visible in advance but not attended to. A forward-looking process is a structured way of attending to them before they become incidents.
What forward-looking is not
It is not a risk register exercise. Risk registers capture known risks and assign scores to them. Forward-looking processes are for developing thinking about the future: what is changing in the environment, what assumptions are being tested by those changes, and what responses would be available if certain things came to pass.
It is not a threat modelling session, though it draws on similar thinking. Threat modelling focuses on a system and asks what could go wrong with it. A forward-looking process starts with the organisation and asks what the next six to eighteen months might bring and how prepared the organisation is to meet it.
The core questions
A forward-looking workshop for a security team works with questions like these:
What is changing in the threat landscape that the current programme was not designed for? This surfaces model drift: the programme was designed for conditions that may no longer hold.
What is changing inside the organisation that creates new exposure? Growth, restructuring, new cloud adoption, new partnerships, regulatory changes: each of these alters the attack surface and may not have triggered a corresponding adjustment to the security posture.
What would the organisation need to be able to do in twelve months that it cannot do today? This reframes the question from reactive (what are we missing now?) to developmental (what capability do we need to build, and what is the path to building it?).
What signals are we currently not collecting that would tell us things were going wrong? Monitoring gaps often mark the distance between what the programme was designed to detect and what is actually happening. Naming them explicitly is the first step to closing them.
Weinberg’s contribution
Weinberg’s problem-solving work suggests that the most valuable part of a forward-looking process is not the predictions it produces but the mental models it surfaces. When a group works through what they expect to happen over the next year, they are revealing the assumptions they are currently operating on. Those assumptions can then be examined: are they still accurate? Are there conditions under which they would fail? What would early evidence of that failure look like?
This is SEM applied to planning: the forward-looking exercise is a tool for making models visible so they can be tested rather than just acted on.
Running a forward-looking session
A useful structure for a security team:
Set the time horizon explicitly. Eighteen months is usually far enough to be genuinely forward-looking without becoming speculative. Twelve months works if the organisation is in a fast-changing environment.
Work in small groups on each of the core questions, then bring groups together to share. Different parts of the team will have different visibility into what is changing and what the organisation is not ready for.
Capture not only the findings but the reasoning behind them. The assumptions that led to a particular expectation are often more valuable than the expectation itself, because they can be monitored and updated as reality develops.
End with explicit identification of the two or three things that, if they change in the next period, should trigger a re-run of the process. This makes the forward-looking work a continuous practice rather than a one-time event.