The first time you’ll hear, “We’re always in incident mode,” it won’t be said with drama. It will be said the way you mention the weather. Grey again. Pager again.

And that’s the problem. When a constant alarm becomes normal, your team stops asking the only question that matters. Why do we keep ending up here?

You can buy more tools. You can hire more analysts. You can hang more dashboards. You’ll still end up sprinting after the last breach, the last misconfiguration, the last vendor surprise, the last “minor” change that ate your weekend.

The best cyber teams we’ve worked with didn’t win because they ran faster. They won because they were adaptive and changed the risk landscape. They built a culture where weak signals had a microphone, and action didn’t require heroics.

Forecasting in cybersecurity is not fortune-telling. It’s disciplined habits, clear choices and a team that treats risk as daily practice, not an annual slide.

The trap: When ‘busy’ replaces ‘aware’

Reactive teams don’t choose chaos. Chaos chooses them, one small compromise at a time.

A rushed change goes in late Friday. A privileged account sticks around “temporarily” for months. A patch slips because the product has a deadline, and security feels like the polite guest at the table. A supplier gets fast-tracked, and nobody circles back.

Each event seems manageable. Together, they create a pattern. The pattern is what burns you.

Most teams drown in noise because they treat every alert as equal and as security’s job alone. You never develop direction. You develop reflexes.

Reflexes feel useful. They look good on incident bridges. They can also keep you blind.

Forecasting begins when you stop rewarding the “save” and start rewarding the “see and act.”

Risk culture: What it is when you strip the slogans

People talk about culture like it’s soft. Posters. Values. A town hall with applause on cue.

Culture is harder. Culture is what people do when nobody is watching, and when the clock is loud. Culture is what gets you the truth at 4 p.m., not at 4 a.m.

In cybersecurity, risk culture answers four questions.

  • Do people notice risk early?
  • Do they name it clearly?
  • Do they know who can decide?
  • Do they act without fear?

If any of the four fails, you get silence. Silence is the most dangerous gap in the building.

We’ve seen teams with expensive tooling and miserable outcomes because engineers learned one lesson. “If I raise a risk, I’ll get punished, slowed down or ignored.” So they keep quiet, and you get surprised.

We’ve also seen teams with average tooling but strong habits. They didn’t pretend risk was comfortable. They made it speakable.

Speakable risk is the start of foresight. Foresight enables the right action or inaction to achieve the best result!

Signal discipline: Give weak signals a place to land

Forecasting is not about seeing everything. It’s about seeing the right things early enough to act.

Top teams collect near misses like pilots collect flight data. Not for blame. For pattern.

A near miss is the attacker who almost got in. The bad change that almost made it into production. The vendor who nearly exposed a secret. The credential that nearly shipped in code.

Most organizations throw these away. “No harm done.” Ticket closed. Then harm arrives later, wearing the same outfit.

So you need a place for near misses to land. A lightweight log. A channel people trust. A small weekly ritual where you ask, “What almost happened?” Not “Who messed up.”

You also need shared language. Not ten pages of taxonomy. Just words that mean the same thing across teams. When someone says “critical,” do they mean “drop everything,” or “put it in the next release?”

Ambiguity breeds delay. Delay breeds surprise.

Decision rights: Speed dies in committees

We’ve seen incident calls where 20 people had opinions, and nobody had authority. It’s like watching a committee try to steer a ship mid-storm.

Forecasting requires speed, and speed requires decision rights and risk intelligence.

Many programmes invest in detection and forget the human bottleneck. Even perfect visibility is useless if every decision needs a meeting, and every meeting needs a senior leader who is “in back-to-backs.”

Top teams make risk-intelligent decisions before the heat.

  • Who can block a release?
  • Who can isolate a system?
  • Who can force key rotation?
  • Who can accept risk, and under what conditions?
  • When does an issue jump a level, and what triggers that jump?

If you want forecasting, fix your approval grid. Make it short. Make it usable at 2 a.m.

Then protect it. One override for convenience, and people learn the real rules. The real rules always win.

Behavioral standards: What ‘good’ looks like on Tuesday

You can’t ask people to “care about risk” and expect it to stick. People run on what gets rewarded and what gets them in trouble.

So strong teams set behavioral standards. Not as a lecture. As an operating agreement.

Security’s job is to reduce harm while keeping work moving, not to act as a gatekeeper. That means rules people can follow, and guardrails that make the right path easier than the wrong one.

Engineering’s job is to own what they ship, not to “help security.” If you build it, you own the blast radius.

Product’s job is to make exposure part of design, not to treat security as a late-stage checklist. If you can’t explain why a feature is worth the risk, you don’t understand the feature.

Vendor owners have a job too. They can’t outsource supplier risk to a questionnaire. They own the follow-up when a supplier says, “We’ll fix it next quarter.”

A small practice I love. Ask each team for three “no surprises” rules.

  • No privileged access without expiry.
  • No production change without rollback.
  • No new vendor without an owner and an exit plan.

Short list. Clear verbs. Real enforcement. That’s culture.

Operating rhythm: The week is where risk becomes real

If you only talk about risk during audits and incidents, you don’t have a culture of risk. You have a seasonal sport.

Forecasting lives in cadence. In the meetings you actually attend.

Weekly, run a short review with three questions.

  • What changed that affects exposure?
  • What almost went wrong?
  • What needs a decision?

Keep it tight. If it turns into status theatre, kill it and start again.

Monthly, practice one scenario. Plain, no fancy decks. If ransomware hits this service, what happens in the first hour? Who decides? What do you shut down, and what must stay alive?

Quarterly, test what you claim. Backups. Access controls. Vendor escalation. If you can’t test it, you don’t know it.

This rhythm teaches people that risk isn’t a surprise visitor. Risk is a resident. You don’t panic when you see it. You deal with it.

Imagine joining a team’s weekly review as a guest. Ten minutes in, an ops lead says, “We changed the identity provider settings yesterday. It felt odd.” No panic. No blame. Just a raised hand. Security asks two questions, engineering checks the logs and they roll back a risky toggle before lunch. Nothing makes the news. Nobody gets a medal. Everyone goes home on time. That’s what a good rhythm buys you. Most weeks, quietly.

Measures that point forward: Count what moves before damage

Many dashboards tell you what already happened. Incidents. Downtime. Loss.

Useful, but late.

If you want forecasting, track measures that move before the mess. Let’s shift to being a little more proactive and presilience-focused, instead of testing our reactions and resilience as the go-to responses.

  • How long do critical patches sit on systems that matter?
  • How often do privileged access exceptions expire on time?
  • How many urgent changes bypass checks, and where?
  • How many near misses get reported, and how fast do you learn from them?
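As an added example (not part of the original article), a small Python script that computes these four forward-looking measures from constructed sample records, and flags the quiet failure mode where near-miss reporting stops. The record layouts, dates and team names are assumptions made up for the illustration.

```python
from datetime import date
from statistics import median

# Constructed sample records (not real data), one row per item the weekly review looks at.
TODAY = date(2024, 6, 14)
PATCHES = [  # (system, is_critical_system, patch_released, patch_applied_or_None)
    ("payments-api", True, date(2024, 5, 1), None),          # still unpatched
    ("idp", True, date(2024, 5, 20), date(2024, 5, 22)),
    ("wiki", False, date(2024, 4, 1), None),                  # not a system that matters
]
PRIV_EXCEPTIONS = [  # (account, expiry_date, revoked_date_or_None)
    ("svc-deploy", date(2024, 5, 31), date(2024, 5, 31)),
    ("contractor-x", date(2024, 3, 1), None),                 # "temporary" access, months old
    ("oncall-break-glass", date(2024, 6, 1), date(2024, 6, 9)),  # revoked, but late
]
CHANGES = [  # (change_id, team, urgent, passed_checks)
    ("CHG-1", "platform", True, False),
    ("CHG-2", "platform", True, True),
    ("CHG-3", "payments", True, False),
    ("CHG-4", "payments", False, True),
]
NEAR_MISSES = {  # ISO week -> days from each report until a lesson was recorded
    "2024-W21": [2, 5], "2024-W22": [1], "2024-W23": [], "2024-W24": [],
}

def patch_age_days():
    """Median days a critical patch has waited (or waited before applying) on systems that matter."""
    ages = [((applied or TODAY) - released).days
            for _, critical, released, applied in PATCHES if critical]
    return median(ages) if ages else 0

def exceptions_expired_on_time():
    """Fraction of privileged exceptions actually revoked on or before their expiry date."""
    on_time = sum(1 for _, expiry, revoked in PRIV_EXCEPTIONS if revoked and revoked <= expiry)
    return on_time / len(PRIV_EXCEPTIONS)

def urgent_bypasses_by_team():
    """Urgent changes that skipped checks, grouped by the team that owns them."""
    out = {}
    for _, team, urgent, passed in CHANGES:
        if urgent and not passed:
            out[team] = out.get(team, 0) + 1
    return out

def near_miss_trend(quiet_weeks=2):
    """Reports per week, mean days to learn, and a silence flag for zero reports in N straight weeks."""
    counts = {week: len(days) for week, days in NEAR_MISSES.items()}
    recent = list(counts.values())[-quiet_weeks:]
    learn = [d for days in NEAR_MISSES.values() for d in days]
    return counts, (sum(learn) / len(learn) if learn else None), all(c == 0 for c in recent)
```

The silence flag is the point: a falling incident count next to a near-miss count that hits zero is a reporting problem to investigate, not a win.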

Picture a team celebrating fewer incidents while near-miss reporting falls to zero. They think they have improved. In reality, people have stopped speaking. Six weeks later, they get hit. The silence was the signal.

You don’t want perfect numbers. You want honest trends that trigger choices, not slides.

Leadership: The culture you reward is the culture you get

Leaders say they want transparency. Then they punish the first person who brings bad news. That one moment teaches the organization more than any policy ever could.

If you want forecasting and presilience, protect the messenger. Praise early escalation. Treat risk as a trade, not as a personal failure.

Also, stop romanticising heroics. The midnight save feels good. It makes a great story. It also hides the root issue: poor planning, weak controls, unclear ownership and a habit of postponing boring work.

Boring work buys calm and discipline buys reliability, but risk intelligence is what strikes the right balance between compliance, resilience and presilience.

Think of board conversations where someone asked, “Why spend on resilience when nothing happened this quarter?” And you answered with a question. “Would you rather pay for brakes or for ambulances?” It landed because it was true.

A simple 90-day shift: Small moves, real change

If your team feels stuck, don’t start with a massive program. Start with a few moves that change behavior fast.

  • First 30 days. Map your top repeat failures. Pick five signals to watch weekly. Name owners.
  • Days 31 to 60. Fix one decision bottleneck. Write the rule. Use it.
  • Days 61 to 90. Run one scenario practice a month. Learn one thing. Change one playbook. Close one gap.

You’re not chasing perfection. You’re building a habit. Habits compound.

If you do this well, something shifts. You stop being surprised by the same problems. People raise issues earlier. Engineers stop hiding bad news. Security stops shouting into the void. The organization feels calmer. Not complacent. Calm.

That calm is not luck. It’s culture. The right balance between prevention, reaction and proactivity ensures sustainable high performance.

And here’s the quiet mic-drop. When risk becomes a daily conversation, you don’t need to guess the future. You stop being shocked by the present.

This article is published as part of the Foundry Expert Contributor Network.