Envisioning Alternate Futures Will Change Our Thinking About Cybersecurity
Keywords:cybersecurity, Alternate Futures, foresight, scenario, resilience, strategy, planning, sectors, social, technological, economic, environmental, political
The world is changing in new and profound ways. These shifts will substantially alter how the cybersecurity workforce will do its job in the future and will require innovative, shared thinking and decisions. Today, efforts to understand the future cybersecurity environment are focused on exercising known technological threats at the sector or organizational level. This is limiting and could too narrowly focus planning and decisions, as it is not reflective of broader, macro-level global shifts across social, economic, environmental, and political changes. An organizing construct is needed to understand how this broader risk environment may impact the future of cybersecurity. ‘Alternate Futures' is a method within the broader discipline of foresight to consider a range of futures (e.g., probable, possible, preferable) twenty to thirty years from now across an organizational, cross-discipline, or global domain, and to create or alter our strategies, goals, plans, and actions to achieve desired outcomes. Alternate Futures is a method by which we: identify macro-level factors that will impact our world (e.g., social, technological, economic, environmental, political, legal), create scenarios for changes brought about by these factors (e.g., how will our world benefit or be worse off?), identify key drivers of change that could invoke these scenarios (e.g., changes in global interdependencies, government budgets, access to information, demographic shifts), and identify strategic needs that will ensure we are successful if any of these alternate futures unfold. Results from a small study we conducted of cybersecurity professionals across a range of roles aligned to NIST's Cybersecurity Workforce Framework indicated that they saw significant value in thinking more broadly and over a longer timeframe, as it would help to identify areas of risk convergence across multiple business functions, support CSO/CTO/CISO and governance board decision making processes, provide the cybersecurity community with a shared sense of direction and urgency to drive action toward meeting future needs, and ultimately to prepare the cybersecurity community for whatever challenges and opportunities the future holds. To achieve these outcomes, we recommend creating cross-sector and cross-business line communities to facilitate thinking around Alternate Futures.