Navigating the Seas of Hindsight


Decisions play a crucial role in shaping an organization’s defense against cyber threats. Yet, as time passes and new information comes to light, it’s common for decisions to be criticized with the power of hindsight. In this blog post, I’ll explore the phenomenon of retrospective criticism in infosec and emphasize the importance of understanding decisions within their historical context.

The Nature of Hindsight Criticism

Infosec decisions are often made under a veil of uncertainty, where the landscape of threats and technologies is constantly changing. Despite the best efforts and intentions, what might seem like an obvious misstep in hindsight could have been a calculated decision made based on the best information available at the time. Hindsight criticism can be a double-edged sword, offering valuable lessons while potentially undermining the confidence of security professionals.

The Influence of Emerging Threats

In the dynamic world of cyber threats, new vulnerabilities and attack vectors are continually discovered. What looked like a solid decision can later be criticized for not accounting for a threat that was not even known at the time. For instance, a company's choice of endpoint protection might have caught every malware family known when it was selected, only to face scrutiny when a new, previously unseen strain slips past it. The fair question is whether that strain, or the technique it relies on, was knowable when the product was chosen, not whether the product stops it today.

Technological Evolution and Constraints

Infosec decisions are heavily influenced by the technology available at the time. Solutions that are cutting-edge today might have been unavailable or cost-prohibitive in the past. Criticizing a decision for not adopting advanced security measures years ago ignores the reality of technological evolution and budgetary constraints that organizations face.

Context Matters

To truly understand the merit of an infosec decision, it is essential to consider the context in which it was made. Decisions are shaped by factors such as available resources, time pressures, and business priorities. For instance, a decision to delay patching a critical vulnerability might have been driven by the need to avoid disrupting a crucial product launch. What makes such a decision defensible later is the record that accompanied it: the risk that was knowingly accepted, the compensating controls put in place for the interim, and the date by which the patch was to be applied. Without that record, hindsight fills in the gaps, and rarely charitably.

Applying Statistics and Risk Assessment

In the world of infosec, decisions often involve assessing risks and weighing potential outcomes. However, the outcome of a single decision does not tell you whether the probability estimate behind it was sound. For example, a decision to allocate fewer resources to a specific security control might be deemed "wrong" if a breach occurs, even if the likelihood of that breach was low and the expected loss from it was smaller than the cost of the heavier control. A low-probability event still happens some fraction of the time; when it does, the estimate was not necessarily wrong, the dice simply landed that way. Judging decisions by their outcome rather than by the information and expected loss available at the time is exactly the trap hindsight sets.
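To make the point concrete, here is an added example that is not part of the original post. It scores two constructed budget allocations by annualized loss expectancy (ALE = SLE x ARO) plus control cost, picks the ex-ante better one, and then simulates ten thousand years to show how often the "right" decision still ends in a breach that hindsight would call a mistake. All figures (control costs, a 1,000,000 single loss expectancy, 5% and 1% annual rates of occurrence) are made up for illustration.

```python
import random

# Constructed figures for two ways of spending a control budget, not numbers
# from the post: yearly cost of the control, single loss expectancy (SLE) of
# one breach, and annual rate of occurrence (ARO) of that breach.
OPTIONS = {
    "lean_control":  {"control_cost": 20_000,  "sle": 1_000_000, "aro": 0.05},
    "heavy_control": {"control_cost": 150_000, "sle": 1_000_000, "aro": 0.01},
}


def annualized_loss_expectancy(sle, aro):
    """Classic ALE = SLE x ARO: expected breach loss per year."""
    return sle * aro


def expected_annual_cost(option):
    """What the option is expected to cost per year: control spend plus ALE."""
    return option["control_cost"] + annualized_loss_expectancy(option["sle"], option["aro"])


def best_option(options):
    """The ex-ante rational choice: the option with the lowest expected annual cost."""
    return min(options, key=lambda name: expected_annual_cost(options[name]))


def simulate_years(aro, years, seed):
    """One Bernoulli trial per year; True means a breach happened that year.
    A fixed seed keeps the run reproducible; both options share it so they
    are judged against the same stream of luck."""
    rng = random.Random(seed)
    return [rng.random() < aro for _ in range(years)]


def realized_annual_cost(option, breached):
    """What the organization actually paid in a given year: control cost,
    plus the full single loss if a breach occurred."""
    return option["control_cost"] + (option["sle"] if breached else 0)


def outcome_summary(options, years=10_000, seed=7):
    """For each option: expected cost, the fraction of simulated years in which
    a breach occurred (the years hindsight would call the decision "wrong"),
    and the mean realized cost, which converges on the expected cost."""
    summary = {}
    for name, opt in options.items():
        breaches = simulate_years(opt["aro"], years, seed)
        costs = [realized_annual_cost(opt, b) for b in breaches]
        summary[name] = {
            "expected_annual_cost": expected_annual_cost(opt),
            "breach_year_fraction": sum(breaches) / years,
            "mean_realized_cost": sum(costs) / years,
        }
    return summary


if __name__ == "__main__":
    print(f"ex-ante best option: {best_option(OPTIONS)}")
    for name, stats in outcome_summary(OPTIONS).items():
        print(f"{name}: expected {stats['expected_annual_cost']:,.0f}/yr, "
              f"breach in {stats['breach_year_fraction']:.1%} of years, "
              f"mean realized {stats['mean_realized_cost']:,.0f}/yr")
```

With these numbers the lean option is the rational choice (70,000 expected per year against 160,000), yet it produces a breach in roughly one year in twenty. Any one of those years, viewed in isolation, looks like a failure; viewed across the whole run, the lean option still costs less. The decision and the outcome have to be evaluated separately.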

Learning Without Blame

Retrospective criticism can lead to a culture of blame, where security professionals avoid making decisions for fear of later criticism. Instead, the focus should be on fostering an environment of continuous learning. Just as athletes review game footage to improve their performance, infosec professionals should use retrospective analysis to enhance their strategies without assigning blame: ask what information was available, what was assumed, and what would have changed the call, rather than who signed off on it.

In the ever-evolving world of infosec, decisions are not made in a vacuum. They are shaped by a complex interplay of factors, including emerging threats, technological limitations, and business priorities. Criticizing past decisions without considering the context and information available at the time overlooks the challenges faced by security professionals. By understanding the intricacies of decision-making and embracing a culture of learning, organizations can truly enhance their cybersecurity strategies and better defend against the evolving threat landscape.

About Joe Sullivan
Joe Sullivan has worked in information security for over two decades. He holds numerous certifications and has worked in various roles during that time. Joe is a SANS instructor and senior security consultant for TrustedSec. Joe regularly contributes to SecFlux and shares some of his experiences, knowledge, and insight into current cyber events.