Horizon Scanning: A Beginner’s Guide


“Horizon scanning is a technique for detecting early signs of potentially important developments through a systematic examination of potential threats and opportunities, with emphasis on new technology and its effects on the issue at hand.”

With the world more interconnected than ever before, an event in one place has the power to impact people across the world. Recently, when a ship was stuck in the Suez Canal, it resulted in shipping delays and the loss of millions of dollars. This event created sub-events of its own, with impacts we are yet to identify. Volatility in the Dow Jones affects the Asian markets, and a climate crisis in one country has the potential to increase prices for consumers across the world.

Despite the efforts of witches and mages throughout the ages, the future can never be accurately foretold. In our modern world, our organizations turn to risk management as the latter-day shaman to divine the potential pitfalls and opportunities lurking in the midst of tomorrow. While there are a number of techniques out there, it is horizon scanning that has become the buzzword of the modern organization.

A policy paper, “Interim cybersecurity science and technology strategy”, published by the Government of the UK, mentions horizon scanning as one of the main techniques to remain effective in the world order. It also emphasizes that the UK Government needs to mainstream the use of horizon scanning to inform cybersecurity policymaking. It ends by establishing trust in this risk management technique, stating: “We will design in independent assurance to make sure that our horizon scanning capability is truly comprehensive and of a world-class capability and to ensure that NCSC’s views are properly incorporated into policymaking.”

Another policy paper, titled “Cyber Threats and NATO 2030: Horizon Scanning and Analysis”, is in a way an application of this technique, showing the risks that we could face from a cybersecurity perspective.

Horizon Scanning

Given the focus governments place on this technique, especially when establishing their cybersecurity strategies, it calls for a deep understanding. Horizon scanning can be a good technique for people to look at complexity, challenge assumptions, and review multiple ways that events could unfurl to increase the resilience and reliability of their organizations.

It is not about trying to predict the future but rather reviewing options to make evidence-based decisions. 

Horizon scanning is a systematic method for:

• spotting potential causes of uncertainty

• ensuring adequate preparation

• exploiting opportunities and

• surviving threats

The operationalization of the process above may take the shape illustrated in the following graphic: 


Some of you may be of the opinion that this is just an old approach to risk management: you identify the key stakeholders and discuss with them to identify the risks faced by the organization. However, look closely and you may identify the differences. The focus of this approach is for you to look at the horizon.

We need to understand two terms at this point to dive deeper into this process.

Risk can only be managed when the information needed for ‘management’ is available; explicit consideration of this requirement is an important part of the process. As the detail of the risk becomes clearer, the relationship between the possible risk event and the timing of usable management information also becomes clearer.

Where the information needed to manage a risk (either a threat or an opportunity) is available in good time before the event is expected, detailed management steps can be put in place using plans and processes. This is typically the kind of risk with detailed information and associated plans found in risk registers.

This early availability of management information is termed slow risk clock speed, as it is an ‘information rate’ issue being addressed. It means organizations have processing time on their side, discussion can occur, and plans may be implemented as a project. 

On the other hand, the management information for other risks can come in quick succession, at or close to real-time, and these are termed fast risk clock speed risks. 

Let’s understand this via some examples. 

A) Microsoft announces that it will retire support for Windows XXX version by year XXXX. As an information security professional, you pass on this risk to the management and they plan for this risk by procuring new licenses which would entail a cost of XX $. This is a slow, simple risk that comes with ample processing time, and the entire migration to a new Windows version can be treated as a project.

B) Your organization gets hit by a ransomware attack due to a zero-day vulnerability in software that you have deployed. This is real-time: you do not have the luxury of time, and this cannot be treated as a long-term project.

These examples will help you understand the difference between slow risk clock speed and fast risk clock speed.

No degree of investigation or planning will make up for the real-time availability of the information. Fast risk clock speed risks such as that described above require a different management style and duly qualified experts must be on hand to assess and manage the risks by making critical decisions and using their expertise in real-time. Considering the rate of information availability (i.e. risk clock speed) is far more useful from a risk management perspective than just considering the velocity of the risk.

Horizon scanning is a technique that focuses on dealing with fast clock speed risks. It helps you understand such risks and be ready with a response even though you do not have the luxury of time. It helps you assess the landscape so that you are well prepared and have devised a strategy for dealing with fast clock speed risks.

Look Beyond

An important element of horizon scanning that sets it apart from normal risk assessment work is that it considers information that cannot normally be sourced from within the organization (i.e. from internal data sources and in-house management).

Seeking out information outside of your organization is vital: it may reveal that the industry you are in is moving in another direction and that you need to change the course for your business to survive. Therefore, when conducting a horizon-scanning exercise, it is vital to identify where to go to get information that cannot be sourced internally.

  • Threat Landscapes
  • Opportunities
  • Industry Leaders
  • Cutting-edge Research
  • Customers
  • View from the ground floor
  • Technology perspective

While you may be performing horizon scanning in your organization in a different manner, it is imperative that you publish these results to the board on a timely basis. A 2019 BSI Horizon scanning report lists cyber threats as the topmost risk faced by organizations and governments around the world.

"Cyberattack tops the list of future challenges: The cyberattack was the fourth greatest disruption over the past twelve months but has now jumped to first place in the list of future threats. There were many high-profile attacks over the past twelve months on companies that would be expected to thwart attacks, which have meant the issue is now becoming a crucial part of the boardroom agenda."

In Summary,

Horizon scanning leads to the early detection of emerging issues and weak signals and helps towards ensuring there is a rapid, systematic process of pattern recognition to understand positive and negative signs. The impact of change is often highly unpredictable, and the design of effective horizon scanning interventions is grounded in principles and foundations that assert the importance of mapping the landscape, monitoring change, using future techniques, and validating findings. However, this is not to be seen as a technical process; it is a mindset that helps people to think through options and risks they face. For horizon scanning to work well, it is essential to engage multiple stakeholders across disciplines and departments to think through and discuss disruptive change.

There will be events such as Covid that may or may not be predicted by such scanning techniques. However, horizon scanning does help you gauge the risks over the horizon and devise strategies to prepare accordingly.

If you have been using this technique or a flavor of it, share your experiences in the comments section below. 

References: 

https://www.bsigroup.com/globalassets/localfiles/en-ca/Resources%20ca/Business%20Continuity/bci-horizon-scan-report-2019-ca.pdf

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/663181/Embargoed_National_Cyber_Science_and_Technology_Strategy_FINALpdf.pdf

https://ccdcoe.org/uploads/2020/12/Cyber-Threats-and-NATO-2030_Horizon-Scanning-and-Analysis.pdf

https://www.theirm.org/media/7423/horizon-scanning_final2-1.pdf
