The point of forecasting risk

“Anyone Could Have Seen That Coming” Misses the Point of Forecasting

When I share a cyber risk forecast, one of the most common reactions I hear is:
“That feels generic. Anyone could have seen that coming.”

At first glance, that sounds like a critique. In reality, it reveals a misunderstanding of what a forecast is meant to do.

A good cyber risk forecast is not about surprising people with exotic attack scenarios. It’s about identifying when known risks become more likely, why that change is happening, and what decisions should move forward before events show up in headlines.

Hindsight always feels obvious

Once an incident occurs, it’s easy to say it was predictable. After a breach, a disruption, or a supply‑chain incident, patterns suddenly look clear. In hindsight, almost everything feels inevitable.

But here’s the test that matters:

If the risk was truly obvious in advance, organizations would already be prepared. Boards wouldn’t be asking why resilience wasn’t in place. CISOs wouldn’t be explaining why priorities shifted too late.

The reality is that most organizations are reacting to after‑the‑fact reporting, not acting on early decision signals.

Forecasting isn’t about novelty—it’s about timing

Boards don’t pay for originality. They pay for decision timing.

Industry reporting excels at explaining what just happened: which company was hit, what technique was used, and how the incident unfolded. That information is useful—but only once damage is already visible.

A forecast serves a different purpose. It focuses on risk acceleration:

  • When global events, geopolitical shifts, or operational conditions materially increase likelihood

  • When familiar threats move from background noise to board‑level concern

  • When the next 30/60/90 days require different priorities than the last quarter

That distinction is critical. The value of a forecast is not whether the risk sounds familiar—it’s whether it gives leaders permission to act early, with evidence.

Verification, not surprise

One of the clearest signals that a forecast is doing its job is what happens after it’s published.

When public reporting later aligns with what was forecasted weeks earlier, that reporting becomes verification, not news. Instead of reacting with surprise, leaders can say, “This is what we prepared for.”

That’s fundamentally different from consuming industry news in real time and trying to convert it into decisions under pressure.

Why CISOs subscribe—and why boards value it

CISOs don’t need more alerts, feeds, or technical commentary. They need a way to prioritize ahead of leadership questions, not respond to them afterward.

Boards value a forecast because it:

  • Connects cyber risk to business timing and operational exposure, not just threat actors

  • Supports defensible decision‑making before incidents escalate

  • Replaces reactive explanations with evidence‑based preparation

In short, it helps close the gap between “we read about it” and “we were ready for it.”

The real measure of a forecast

The goal of a forecast isn’t to shock or impress. It’s to reduce surprise, shorten decision cycles, and make preparation defensible.

If something “anyone could have seen coming” still catches organizations unprepared, that’s not proof the risk was obvious. It’s proof that decision support arrived too late.

A forecast exists to change that outcome.