Cyber Threat Predictions: How to Cut Through the Noise
Another Year, Another Cyber Threat Prediction
Every year, cybersecurity experts (along with plenty of not-really-experts) release new cyber threat predictions, most of which are a waste of your time.
And look, I understand the goal. As cybersecurity and cyber threat intelligence (CTI) practitioners, we want to get the jump on the bad guys, but the truth is, these predictions are often so incredibly vague or obvious that they are barely worth mentioning.
But why are these predictions so popular around this time of year, and what should we be doing instead?
Predictions Are Sexy
When it comes to cybersecurity, everyone loves a good prediction, the scarier the better! The traditional intelligence industry, in fact, was built on the concept of conducting analysis to predict the most likely or most dangerous course of action an adversary may take.
But are cyber threat predictions really all that they’re cracked up to be? In most cases, the answer is no. The truth is, trying to predict the biggest cyber threats for the coming year is a pointless endeavor. With the ever-changing threat landscape and the number of new vulnerabilities, malware and adversary tactics, techniques, and procedures (TTPs) being developed every day, it’s impossible to say for certain what the biggest threats will be.
Foreboding Prophecies Make Great FUD Articles and Sound Bites
. . .especially when those predictions come from experts.
Cyber threat predictions make for great FUD (fear, uncertainty and doubt) articles, and as humans, we can’t help but be drawn to them. But for information security professionals, the cacophony of these predictions is little more than deafening noise.
How to Cut Through the Noise
So, how do we cut through the noise and get to the good stuff? Here are a few tips to help restore your sanity this time of year:
Beware of FUD articles — use your critical thinking skills!
Ultimately, it’s up to you to decide what cyber threats you should be paying attention to, but 9 times out of 10, those FUD articles and sound bites are a waste of your time.
Look for predictions from reputable, industry-leading sources.
Hint: If the predictions are not backed up by data and detailed analysis, they’re likely not worth spending time on.
Ignore predictions that are vague or lack specific details.
Predictions like “Cyber threat actors will become increasingly sophisticated” or “Expect unpatched vulnerabilities to wreak havoc on business operations” are only there for the clicks.
Focus on the cyber threats that are most likely to adversely impact your organization.
- Ensure your information security and CTI teams are well-trained
- Provide your teams with the best tools your budget will allow
- Be sure they know what questions to ask (and the process for answering them)
- Verify that they understand their specific roles in an event or incident
Leverage Your Relationships
In a trusted community of industry peers, have those conversations. Learn more about what your peers are seeing in their organizations and allow that knowledge to help inform your own defense strategy.
What You Should Do Now
Instead of wasting your time predicting which cyber threats will arise this year, why not shift that focus to testing your response plans, training your company personnel on how to avoid becoming victims of social engineering, and implementing a real training plan for your information security and CTI teams? That is how you get on the path to better protecting your organization.
Got questions about how to test your response plans? Message me on LinkedIn.
Need Cyber Threat Intelligence training? Check out The CTI Schoolhouse.