Let's take an example: Double Pendulums
Just predict where they'll swing. Really easy, right? You can model the entire pendulum with two nodes and two edges. Simple.
Give it a try: https://www.myphysicslab.com/pendulum/double-pendulum-en.html. Hit the pause button in the upper-right, drag the pendulums to the top where they can drop. Put your finger on the screen where you think they'll be in 5 seconds, hit play, and count to 5. How did it go?
Hmmm. Let’s try it again. Maybe if you saw it happen first. Hit pause, drag them back up, put 1 finger where it starts, run to the count of 5, and put another finger (same hand) where it ends. Now drag the pendulum back up to the first finger, hit play again, and count to 5. Is the second pendulum anywhere near your second finger?
You can't predict the future
If you were right, you were wildly lucky. Check out 7 pendulums whose only difference is approximately 1/3rd of an ounce. It's due to chaotic motion. Even in a system with just two nodes where we know all the variables, it gets unpredictable very quickly. Now imagine if your system is something like this:
In this image the color code is as follows:
- the upper-left brown is the internet.
- the five fuchsia nodes to the right are user systems
- the upper green are the DMZ
- the blue-green and dark grey are servers
- orange are management systems
- light pink is infrastructure
- grey is a security system
- light blue at the bottom is a protected enclave.
That's about two dozen systems. An _extremely_ small IT estate. And we have little idea of all the variables it may contain. Compare that to the two-pendulum model. If we can't predict two pendulums, what chance do we have with this?
Try to imagine predicting the business climate and how the world will change over the next 20 years. You need to make choices now that will govern your success then. Can you (or anyone) do that?
The answer is, of course, no. Lots of people are making many decisions and some will be right, and some will be wrong. However, for the most part it's not due to the individuals making them.
So what's a person to do?
Give up? Give in? Nah, don’t do that.
In spite of all the uncertainty and the multitude of variables involved, the reality is that most useful systems do not tend to devolve into chaos. If they did, they wouldn't be useful. Instead, they normally remain in common, steady states, except when moving from one steady state to another because something changes.
And that's what you should do. Bet on the average. The common state. The place where most things end up. Don't look at people who succeeded (or failed) spectacularly. It was spectacular because it wasn't common. They couldn't predict the future and neither can you. You can bet on the most common outcome though. (As Sir Francis Galton - or Dan Kahneman if you prefer - would call it, Regression to the Mean.) For security, this means filter email, filter web content, use two-factor authentication, and manage assets.
The other thing you can do is prepare to change along with the situation. This requires creative people who can devise innovative solutions when there is some new input, rather than following the usual processes. This is one of the reasons why quality security operations are essential. Something engineered and built over several years will never cope with a significant shift in information security unless it also shifts.
And in conclusion, don't beat yourself up over it
What happened in the past did not predictably lead to today, for you or anyone else. And not only does the past not predict the future, but the future doesn’t require the past. Inverse evolutionary techniques such as Inverse Generative Social Science demonstrate that things could have started completely differently, and we still could arrive right where we are today. The best you can do is invest in the average and be creative enough to handle the unanticipated.