It is comparatively easy to write the public version of one's professional opinions — board briefings, advisory papers, the blog you are reading — when the opinions have been right or have at least not been visibly wrong. It is harder to write about the calls that did not land. This post is the second kind. There are three calls I want to be honest about, because I think the discipline of writing them down is worth more than the discomfort of having done so. The version of this post that lists only the calls I got right would be safer. It would also be of less use to anyone.

What I got wrong: the timing on AI

In the autumn of 2023, when generative AI was starting to be on every board agenda, I was telling boards I sat with that the operational impact on cyber operations — both attack and defence — would be material within eighteen months. I was confident enough about it that several boards adjusted their twelve-month planning accordingly.

The materially-impactful tooling did arrive, but on a longer timeline than I had projected. The 2024 calendar year was, for most defenders and most attackers, the year of AI in the marketing slides rather than AI in the daily workflow. The shift into daily-workflow integration happened across late 2024 and through 2025, slower and more gradual than I had said it would.

What I was reading into the evidence: I was looking at the cadence of public research papers and assuming that operational adoption would follow at roughly the cadence I had seen for cloud (12-18 months from credible papers to mainstream practitioner use). The cadence for AI was longer, because the operational integration required tooling that did not exist yet, workflows that practitioners had not yet developed, and trust that takes longer than 12 months to build.

What I would do differently: I would have distinguished, in my board briefings, between "the threat surface is changing" (true on the original timeline) and "the threat manifestation is changing" (slower than I said). Boards needed both pieces. I gave them one and let them infer the other, which is not the same thing.

What I got wrong: the ransomware tail

In 2022 I was advising boards that ransomware as a category was likely to peak and then decline as a primary monetisation route for organised cyber crime, on the grounds that law enforcement action, payment-channel friction, and improved backup discipline would shrink the addressable market. I had reasons for the call. The reasons were not wrong; the conclusion was.

What actually happened over 2023, 2024, and 2025 was that ransomware diversified rather than declined. Double-extortion (encrypt and leak) became the floor rather than the ceiling; triple-extortion (encrypt, leak, then DDoS or harass) emerged; supply-chain compromise gave attackers leverage they had not previously had; and the group structure became less hierarchical and more federated, which made law-enforcement disruption harder to scale. April 2026 was the worst single month on record for ransomware — not a declining trend.

What I was reading into the evidence: I was modelling the criminal market as a single market with a single equilibrium. It was, in practice, several overlapping markets with different incentive structures, and shrinking one of them did not shrink the others. I was also underweighting the resilience of criminal organisations to law-enforcement disruption — they adapted faster than I had projected.

What I would do differently: I would have framed the prediction less confidently, distinguished between the dominant variant and the category, and built in the possibility that disruption would diversify the threat rather than reduce it. The call was the kind of confident contrarian call that gets attention when right and looks foolish when wrong; I would frame future ones more carefully.

What I got wrong: the regulator pace

For most of 2022 and 2023 I was telling boards that UK cyber regulation would move slowly — that the ICO would remain the dominant enforcer, that sectoral regulators would issue guidance rather than penalties, and that the Cyber Security and Resilience Bill would arrive late and weaker than its second-reading drafting suggested.

The regulators moved faster and harder than I had projected. Capita's £14m fine in March 2025 was the moment my framing broke. The fine was larger than I had predicted, the wording sharper, and it was followed by Advanced Computer Software and then by South Staffordshire Water in 2026 in a pattern that, in retrospect, was the regulator deliberately drawing a line.

What I was reading into the evidence: I was extrapolating from historical regulator behaviour rather than from the changing political and economic context. The ICO was under political pressure, in part because of high-profile incidents through 2023 and 2024 that had visible national impact, and that pressure shifted its enforcement posture faster than the prior trend would have suggested. I missed the structural change.

What I would do differently: I would have updated my view in early 2024, when the regulator started signalling a shift in its published guidance, rather than waiting for the first large fine to land. Predictions about regulator behaviour are predictions about a political-administrative system, and I treated them as predictions about a stable bureaucratic one. That was a category error.

What the pattern is

If I look at these three together, the pattern is the same in each. I anchored on the trend that was true at the moment of analysis, and underweighted the chance that the trend would inflect. The AI shift, the ransomware diversification, the regulator pace — each was a regime change that I read as a continuation. The mistake was not the analysis. The mistake was the implicit assumption that the regime was stable enough for analysis-of-trend to be a sufficient method.

The honest implication for how I work now is that I try to ask, when I make a call publicly, "what would have to be true for this to be wrong?" and to write the answer down where I can find it later. It is the cheapest single discipline I have added to my work in the past three years. It is also the one that has corrected the largest number of bad calls before they reached a board paper.

Why this matters at all

The reason any of this matters is that boards take cyber advice from people like me and act on it. The advice has consequences. If the advice is wrong, those consequences fall on real customers, real services, and real people. The discipline of writing down the calls that did not land is, in part, a public service obligation — the next director who reads me will know which of my framings to weight less. And it is, in part, a personal hygiene exercise — the act of writing forces me to look at the patterns I would rather not.

I will get the next set of calls wrong too. The trick is to get them wrong less expensively. Writing it down is part of the trick.