For 30-some years, cybersecurity has focused on prevention and defense, on stopping attackers from getting into networks and PCs, from stealing passwords and personal information, and from locking up files and holding them for ransom.
Prevention is very important, but it can never be totally achieved. Every system can be broken into if an attacker is determined enough, if not via a security vulnerability then by using a stolen password or by simple human error.
Today, the Byzantine complexity of open-source-code dependencies gives attackers multiple points of entry into software supply chains. Intrusions into proprietary code have spread malware through legitimate software updates. The quality of code written by large-language-model artificial intelligence (LLM-based AI) is rapidly improving — and cybercriminals are starting to use it.
All these trends only push the unattainable dream of 100% cybersecurity protection farther into the distance.
“AI can increase the persistence and aggression of common types of attack, quickly generate new and sophisticated malicious code that is harder to trace, and create voice and image clones — deepfakes — for more persuasive fraud schemes,” writes Theresa Lanowitz, Chief Cybersecurity Evangelist and Head of Thought Leadership at LevelBlue, in LevelBlue’s recently released 2025 Futures Report.
Citing the sudden appearance in January 2025 of the powerful, cheap, open-source Chinese LLM DeepSeek, Lanowitz worries that “a new disruptive phase of AI” will supercharge threat actors.
It’s clear that cyber resilience and company survival are just as important as cybersecurity-based prevention and defense. It won’t matter how many attacks you block because a few will inevitably get through, and you want to be sure your organization can quickly recover from them.
Or, to take the fortune-cookie angle: A mighty oak will resist hurricane winds until it breaks and topples over, while a slender palm tree will bend in the storm and live to see another day. Be the palm tree.
Cyber resilience is not cybersecurity
As Lanowitz told us, “cyber resilience mean[s] how the whole organization comes together when there is some type of interruption to that whole IT estate” — an organization’s networks, endpoints, cloud assets, software and databases — “whether it’s a cybersecurity breach, a man-made incident or a natural disaster.”
The amount of cyber resilience your company has will determine how quickly it recovers from an IT outage, whether partial or total. Cybersecurity is definitely part of cyber resilience, but the effort takes the entire company, including human resources, legal counsel, and public relations, to be successful.
As I write this, a major British retailer is slowly recovering from a ransomware attack that happened a month ago, on about April 20. The website is still not taking online orders, and the company expects disruptions to last into July.
It hasn’t been disclosed exactly how this happened, and the company isn’t revealing many details yet. But it seems that several British companies were recently hit by Scattered Spider, the same group that nearly paralyzed MGM Resorts International for several days in September 2023.
What’s certain is that neither the British retailer nor MGM Resorts was cyber resilient. They were not prepared to recover from massive IT outages or possible corruption or loss of data. MGM Resorts survived but incurred possibly $100 million in lost business and other associated costs.
The British retailer’s lack of cyber resiliency is all the more damning because it could have learned from the MGM Resorts incident yet didn’t adequately prepare. It should have aligned all teams within the company towards common business goals, broken down obstacles within the company, and followed several well-trod steps toward cyber resilience.
How cyber resilient organizations lead the way
Unfortunately, many companies are similarly unprepared. In a recent survey of 1,500 C-suite and senior executives in 14 countries conducted for the LevelBlue 2025 Futures Report, most respondents said their organizations were simply not ready for the new wave of AI-powered and supply-chain attacks.
Only 29% of the executives surveyed said they were prepared for AI-powered attacks, even though 42% expected to see some in the coming year. Likewise, only 32% said they could handle deepfake attacks, while 44% expected to encounter them.
Nearly half of respondents — 49% — said they had only low or moderate visibility into their own software supply chains. Yet only 30% would agree that AI adoption had increased supply-chain risks, and a mere 25% planned to ask third-party suppliers about their security in the coming year.
There’s also a certain disconnect in the survey results, with fears about AI tempered by overconfidence in one’s own abilities. Fifty-four percent of respondents claim to be highly competent at using AI to enhance cybersecurity, and 52% feel just as confident in their abilities to defend against attackers who use AI.
However, there’s a substantial difference between the bulk of the respondents and those few — about 7% of the total of 1,500 — that LevelBlue classified as already having achieved cyber resilience.
“An organization with a cyber-resilient culture is a place where everyone, at every level, understands their role in cybersecurity and takes accountability for it — including protecting sensitive data and systems,” the 2025 Futures Report explains.
Most notably, none of the 100 or so organizations that LevelBlue deemed cyber resilient had experienced a breach in the 12 months preceding the survey.
Ninety-four percent of the cyber-resilient elite said they were making investments in software-supply-chain security, versus 62% of the total group. The numbers were nearly identical — 91% versus 63% — when it came to investments in advanced threat detection.
And 79% of the cyber-resilient group felt comfortable taking innovation risks, compared to 61% of the overall group, due to a flexible approach to cybersecurity.
When asked about the driving factors toward better software-supply-chain visibility in their organizations, 35% of the cyber-resilient respondents cited awareness of known vulnerabilities, while only 28% of the larger group listed it. Thirty-four percent of the cyber-resilient group mentioned rating suppliers on security, against 24% of the total.
Even the leaders fell behind in one key aspect. Asked about which cybersecurity measures their organizations were making or had made significant investments in, only 35% of the total group mentioned the very effective adoption of a zero-trust network architecture — and only 45% of the cyber resilient did.
Nevertheless, the authors of the LevelBlue report felt that the cyber resilient group would continue to lead the way, and they expected to see that group grow larger in future years. In other words, we need to see far fewer three-month recovery timelines.
“The cyber-resilient organizations in our research are more committed to taking a proactive approach to improving their cybersecurity,” states the report. “Far more are investing in cyber-resilience processes across the business and generative AI for protection against social engineering attacks.”