AI is breaking the prevention-first mindset: Why fast restoration now matters more than ever
For most of my career as a CISO, the cyber industry seemed to operate on a simple and largely unchallenged assumption. If you invested enough in prevention, serious incidents could be avoided.
Strong perimeter controls, layered defenses, regular patching, and increasingly sophisticated detection tools were seen as the answer. When breaches did happen, they were treated as failures of execution rather than evidence that the model itself was flawed.
Chief Strategy Officer at Halcyon.
This mindset made sense in a different threat environment. Attacks were more linear and often opportunistic. Security teams had time to analyze alerts, escalate concerns, and intervene before attackers reached critical systems. Boards expected certainty, and prevention offered a narrative that was easy to understand and reassuring to fund.
What has changed is not just the volume of attacks, but their speed and adaptability. Ransomware in particular has exposed how fragile the prevention-first model really is.
Even so, many organizations continue to double down on the idea that better tools will eventually close the gap. In my experience, that belief persists because it is less comfortable to admit that a cyber compromise is no longer a question of if, but when.
Backups became the safety net that allowed this belief to survive longer than it should have. On paper, the logic is sound. If something goes wrong, restore from backup and move on. In reality, ransomware incidents consistently show how brittle this approach is under pressure.
Time sensitivity
What actually goes wrong is rarely a single technical failure. Backups may exist, but they are often incomplete, outdated, or untested in real-life scenarios. More importantly, restoring data is only a small part of recovery.
Systems need to be rebuilt, networks re-segmented, credentials rotated, and confidence restored that the attacker no longer has access. Many organizations discover far too late that their backups reintroduce the same weaknesses that were exploited in the first place.
Time is the most underestimated factor at the executive level. There is a persistent assumption that recovery is measured in hours because this is what dashboards suggest. In real incidents, the clock ticks very differently. Each decision is weighed against the risk of making things worse.
Teams hesitate, rightly, because bringing systems back online too quickly can trigger reinfection or further data loss. That hesitation stretches recovery timelines far beyond what leadership expects.
I believe that AI has fundamentally changed the dynamics on the attacker side, and this is where the pressure on recovery becomes acute. Attackers are no longer constrained by human pace.
Automation allows them to move laterally, escalate privileges, and exfiltrate data almost immediately after initial access. Defensive teams may detect activity quickly, but detection does not equal control when recovery processes remain slow, manual, and fragmented.
The industry has spent years optimizing for early warning. Far less attention has been paid to what happens next. AI-driven attacks compress the window between compromise and impact so dramatically that the ability to recover quickly becomes more important than the ability to prevent perfectly.
Resilience defined by confident, efficient recovery
A good resilience posture today looks very different from what many organizations still plan for. It assumes that some attacks will succeed and focuses on limiting blast radius and downtime. It prioritizes clean, isolated recovery environments that can be trusted under pressure.
It requires recovery processes that are rehearsed regularly, not documented once and left untouched. Most importantly, it demands that boards understand resilience as a business capability, not a technical afterthought. Recovery objectives need to be realistic and meaningful.
Restoring a server is not the same as restoring operations. The organizations that recover fastest are those where roles are clear, decisions are pre-authorized, and leadership has practiced operating in crisis conditions.
The most dangerous mismatch I see today is between AI-driven attacks and human decision making. Attackers operate continuously, adapting in real time, without fatigue or organizational friction. Defenders rely on committees, approvals, and escalation paths that slow everything down at the worst possible moment.
When incidents happen, uncertainty spreads quickly, and without preparation that uncertainty turns into paralysis.
If there is one conclusion I have drawn from watching ransomware evolve, it is this: resilience is no longer defined by how well you keep attackers out. It is defined by how quickly and confidently you can recover when they get in.
Organizations that recognize this shift and invest accordingly will remain operational. Those that cling to prevention as their primary strategy will continue to be surprised when recovery takes far longer than anyone expected.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.