Cybersecurity Lessons for Greater Resilience
From shadow IT to AI-assisted attacks, today’s threat landscape demands more than passive moats or reactive defences. As digital threats evolve, resilience isn’t built on flashy tools or the latest trends. It’s forged in the quiet, often overlooked corners of infrastructure and culture. That means confronting security debt. It means designing for failure, managing human risk, and embracing simplicity: priorities that, according to Dave Lewis, Global Advisory CISO at 1Password, and Joseph Carson, former Chief Security Scientist and Advisory CISO at Delinea, lie at the heart of a strong security posture.

The Silent Entry Points

When the public discusses cybersecurity breaches, they often imagine sophisticated hackers breaking through fortified defences using novel attacks and advanced code. In reality, breaches are usually far more mundane, typically stemming from overlooked weaknesses such as security debt, shadow IT, and systems designed without security in mind, says Lewis.

Lewis recounted how, at one company, the intrusion detection system hadn’t been patched in years. Someone before him had just plugged it in and walked away, assuming the job was done. But it wasn’t doing anything. It wasn’t catching threats. What everyone thought was a working part of their defences was actually a ticking time bomb.

“Shadow IT is just people trying to get their job done. I don’t fault them, but they need to understand the potential ramifications. If they install something that bridges external and internal networks, accesses production data, and isn’t patched or properly configured – suddenly, a malicious actor finds it and pops the system.”

Agentic AI, Lewis cautioned, could be the next major loophole for businesses. These automated systems are often granted access to sensitive resources – credentials, API keys, internal data – without security ever entering the conversation. He likened the rush to adopt AI to the early days of cloud computing: full of promise, but ripe for missteps. In his view, the pace of innovation is exhilarating, and the potential productivity gains are real. But too often, organisations move too quickly, chasing the benefits while overlooking the risks.

“I’m not saying don’t adopt these technologies,” said Lewis. “I’m saying: do it properly. Put the right controls in place from the beginning, so that if something catastrophic happens, you can say with confidence that you’re protected. You took the right steps, and you’ve built security in from day one.”

Humans, the Forever Hunted

If there is a permanent weak link in cybersecurity, it’s people. Carson described it as something that happens in waves. Attackers go after vulnerabilities in software and applications when those flaws first come to light – exploiting them fast, before anyone has time to patch. But once patches are rolled out and systems are locked down, threat actors shift focus back to people, because it’s still the easiest way in.

AI is only making that path smoother. Carson pointed out that attackers are now using artificial intelligence to craft increasingly convincing phishing and social engineering campaigns. “They’re using AI to generate messages that look authentic – so convincing that it’s becoming very difficult for humans to tell the difference between what’s real and what’s malicious,” he said.

The use of AI is also helping attackers localise their campaigns with alarming precision. Carson noted that phishing and social engineering content can now be translated flawlessly into local languages – whether in text, audio, or even video. What was once a barrier is now a strength, allowing cybercriminals to target specific regions with native-level fluency.

Ironically, even some cybercriminals, particularly those who used to handle the more manual, mid-level work, are finding themselves replaced by automation. Carson said: “We’re seeing chatbots and automation take over roles that used to be handled by middle-tier cybercriminals. They’re cutting costs and scaling their operations. Cybercrime is run like a business, and AI is making it more efficient than ever.”

Both Carson and Lewis say humans can be the strongest link – with the right security culture. Lewis stressed that the human element is at the core of any security program: “The human element is key. They are fundamentally the core of any security program. If you can’t win over the people within your own organisation, you’re not going to get to a secure state no matter what technology you have.”

Building the Resilient System

So how do we build resilient systems? Carson pointed out that attackers rarely go straight for top-level targets. “They get in, do reconnaissance, and look for weaknesses,” he said. “They go for low-hanging fruit so they can stay stealthy and undetected.”

That’s why resilience starts with understanding what matters most. He recommends starting with a data and risk impact assessment to identify which digital assets are critical to the business and what the consequences would be if they were lost or stolen. From there, it’s about building in layers of protection and recovery: reliable backups, encrypting data in transit and at rest, and enforcing strong credential practices like multi-factor authentication and password managers. Finally, Carson stressed the importance of rotating credentials regularly to limit the impact of stolen access.

But resilience isn’t just about what’s running – it’s also about knowing when to shut things down. “Projects are spun up with no sunset provision; no plan for when they go offline,” Lewis warned. “As a result, they linger, unmaintained and vulnerable.” Even hardware, he noted, can be functionally obsolete long before it’s fully depreciated. And with the rise of cloud infrastructure, the risks have shifted. “You spin up things fast but forget them just as easily. You need to track licenses and usage carefully. Otherwise, you’re burning money on software you don’t even use.”

For Lewis, the issue traces back to cultural inertia and underfunding. “We keep repeating old behaviours. Zone segmentation, passwords, we’ve been talking about this since 1962,” Lewis said. “Security often doesn’t get the resources. I’ve had budgets granted and then pulled days later.” Building resilient systems, he suggests, means not only designing with intent but backing that intent with sustained support. In his view, the way forward is taking practical steps to improve cybersecurity and providing simpler tools for end-users. He summed up: “Security must be democratised. If people can use it easily, they won’t resist it. That’s how we win.”