Frontline lessons: What cybersecurity leaders can learn from attacks

In cybersecurity, confidence can be a liability.

I’ve seen organizations of all sizes assume they’re safe — until an attack proves otherwise. As threats grow more sophisticated, companies pour time and money into defending their systems. But too often, they focus on the wrong things, like fixing vulnerabilities that are not critical to operations, and reality catches them off guard.

Cyber resilience isn’t about checking boxes — it’s about whether your business can survive, recover, and thrive after an attack. And it requires entirely different approaches, programs and solutions to the ones that have been relied on to date.

After more than a decade in technology — from operations to the C-suite — I’ve heard the same stories on repeat: companies blindsided by breaches they believed could never happen. The truth is that most organizations are not as prepared as they think — or their reporting might tell them. What separates those who emerge stronger from those who falter often comes down to three critical lessons drawn from real-world attacks.

1. The illusion of security

“We thought we were secure—until we weren’t.” It’s one of the most common refrains after a breach. Many companies operate under false confidence, relying on outdated assumptions that leave them vulnerable:

• “We’re too small to be a target.” In reality, smaller organizations are increasingly targeted as steppingstones to larger enterprises. Particularly if they’re a part of a critical infrastructure supply chain.
• “We’re compliant, so we’re secure.” Compliance frameworks offer essential minimum baselines — but passing an annual audit doesn’t mean you’re continuously protected.
• “Our perimeter defenses are enough.” Today’s attackers exploit all kinds of misconfigurations, third-party access, and weak internal controls — not just external firewalls.

Compliance audits provide a snapshot; resilience is an adaptive system. Organizations need to move beyond just security audits to focus on continuous exposure risk monitoring, rapid response capabilities, and disaster recovery planning. 

Modern security demands layered defenses: micro and macro network segmentation, zero-trust architectures, and industry-specific attack exposure monitoring to address vulnerabilities before attackers do.

For example, the significant, real-world implications of validating that routers on critical networks are configured correctly is something I’ve talked a lot about recently with customers, following the Volt Typhoon attacks on United States critical infrastructure that were discovered in 2023.

2. The unseen entry points

Attackers don’t break-in the way you think. Hollywood-style hacks like a zero-day exploit are relatively rare, compared to attacks exploiting known vulnerabilities. Too often, preventable attacks stem from a simple but overlooked vulnerability in the supply chain or a simple misconfiguration. It’s most often the little things.

Attackers target third-party vendors with weaker defenses and use them as a backdoor into other networks. And they exploit gaps — unpatched systems, weak authentication, poor segmentation — wherever they exist. 

To stay ahead, companies need real-time visibility of exposure risk across the network, so they can prioritize remediation of their most exploitable misconfigurations and vulnerabilities. But to prioritize effectively, the network needs to be designed with appropriate layers of segmentation so that if attackers get in, you’ve made it as difficult as possible for them to move laterally and access business critical systems and data. You can then focus on mitigating risks in those business-critical segments. It’s also essential to implement supply chain security audits and enforce minimum cybersecurity standards, including network segmentation assessments, for third-party partners.

3. Security is a mindset, not a moment

Resilience beats reaction every time. Too many organizations believe that having an incident response plan is enough. But by the time a breach occurs, it’s already too late. You’re losing money, time, customer trust — and sometimes, you never fully recover.

The most resilient organizations don’t just respond well. They build security into everything they do. Cybersecurity should be part of business operations, not just IT and it needs to be a C-suite priority. Employees should be trained continuously not just annually. Phishing simulations and clear reporting protocols empower employees to act as a frontline defense. And leadership must prioritize cyber risks the same way they do financial or reputational risks.

What true cyber resilience looks like

Every organization is a potential target, and complacency when it comes to security can be dangerous. Organizations that focus solely on compliance, perimeter security or reactive response plans will always be one step behind attackers.

To build true resilience, security leaders must:

• Move beyond just annual audits: Making the shift from annual to regular to continuous assessment is pivotal to developing cyber resilience.
• Secure the ecosystem: Hold vendors to your own rigorous security standards by contractually ensuring they also undertake regular assessments.
• Elevate security to strategy: Make cybersecurity a standing item in boardroom discussions.
• Empower people: Build a culture where every employee is a security asset.

In the end, resilience isn’t about being unbreakable — it’s about being unshakable. The companies that will thrive in the face of constant cyber threats are those that embed security into who they are, not just what they do.