I've been circling a question all week, and I can't shake it. It surfaced again and again in the conversations I've been part of — on conference floors, and far more pointedly behind closed doors, where cybersecurity leaders speak more plainly than they ever do on a main stage, on podcasts, or in meetings.
In cybersecurity, we talk endlessly about prevention. Stop the breach. Block the attacker. Build the defensive "walls higher". And most of our budgets, our metrics and our boardroom conversations are quietly built on a single assumption: that the goal is to keep bad things from happening at all.
But what if that's the wrong optimisation problem?
What if, in an age where AI is collapsing the cost and speed of offensive capability, and where conflict itself has slipped into a permanent grey zone, the smartest defenders won't be the ones trying to stop every attack, but the ones who change the conditions that make attacks valuable, scalable and persistent in the first place?
That's a fundamentally different lens. And history suggests it's often the one that wins.
What History Can Teach Us & The Pattern That's Hiding in Plain Sight
Some of the greatest leaps in human safety didn't come from solving a problem head-on. They came from redesigning the system around it.
Take car crashes. We never did manage to stop people having accidents. What we did instead was make accidents survivable — seatbelts, crumple zones, airbags, better road design, speed controls, faster emergency response. We backed it with law (at least in the UK) — the requirement to wear a seatbelt, then to belt up in the back seats too, and the annual MOT that no car can dodge if it wants to stay on the road. The question quietly shifted from "prevent every crash" to "make crashes matter less" — and we built the rules to make that shift stick. Deaths fell dramatically.
Or public health. We didn't conquer polio by treating each paralysed child one by one. We did it by vaccinating children at scale — changing the environment so the virus had nowhere left to spread, and pushing a disease that once terrified every parent to the very edge of eradication.
Public health even has a name for this mindset: harm reduction. Forged in the HIV epidemic of the 1980s, it starts from an uncomfortable truth — that some risky behaviour won't stop on command — so instead of demanding abstinence, it works to reduce the damage that behaviour does. Needle exchanges never set out to end drug use; they stopped it spreading disease. It sounds modest, but the idea is quietly radical: you make more progress by accepting what you cannot eliminate and shrinking its consequences than by chasing a purity you'll never reach. Swap "drug use" for "intrusions," and you have the cybersecurity argument almost word for word.
The same logic shows up again and again. Some of the most effective anti-gang work succeeded not by increasing punishment, but by offering young people alternative routes to identity, belonging, income and status. Aviation stopped blaming individual pilots and built layered resilience instead — checklists, redundancy, simulation, crew resource management, a culture of reporting incidents (e.g., Just Culture) rather than hiding them.
And it's happening in our own field too: the most promising answer to phishing isn't training people to spot ever-cleverer fakes — it's the passkey. By binding your login to the genuine website and keeping the secret on your device, passkeys make a whole class of credential theft phishing-resistant. We stopped relying on human vigilance and changed the environment instead. It's no accident that this is exactly what the GCHQ Director urged the public to adopt.
In every case, the shift was the same: from prevention-focused thinking to systems-focused thinking.
Not "how do we stop bad actors?" but "how do we build systems where compromise matters less?"
The Bletchley Lesson We Keep Forgetting
This brings me to the place that has been on my mind all week, Bletchley Park.
It's no small thing that GCHQ chose its wartime home as the stage for its first Annual Lecture last month. Bletchley is where, as Director Anne Keast-Butler reminded her audience, a determined team turned codebooks into catalysts and altered the course of history. (Three quarters of that team, incidentally, were women — a detail I'll never tire of repeating!)
But the popular version of that story is misleading. We tell it as:
"The codebreakers cracked Enigma and won the war."
It's clean, linear, and presented as a problem solved. But the reality is far more interesting, and far more relevant to us now.
Even after breaking Enigma, the Allies couldn't stop every attack, sink every U-boat or prevent every loss. One of the hardest strategic decisions they faced was not acting on intelligence they held, because doing so would reveal that the code had been broken. The intelligence only became powerful when it was woven into a larger system: rerouting convoys, shaping logistics, managing timing, running deception operations, building industrial resilience and shortening their own decision cycles.
The goal was never perfect prevention. It was strategic advantage and resilience. Victory didn't come from eliminating every enemy action. It came from making the enemy unable to achieve anything meaningful.
That, to me, is the lesson cyber keeps forgetting.
Why This Matters Now
If AI dramatically lowers the cost, speed and scale of offensive cyber capability — and everything in front of us suggests it will — then defenders are heading towards the same uncomfortable truth the Allies faced. You cannot stop every intrusion. You will not build an impenetrable wall, however much you spend.
So the winning strategy starts to look less like fortification and more like resilience:
- Reducing the attacker's advantage rather than chasing perfection.
- Detecting faster, and recovering faster — spotting the intruder on the endpoint and in their behaviour, not months later in a breach notification.
- Limiting the blast radius when something does get through — segmenting networks so an intruder can't roam from one foothold to the whole estate. Or better still, microsegmentation.
- Using deception against the attacker — canaries, honeypots and decoys that waste their time, expose their presence and turn our own networks into ground that works against them.
- Designing identities and access so a single compromise can't cascade — least privilege, tight control of privileged accounts, and zero-trust assumptions rather than a soft centre behind a hard shell.
- Making attacks strategically ineffective — so that even a "successful" intrusion fails to achieve anything worth the effort.
We already do this brilliantly in one corner of our lives, and barely notice. We never stopped criminals stealing card data — breaches happen constantly — but chip-and-PIN and tokenisation made the stolen data largely worthless. The thief still gets in; the loot is junk. That is the civilian echo of the Bletchley logic: not preventing every breach, but leaving the attacker unable to achieve anything meaningful with it.
This isn't defeatism. It's maturity. It's the difference between a brittle system that shatters on first contact and an antifragile one that bends, absorbs and keeps going.
The Grey Zone & Where Prevention Breaks Down
Here's where the geopolitics becomes impossible to ignore, and why this question is dominating closed-door leadership conversations rather than the keynote stages.
We are no longer in peacetime, but nor are we at war in any way our institutions were designed to recognise. We are in the grey zone — what Anne Keast-Butler described from the Bletchley stage as a "space between peace and war." It is the deliberate territory of hybrid conflict: sabotage, disinformation, economic coercion and cyber operations, all calibrated to sit just below the threshold that would trigger a conventional response. Russia is scaling up its daily hybrid activity against the UK and Europe; the targets are critical infrastructure, supply chains, democratic processes and public trust itself.
The grey zone is precisely where prevention thinking falls apart. There is no declaration, no front line, no single decisive moment to defend. You cannot "win" by stopping a discrete attack, because the campaign is continuous, deniable and designed to exhaust you. The adversary's advantage is patience and ambiguity. Which means the only durable counter is, once again, resilience and coordination — the ability to absorb constant pressure without fracturing, and to act faster together than the adversary can act against you.
This is the thread running through the conversations leaders are actually having right now. Infosecurity Europe has just wrapped at the ExCeL, and beyond the show floor, the more revealing exchanges happened in rooms with the doors shut. One of the most striking was Black Hat's invitation-only Cyber War Games Connect, which brought together a highly curated group of leaders from government, defence, critical infrastructure and industry across the UK and Europe to wrestle with modern geopolitical conflict and the coordination it demands — with cyber as a core element rather than a footnote. (There'll be more to share from them on that soon.)
I'd gently point out what a war game actually is. It is not an attempt to prevent the attack. It is a rehearsal of the response — building the muscle memory, stress-testing the coordination, finding the seams between organisations before an adversary does. It is systems-thinking made tangible. The fact that this is where serious people are now investing their time tells you the centre of gravity has already moved.
From Boardrooms to Living Rooms
And this is exactly why Keast-Butler's message landed the way it did.
She described a "moment of consequence" — a world of increasingly brazen adversaries, where AI has become, in her words, an unstoppable force, and the UK and its allies face a "narrowing window" to stay ahead of a science-and-tech superpower in China. She called for cybersecurity to become "ten times more urgent."
This isn't fearmongering. It's the texture of modern conflict. We still picture war as tanks, troops and missiles. But today it can arrive silently — through infrastructure, supply chains, hospitals, elections and public trust. Cyber is no longer an IT issue. It's a national resilience issue.
The line that stayed with me was her call for urgency "from boardrooms to living rooms." Because it names a truth we often dodge: in a grey-zone conflict, the perimeter is everywhere and everyone. Governments and intelligence agencies, however extraordinary, cannot secure every business, every supplier, every family device and every account on their own. Resilience has to be distributed, because the attack surface already is.
And here's the genuinely good news. A systems lens doesn't make individuals powerless — it makes their actions count for more. Many attacks remain entirely preventable at the source. Strong, unique passwords. The passkeys I mentioned earlier, wherever they're offered. Multi-factor authentication everywhere. Patching kept current. Frameworks like Cyber Essentials for organisations. None of it is glamorous, but all of it raises the cost of attack and shrinks the attacker's advantage — which is precisely the game we're now playing.
For leaders, the implication is sharper still. Cybersecurity can no longer be a compliance tick-box delegated entirely to IT. It has to become part of leadership, culture and operational resilience — owned in the boardroom, rehearsed like the war game it has become, not buried in a risk register.
There's a deeper version of this, and it's the part we too often skip. Most of what we call cybersecurity is really damage control — patching flaws that should never have shipped, asking users to compensate for products that were insecure the day they were sold. But the car didn't get safer only because we taught people to brake better. It got safer because crumple zones and airbags were engineered in at the design stage. The equivalent for technology is secure by design: building products so there are simply fewer flaws to exploit in the first place. Fewer bugs shipped means fewer bugs to patch, a smaller attack surface, and less for everyone downstream to defend. You move the fix to the source.
And this is no longer a thought experiment. We don't let a car on the road on the promise it won't crash; we require an MOT before it can be driven — and we're finally starting to ask the same of technology. Since 2024, UK law has banned lazy defaults like universal factory passwords on connected devices and forced manufacturers to declare how long they'll support them. The EU's Cyber Resilience Act goes further: from 2027, products with digital elements will have to meet secure-by-design requirements to be sold in Europe at all. The significance isn't the detail — it's the shift. Security is moving from an optional differentiator to a condition of market access: a standard you meet before you trade, rather than a fine you pay after you're breached. That changes the environment around the problem, which is rather the point.
To End
So I'll leave you where I started, but with the question reframed.
For a century, the most transformative safety breakthroughs came from people brave enough to stop fighting the problem directly and start redesigning the conditions around it. Bletchley understood it. Public health understood it. Aviation understood it.
In a grey-zone era — where the conflict is permanent, deniable and below the threshold of war — that instinct stops being a clever strategy and becomes the only one that holds. Cybersecurity's next decade may belong to those who stop asking "how do we stop every attack?" and start asking "how do we build a world where compromise matters less?"
That's not surrender. It's strategy. And as the window narrows, it may be the most important shift we make.
Now I Want To Hear From You...
Pick the question you want to answer and tell me over on LinkedIn where I'm discussing this:
- If you had to choose, do we put our energy into building higher walls, or into making breaches matter less? What's tipping the balance for you?
- Will 'secure by design' rules like the Cyber Resilience Act genuinely move the burden upstream, or just become a new form of compliance theatre?
- Which other field do you think cybersecurity should be borrowing from next, and what's the lesson we're missing?
References & Further Reading
The Resilience Curve
- The image takes inspiration from the "resilience curve," introduced by Bruneau and colleagues in 2003 to measure how communities absorb and bounce back from earthquakes, and a staple of engineering ever since. Borrowing it for cybersecurity is rather the point: https://www.sciencedirect.com/science/article/pii/S0951832021004427
- The line is your system's health over time. An incident knocks performance down; detecting early, containing the damage and recovering fast make the dip shallower and the recovery quicker — and the smaller that dip, the more resilient you are.
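As an added worked example (not part of the original post), here is the resilience curve as a small model: a piecewise-linear health line Q(t), with the resilience loss measured as the area between Q(t) and full performance, as Bruneau and colleagues define it. The three incident timelines and their numbers are constructed; they show that a shorter dwell time (faster detection, from the list earlier in the post) and a smaller blast radius (segmentation, giving a higher performance floor) both shrink the dip.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    """One incident timeline in days from initial compromise (constructed values).
    dwell: days until detection; contain: days from detection to containment;
    recover: days from containment to full performance; floor: performance (0..100)
    while uncontained. A small blast radius (segmentation) means a high floor."""
    dwell: float
    contain: float
    recover: float
    floor: float

def performance(inc: Incident, t: float) -> float:
    """Piecewise-linear health line Q(t); 100 means fully functional."""
    t_contained = inc.dwell + inc.contain
    t_recovered = t_contained + inc.recover
    if t < 0 or t >= t_recovered:
        return 100.0
    if t < t_contained:
        return inc.floor                      # flat bottom of the dip
    frac = (t - t_contained) / inc.recover    # linear climb back to 100
    return inc.floor + (100.0 - inc.floor) * frac

def resilience_loss(inc: Incident) -> float:
    """Area between Q(t) and 100 over the incident (Bruneau's resilience loss),
    in percentage-point-days: a rectangle until containment plus a recovery triangle."""
    deficit = 100.0 - inc.floor
    return deficit * (inc.dwell + inc.contain) + 0.5 * deficit * inc.recover

def resilience_loss_numeric(inc: Incident, steps: int = 20000) -> float:
    """Same area by trapezoidal integration of Q(t); cross-checks the closed form."""
    end = inc.dwell + inc.contain + inc.recover
    h = end / steps
    total = 0.0
    for i in range(steps):
        a = 100.0 - performance(inc, i * h)
        b = 100.0 - performance(inc, (i + 1) * h)
        total += 0.5 * (a + b) * h
    return total

# Constructed scenarios: months of dwell vs. a day, then fast response on a segmented estate.
SLOW_DETECTION = Incident(dwell=90, contain=10, recover=20, floor=40)
FAST_DETECTION = Incident(dwell=1, contain=2, recover=7, floor=40)
FAST_AND_SEGMENTED = Incident(dwell=1, contain=2, recover=7, floor=85)

if __name__ == "__main__":
    for name, inc in (("slow", SLOW_DETECTION), ("fast", FAST_DETECTION),
                      ("fast+segmented", FAST_AND_SEGMENTED)):
        print(f"{name:15s} resilience loss = {resilience_loss(inc):7.1f} pp-days")
```

The slow scenario integrates to 6600 percentage-point-days, the fast one to 390, and the fast-and-segmented one to 97.5: the same intrusion, made to matter less.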
Anne Keast-Butler's GCHQ Annual Lecture (Bletchley Park, 27 May 2026)
Bletchley Park & Enigma — including the discipline of not acting on every decrypt
Aviation safety — Crew Resource Management & Just Culture
Polio — vaccination preventing paralysis and pushing the disease to the edge of eradication
Hybrid warfare & the grey zone
Regulation, baseline standards & the "MOT for cyber" idea