{"id":8474,"date":"2026-06-12T09:00:00","date_gmt":"2026-06-12T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8474"},"modified":"2026-06-12T09:00:00","modified_gmt":"2026-06-12T09:00:00","slug":"ai-is-exposing-the-biggest-weakness-in-cybersecurity-we-never-built-a-health-model-until-now","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8474","title":{"rendered":"AI is exposing the biggest weakness in cybersecurity: We never built a health model. Until now!"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>For 30 years, cybersecurity has operated like an emergency room.<\/p>\n<p>Reactive. Crisis-driven. Always triaging. We are extraordinarily good at it \u2014 our detection is faster, our response playbooks are sharper, our incident teams are more capable than they have ever been. When something goes wrong, the modern security organization runs toward the fire with real skill.<\/p>\n<p>But here is the uncomfortable truth that artificial intelligence is now forcing into the open: An emergency room does not produce a healthy population. Healthcare does that \u2014 through prevention, continuous monitoring, early diagnosis and a model of the whole patient.<\/p>\n<p>Cybersecurity never built that model. We built the trauma bay and called it a profession.<\/p>\n<p>For a long time, we got away with it. The threat environment moved at human speed. The gaps in our thinking were survivable. AI has ended that grace period. It has not created a new weakness so much as it has illuminated the oldest one \u2014 and it is now moving faster than our reactive posture can absorb.<\/p>\n<p>We do not have a tooling problem. We have a missing-model problem. 
And until we name it, no amount of investment will fix it.<\/p>\n<h2 class=\"wp-block-heading\">We\u2019ve been asking \u2014 and answering \u2014 the wrong question<\/h2>\n<p>Walk into almost any boardroom and you will hear the same exchange. A director asks the CISO: \u201cAre we secure?\u201d<\/p>\n<p>It is the wrong question, and most of us have known it for years.<\/p>\n<p>\u201cSecure\u201d is binary. It is a snapshot. It is a yes-or-no answer to something that is actually a living, continuously changing condition. No physician would accept that question from a patient. A doctor does not ask \u201cAre you healthy?\u201d and expect a useful answer. They ask a better set of questions: How are you functioning? What do the vital signs say? What is trending in the wrong direction? What needs attention now, before it becomes a crisis?<\/p>\n<p>Cybersecurity has never adopted that mindset because it never had the model that requires it. We have frameworks for controls. We have frameworks for adversary behavior. We have no widely adopted framework for organizational health \u2014 for whether the enterprise, as a whole living system, is well.<\/p>\n<p>That gap was tolerable when threats were slow. It is not tolerable now.<\/p>\n<h2 class=\"wp-block-heading\">Why AI breaks the reactive model<\/h2>\n<p>AI changes three things at once, and each one punishes a reactive posture specifically.<\/p>\n<p><strong>It compresses the timeline. <\/strong>Reconnaissance, exploitation, lateral movement and exfiltration that once unfolded over days now unfold in minutes. An emergency-room model assumes there is time between the symptom and the intervention. AI is closing that window. You cannot triage your way through an attack that completes before the triage begins.<\/p>\n<p><strong>It industrializes the routine. 
<\/strong>AI makes competent attacks cheap and abundant \u2014 phishing that is grammatically perfect and contextually aware, deepfaked executives authorizing transfers, vulnerability discovery at machine scale. The reactive model assumes a manageable volume of meaningful events. AI removes that assumption.<\/p>\n<p><strong>It introduces a new organ we do not know how to monitor. <\/strong>Every enterprise is now deploying AI systems into its own operations \u2014 including its security operations. These systems make decisions, take actions and carry risk. They are, in clinical terms, a new organ inside the body. And most organizations have deployed them with no intake assessment, no monitoring of their condition and no governance of their behavior. We have added an organ to the patient and never checked whether it is healthy.<\/p>\n<p>A reactive model has no answer to any of this. You cannot out-triage machine speed. The only viable response is to shift from reaction to health \u2014 to build the enterprise\u2019s adaptive capacity before the crisis, not after.<\/p>\n<h2 class=\"wp-block-heading\">What a health model actually looks like<\/h2>\n<p>This is the thinking behind the Clinical Cybersecurity Framework \u2014 a model I have developed over two decades in the CISO chair, and one that has resonated strongly enough with peers over the past months to convince me it is naming something the industry already feels.<\/p>\n<p>The premise is simple. 
An enterprise should be treated less like static infrastructure and more like a living organism \u2014 and once leaders see that anatomy clearly, the entire security conversation changes.<\/p>\n<p>Every enterprise has the same essential anatomy:<\/p>\n<div class=\"overflow-table-wrapper\"><table><thead><tr><th>ENTERPRISE SYSTEM<\/th><th>CLINICAL EQUIVALENT<\/th><\/tr><\/thead><tbody><tr><td>Critical business services<\/td><td>Organs<\/td><\/tr><tr><td>Data flows<\/td><td>Circulatory system<\/td><\/tr><tr><td>Identity and access<\/td><td>Immune system<\/td><\/tr><tr><td>Infrastructure<\/td><td>Nervous system<\/td><\/tr><tr><td>Telemetry and monitoring<\/td><td>Vital signs<\/td><\/tr><tr><td>Incident response<\/td><td>Emergency medicine<\/td><\/tr><tr><td>Resilience and recovery<\/td><td>Rehabilitation<\/td><\/tr><tr><td>Governance<\/td><td>Clinical leadership<\/td><\/tr><tr><td>AI oversight<\/td><td>Autonomous clinical supervision<\/td><\/tr><\/tbody><\/table><\/div>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p class=\"imageCredit\">Patrick Doliny<\/p>\n<\/div>\n<p>This is not a metaphor for its own sake. It is an operating model, and it does three things a controls checklist cannot.<\/p>\n<p><strong>It makes diagnosis come before treatment. <\/strong>No competent clinician prescribes before examining. Yet cybersecurity routinely buys tools before it has assessed the patient. A health model requires a clinical intake first \u2014 an honest baseline of how the organization is actually functioning \u2014 and only then a treatment plan built for that specific patient.<\/p>\n<p><strong>It makes health measurable and continuous. <\/strong>A patient\u2019s vital signs are monitored continuously, against known healthy ranges, with the direction of movement mattering as much as the current value. A health model holds cybersecurity to the same standard: Not an annual audit snapshot, but continuous monitoring of the organization\u2019s real condition.<\/p>\n<p><strong>It gives every leader one shared question. <\/strong>A heart rhythm is universally legible \u2014 a clinician, an administrator and a frightened family member can all read the same monitor and grasp the same essential question: Is the rhythm steady, or is something wrong? 
Cybersecurity has never had that shared signal. Boards get threat counts and patch percentages; they do not get a pulse. A health model gives technologists, executives and directors one common language for the same reality.<\/p>\n<h2 class=\"wp-block-heading\">Where this fits with the frameworks we already have<\/h2>\n<p>This does not replace what works. It completes it.<\/p>\n<p>NIST explains controls \u2014 the disciplined architecture of safeguards. MITRE explains adversaries \u2014 how attackers think and move. Both are essential. Neither was built to answer whether the organization, as a whole, is well.<\/p>\n<p>NIST tells you whether the safeguards exist. MITRE tells you who is coming for them. A clinical model tells you whether the patient can withstand the encounter \u2014 and recover from it. That third question is the one AI is now asking with an urgency the industry has never faced. It is the missing layer, and it sits above the others, not against them.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p class=\"imageCredit\">Patrick Doliny<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\">Why this matters for the CISO and the board<\/h2>\n<p>Adopting a health model changes the CISO\u2019s role and changes it for the better.<\/p>\n<p>It moves the CISO out of the position of the technician who reports incidents and into the position of the clinician who reports condition. \u201cAre we secure?\u201d has no good answer. \u201cHere is our organizational health, here are the vital signs trending the wrong way, here is the treatment plan and what it requires\u201d \u2014 that is a conversation a board can actually govern with.<\/p>\n<p>It also reframes resilience itself. Resilience is not the redundant infrastructure that restores data. Resilience, properly understood, is the process and outcome of adapting successfully to difficult conditions \u2014 through mental, emotional and behavioral flexibility. Backups restore data. 
Only adaptive people and well-governed systems restore an organization. A health model treats that adaptive capacity as something to be built and measured, not assumed.<\/p>\n<p>And it gives the enterprise a way to think about AI that matches the stakes. If AI is a new organ, it requires what every organ requires: An intake assessment before deployment, continuous monitoring of its condition, defined operating boundaries and clinical-grade governance. AI deployed without that is not a capability. It is an unmonitored risk inside the body it was meant to protect.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage undefined\">\n<p class=\"imageCredit\">Patrick Doliny<\/p>\n<\/div>\n<h2 class=\"wp-block-heading\">It\u2019s time to stop running the emergency room<\/h2>\n<p>The reactive era of cybersecurity is ending \u2014 not because it failed, but because it was never the whole job. We built a superb emergency room and mistook it for a healthcare system. AI is the force that has made the missing piece impossible to ignore.<\/p>\n<p>The organizations that will lead the next decade will not be the ones with the most tools or the loudest alerts. They will be the ones that can answer a better question than \u201cAre we secure?\u201d<\/p>\n<p>They will be the ones that can say, with evidence: We know how this organism is functioning. We are monitoring its vital signs. We are treating what the diagnosis revealed. And we are building the adaptive capacity to absorb what comes next.<\/p>\n<p>It is time to stop running the emergency room and start practicing medicine.<\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<\/strong><br \/><strong><a href=\"https:\/\/www.csoonline.com\/expert-contributor-network\/\">Want to join?<\/a><\/strong><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>For 30 years, cybersecurity has operated like an emergency room. Reactive. Crisis-driven. 
Always triaging. We are extraordinarily good at it \u2014 our detection is faster, our response playbooks are sharper, our incident teams are more capable than they have ever been. When something goes wrong, the modern security organization runs toward the fire with real [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8471,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8474","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8474"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8474"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8474\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8471"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8474"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8474"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8474"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}