Cyber Resilience Replaces Breach Prevention As The Defining Measure For Enterprise Security
Theresa Lanowitz, cybersecurity evangelist and former Gartner analyst, explains why resilience and supply chain accountability are the priorities security leaders must act on in 2026.

Breach prevention still matters, but it's no longer how enterprise security gets measured. The new benchmark is cyber resilience: the ability to keep the business running when systems fail. And by that measure, most organizations are not ready. Research shows only 45% consider themselves cyber resilient in 2025, a gap that grows more urgent as security leaders finalize plans and budgets for the year ahead.
Theresa Lanowitz is a cybersecurity evangelist, former Gartner analyst, and former Chief Evangelist at LevelBlue, the managed security services provider spun off from AT&T Cybersecurity. With more than 1,000 keynotes and presentations delivered worldwide and a track record of shaping widely cited research on cyber risk and business impact, her perspective is grounded in how security failures actually play out inside organizations. For her, cyber resilience is a business discipline, not a technical checkbox.
"The question isn’t whether an organization will be breached. It’s when it happens, how quickly the business can come together and limit the loss of productivity," says Lanowitz. She frames resilience as an operational problem, not a technical one. Consider a hospital that loses its systems to a cyber incident or a faulty software update. Can it still admit patients? Does it have paper forms printed and ready? That kind of preparedness extends far beyond the security team.
Everyone’s KPI: The biggest structural shift Lanowitz sees is that security can no longer stay siloed. Her advice to leaders is concrete: attach security KPIs to every leadership role. "It doesn’t matter if you’re on the development team, the operations team, the security team, or the line of business. You have a responsibility for security," she says. "When you attach those KPIs, people start budgeting for security from the beginning of every project, not bolting it on at the end." That alignment produces measurably better outcomes. Organizations where cybersecurity teams work closely with business units see stronger security culture and improved productivity across the applications they ship.
The supply chain wakes up the boardroom: Application security was the top investment priority for most organizations in 2025, and the pressure is coming from the top. Lanowitz points to three forces converging: SBOM regulation, an expanding attack surface from generative AI, and a growing global awareness of what supply chain incidents cost. "40% of CEOs say the software supply chain is their number one security concern," she says. "But only 25% of organizations are actively assessing their exposure."
The gap is significant because software now arrives from multiple and unpredictable sources: legacy code, trusted third-party vendors, open source, and AI-generated output. Lanowitz warns that organizations must audit the security practices of their suppliers, including the subcontractors those suppliers rely on. "You may think a trusted provider is writing the code they deliver. In reality, they’ve subbed it out to another group and another group. You lose control at the nth party."
Prompt is the new SQL: "If you look at what OWASP has done in the past, it was always about SQL injection. Now we’re looking at prompt injection," Lanowitz says. She notes that data leakage is often unintentional. "You could go to your favorite LLM and start putting in financial details, doing what-if scenarios. And suddenly, that’s now sensitive information that is out there inside of that LLM." The accountability gap left by AI providers makes governance harder. Her response is that organizations need to be deliberate about which AI tools they permit, invest in year-round training rather than annual compliance exercises, and make governance part of daily workflows.
In 2026, Lanowitz sees resilience planning, supply chain accountability, and post-breach readiness moving from aspiration to expectation. She warns that the aftermath of major breaches is becoming its own threat category, as adversary groups monetize stolen intellectual property long after the initial attack.
The imperative for security leaders is to bring back disciplined software engineering practices, budget for security from the start of every project, and accept that resilience is not a security team deliverable. "We have to make sure everybody understands the importance of security, that we talk to one another, and that we get out of the silos that have been built up over decades," Lanowitz concludes.

