- Anti-fragility is ‘the ability to thrive in the face of disruption’. It defines systems that thrive and improve from stress, volatility, disorder and shocks, rather than just resisting them.
- An anti-fragile approach actively benefits from each attack, identifying weaknesses, addressing them, and adapting as needed.
- Compliance doesn’t equal protection. Instead, organisations must look beyond regulatory mandates and formalise post-incident learning as part of an anti-fragility strategy, in order to make proactive and ongoing security improvements.
The last year has made it clear that cybersecurity is far more than a technology problem: it is an economic one as well. Cybercrime is estimated to cost the global economy more than $10 trillion every year. If cybercrime were an economy of its own, it would be the world’s third largest, bested only by the US and China.
From the M&S cyberattack that saw the retailer lose over £300 million in sales to the Jaguar Land Rover attack that is estimated to have cost the UK economy over £1.9 billion, recent headlines have told a clear story: cybercrime is now a systemic risk that demands attention.
That attention must be given in the year ahead. Resilience has long been treated as a byproduct of cybersecurity, rather than a fundamental business outcome, and in 2026, that must change. Organisations now recognise what’s at stake, be it catastrophic financial losses or reputational damages, regulatory hurdles, or a host of other issues.
The conversation has thankfully been moving in the right direction, from attack prevention to breach containment and continuity. But I’d argue we’re not aiming high enough. Today, true resilience is not about just being able to withstand crises, but harnessing them to become stronger.
What is anti-fragility?
That ability to thrive in the face of disruption must become the basis for improved resilience. Modern organisations shouldn’t strive for survival, but for continual improvement.
In the cyber sphere, that is crucial. Threat actors are constantly changing tack, targeting new CVEs, and executing increasingly complicated supply chain attacks. Resilience must therefore move in tandem as an ongoing process of learning and adapting.
That is the crux of anti-fragility. It defines systems that thrive and improve from stress, volatility, disorder and shocks, rather than just resisting them.
If a security model is only designed to recover, it remains just as vulnerable as before. But an anti-fragile approach actively benefits from each attack, identifying weaknesses, addressing them, and adapting as needed.
No company can ever guarantee that it will have zero incidents. It’s simply not realistic. Data from the National Cyber Security Centre shows the UK is now experiencing four nationally significant cyberattacks every week, while 43 per cent of businesses experienced a cybersecurity breach in the last year.
In that context, the focus needs to move from putting out digital fires as quickly as possible to understanding why and how they started in the first place. Only that approach will ensure they can be prevented and put out more quickly and effectively in the future.
Firms must look beyond legislation to make the necessary strategic improvements
Increasingly, organisations are recognising the value in anti-fragility as a strategy and more will adopt it next year. However, getting there means going beyond regulatory compliance. Compliance lays the foundations from which successful cybersecurity can be built, yet many currently see it as the finished structure.
There are several problems with that. Security legislation frequently lags behind the threat landscape, so the gap between a new threat emerging and a new law coming in to address it can stretch over years. Organisations must therefore understand that compliance doesn’t equal protection. Instead, they must look beyond regulatory mandates and formalise post-incident learning as part of an anti-fragility strategy, in order to make proactive and ongoing security improvements.
A breach containment strategy should be at the heart of this. It’s an approach to limit the scope and impact of a cyberattack by aiming to prevent the lateral movement of attackers.
At the heart of containment is microsegmentation and Zero Trust, which focus on reducing the impact through strict access controls. By proactively segmenting networks, isolating workloads, and limiting unnecessary permissions, critical operations can continue to run even during and after a cyber incident.
Every attempted breach can be analysed, providing insights that can help to find weak points, bolster the protection of critical assets, and strengthen defences in a more adaptive, intelligent way.
AI security graphs play a critical role by providing a comprehensive view of how elements within a network environment connect and interact. The AI element helps to correlate thousands of signals across environments to expose relationships between workloads, users, and systems. This shows potential attack paths and vulnerabilities – where attacks are likely to begin and how they could move through the environment.
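The two ideas above, that segmentation limits lateral movement and that a graph of who-can-talk-to-whom exposes attack paths, can be made concrete with a small model. The following is an added example, not code from the article or from any vendor product; the workload names, role labels and allowed flows are constructed, and the graph search is a simplified stand-in for a real security graph. It computes the blast radius of a compromised web server under a flat network and under an allowlist segmentation policy.

```python
from collections import deque

# Constructed sample inventory: hypothetical workload names mapped to role labels.
WORKLOADS = {
    "web-1": "web", "web-2": "web",
    "app-1": "app",
    "db-1": "db",
    "hr-payroll": "hr",
    "jump-1": "admin",
}

# Constructed allowlist: the only role-to-role flows the application actually needs.
ALLOWED_FLOWS = {("web", "app"), ("app", "db"),
                 ("admin", "web"), ("admin", "app"), ("admin", "db")}

def flat_policy(src, dst):
    """Unsegmented network: every workload can reach every other workload."""
    return src != dst

def segmented_policy(src, dst):
    """Microsegmentation: a flow is permitted only if its role pair is allowlisted."""
    return src != dst and (WORKLOADS[src], WORKLOADS[dst]) in ALLOWED_FLOWS

def blast_radius(start, policy):
    """Workloads an attacker holding `start` could reach by hopping along permitted flows."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt not in seen and policy(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def shortest_attack_path(start, target, policy):
    """Breadth-first search for the shortest permitted path, or None if the target is isolated."""
    parent, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in WORKLOADS:
            if nxt not in parent and policy(cur, nxt):
                parent[nxt] = cur
                queue.append(nxt)
    return None

if __name__ == "__main__":
    for name, policy in (("flat", flat_policy), ("segmented", segmented_policy)):
        print(name, "blast radius from web-1:", sorted(blast_radius("web-1", policy)))
        print(name, "path web-1 -> hr-payroll:", shortest_attack_path("web-1", "hr-payroll", policy))
```

Under the flat policy every workload is one hop from the compromised web server; under the segmented policy the payroll system is unreachable and the database is only reachable via the application tier, which is the path a defender would now instrument and watch.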
For companies, that ability to turn data into insight and act upon it can become a genuine differentiator. Cybersecurity in 2026 will be defined not by those who avoid incidents, but by those who learn from them.
Resilience is the new baseline, while anti-fragility is the goal. Organisations that treat every attack as an opportunity to improve will outpace those that simply recover. That means implementing the right security policies, leveraging the right tools, formalising post-incident learning, and turning key data into actionable insights.
For companies that get it right, anti-fragility will turn disruption into strength.
Trevor Dearing is director of critical infrastructure at Illumio.