AI/ML, AI benefits/risks

Building an anti-fragile security operations program in the AI era

Dark circuit board with glowing shield

COMMENTARY: A few years ago, I was working with a Fortune 100 bank's security team when they experienced what should have been a routine incident. A new malware variant had been detected in their environment—nothing catastrophic, but certainly something requiring investigation. What struck me wasn't the incident itself, but how two different teams within the same organization responded.

The first team followed their established playbook: isolate, contain, and remediate. They executed flawlessly, restoring normal operations within hours. Mission accomplished.

The second team did all of that — but then something interesting happened. They used the incident as a learning opportunity. They reverse-engineered the attack vector, updated their detection rules, shared intelligence across business units, and even collaborated with industry peers to understand the broader campaign. Six months later, when a similar attack hit their industry, they were the only organization that detected it immediately because they had already built immunity.

The first team was robust. The second team was anti-fragile.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

This distinction — between systems that merely withstand volatility and those that actually benefit from it — is revolutionizing how forward-thinking security teams operate in the AI era. We're living through a fundamental shift in how we think about security operations, and it's time we stop thinking about security as something that merely survives chaos and start thinking about how we can actually thrive because of it.

The spectrum: From fragile to anti-fragile

To understand where we need to go, let's first understand the nature of organization systems.

Fragile systems break under stress. These are the security programs that collapse when faced with a sophisticated attack, a major compliance audit, or even just rapid organizational growth. Unfortunately, more organizations than we'd like to admit fall into this category.

Robust systems can withstand shocks and maintain their function under stress. This is where most mature security programs aspire to be. They have solid incident response plans, well-tuned detection systems, and the ability to weather most storms. They're built to endure.

Anti-fragile systems are fundamentally different. They don't just survive volatility — they thrive because of it. Every attack teaches them something new. Every alert makes them smarter. Every incident strengthens their overall posture. They're built to improve.

Here's the crucial distinction: robust systems aim for stability and consistency. Anti-fragile systems actively seek to convert disorder into advantage. When a robust security program faces a new type of attack, it adapts and returns to equilibrium. When an anti-fragile security program faces that same attack, it emerges stronger and more capable than before.

Think about it this way: your immune system isn't just robust — it's anti-fragile. Each pathogen it encounters makes it better prepared for the next threat. Your security operations should work the same way.

The new reality we're operating in

The landscape we're defending has fundamentally changed. Threat actors are weaponizing AI at scale. Our organizations are simultaneously managing cloud, hybrid, and air-gapped footprints while juggling increasing compliance burdens and budget constraints. When even an organization like Google, with its mighty security team can get hacked due to security threats that lay dormant and undetected in their well resourced organization, it means that the ground beneath us is shifting. 

Meanwhile, everyone in the enterprise you are safeguarding — developers, business users, as well as attackers and threat actors are using AI as a force multiplier. This isn't just about adapting security operations to new tools. This is about recognizing that the volatility and complexity of our environment can become our greatest strategic advantage if we approach it correctly.

The four pillars of anti-fragile security operations

After years of working with security teams across government and commercial sectors, from my time at Sandia National Labs to leading security research at Splunk and building security GTM at Databricks, I've identified four core pillars that distinguish truly anti-fragile security programs:

Pillar 1: Human as the No. 1 data asset

This might sound counterintuitive in an era of AI and automation, but hear me out. Your team's intuition, experience, and institutional knowledge represent your most valuable data asset. The key is capitalizing on it systematically. The robust approach is to bring consistency to your teams’ response, measure your team to standards and upskill your staff. The reality is that we can never catch up to the skills and talent shortage realistically. The anti-fragile approach here would be to make lemonade out of lemons — use AI to bring the knowledge of every team member to every problem. Use the technology to uplevel and upskill your team.

Bring the whole team to every alert. Not literally — that would be chaos — but ensure that the collective knowledge and intuition of your team is accessible and applied to every security event. This means creating knowledge loops where insights from one analyst investigating an alert become immediately available to everyone else.

Your team's hunches, their sense that "something feels off," their ability to connect seemingly unrelated dots — these aren't soft skills. They're hard data that can be captured, codified, and amplified through the right systems and processes.

Pillar 2: Alerts are signal, not noise

In traditional security operations, alerts are often treated as problems to be solved or tickets to be closed. The robust approach would be to filter alerts or only look at the ones that are most likely to signal threats. As has been experienced very often lately, the initial attack or lateral movement of threat actors that remain dormant for a while are hard to detect. 

With an anti-fragile approach, every alert is a learning opportunity and a source of intelligence

Learn from every alert. Whether it's a true positive, a false positive, or something in between, each alert contains signal about your environment, your adversaries, and your detection capabilities. The goal isn't to filter alerts — it's to extract maximum learning from each one.

Expand use case coverage. Each alert that teaches you something should inform how you can detect similar or related threats in the future. This isn't just about tuning rules — it's about systematically growing your detection surface area based on real-world intelligence.

Grow security domain expertise. Every investigation deepens your team's understanding of your environment and threat landscape. Capture this knowledge systematically so it compounds over time.

Pillar 3: Analyze data where it lives

One of the biggest mistakes I see organizations make is trying to centralize all their data before they can analyze it. This creates bottlenecks, introduces delays, and often means you're working with stale or incomplete information.

Instead, bring the analysis to the data. Map data into knowledge graphs that preserve relationships and context. This approach allows you to maintain the speed and agility necessary for effective threat response while ensuring you have the complete picture when you need it.

This isn't just a technical architecture decision — it's a strategic one that determines whether your security program can scale with your organization's growth and complexity.

Pillar 4: Regulation as competitive advantage

Most organizations treat regulatory compliance as a burden — something that slows them down and constrains their options. Anti-fragile organizations flip this perspective entirely.

The robust approach is to build for stability. Most organizations use regulatory frameworks as forcing functions for operational maturity. However, there are almost 500 new regulations in the works, around AI and data privacy being debated in various states within the US alone. Just building for the robust approach makes sense, but will put an organization in constant chasing mode.

The anti-fragile approach is to build for optionality. Design your security program so that compliance requirements actually expand your capabilities rather than limiting them. When you build systems that exceed regulatory requirements by design, you create optionality for future growth and expansion.

When regulation becomes a source of competitive advantage rather than competitive burden, you know you're building something anti-fragile.

Converting volatility into advantage

The key insight behind anti-fragile security operations is that volatility — the unpredictability, the constant change, the emergence of new threats — isn't something to be eliminated. It's something to be harnessed.

Every new attack vector that emerges makes your detection systems smarter. Every false positive that gets investigated deepens your understanding of your environment. Every compliance requirement that gets implemented creates new opportunities for operational excellence.

This doesn't happen automatically. It requires intentional design of systems and processes that can extract value from chaos rather than just surviving it.

The path forward

Building an anti-fragile security program isn't about implementing a specific technology or following a particular methodology. It's about adopting a fundamentally different mindset — one that sees volatility as opportunity and uncertainty as a competitive advantage.

As we continue to navigate the AI era, the organizations that will thrive are those that don't just adapt to change, they get stronger because of it. Their security programs don't just protect against threats, they learn from these threats and become more capable with each encounter.

The question isn't whether your security program can withstand the next major threat or compliance change. The question is: will it be stronger because of it?

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.
Monzy Merza

Monzy Merza, co-founder and CEO of Crogl. With more than 20 years in cybersecurity leadership across government and commercial organizations, he’s served as VP of Security GTM at Databricks and VP, Head of Security Research at Splunk. Before that, he worked at Sandia National Laboratory.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds