The 78% Question

“Every quarter just get a little bit better.” Illustrated by VEO
“There’s an overspend on security by about 78% versus resilience.”
That observation, from Steve Kenniston (Senior Cybersecurity Consultant – Portfolio) at Security Field Day 15, sat at the centre of Dell Technologies’ session on cybersecurity maturity. The instinct to fund prevention is mature. The discipline of funding recovery is not.
For most of the last decade, the cybersecurity conversation has been diagnostic, retrospective, defensive. Most executive briefings still begin with an enterprise that has already been breached. But over the last four months, two new conversations have arrived without a breach to trigger them: AI security and quantum.
“I would say in the last 24 months, I’ve probably given a couple hundred presentations, maybe five questions about quantum. In the last four months, I’ve given probably 20 presentations and there’s been probably 10 questions about quantum.”
What is moving underneath it is the more interesting shift. The conversation is not only arriving earlier; it is changing posture. From defence to resilience. From “keep them out” to “recover well when they get in.”
The 78% Reframe
The 78% figure, from a Dell survey, is the structural insight of the session.
The analogy used was banking. Strong PINs, fraud detection, and identity verification are security controls. Diversified accounts, transaction reversals, and recovery posture are resilience controls. Most institutions invest heavily in the first set, and assume the second will be there when needed. Most enterprises do the same with their data estates.
The reframe matters because the question executives ask is the wrong one.
“Are we secure?” invites a binary answer, one that is already false the moment it is given.
“Are we resilient?” invites a posture: how quickly, with how much data integrity, into how clean an environment, under what level of forensic confidence.
None of those answers are binary, and none of them are produced by a control catalogue. They are produced by architectural discipline applied over time.
This is what the conversation has shifted around. Once an executive accepts it, the catalogue of follow-on questions—AI, quantum, agents—reorders itself around recovery rather than around prevention.
Why AI Pulled the Conversation Forward
The trigger is not the technology. It is a figure customers cite back to their vendors:
75–80% of AI projects stall because security was brought in too late.
It is a number executives have already heard, and they are bringing it into the conversation themselves.
What sits underneath is not a workload problem. It is a governance problem with new failure modes. Prompt injection does not fit any existing category of input validation. Training data lineage is not a procurement question anyone has a policy for. Output handling, when the output is unstructured and persuasive, breaks the assumptions of every downstream system designed around predictable schemas.
🛠️ Architectural View: An honest posture
The defensive technologies a mature enterprise already owns—identity, segmentation, supply chain controls, policy enforcement—apply where they apply, but they do not cover the new surface. They were not designed to. Which makes AI security the place where prevention-first thinking breaks first, and where resilience-by-default becomes the only honest posture: assume the surface is incompletely defended, design for graceful failure, design for clean recovery.
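The output-handling point above is the one a downstream engineer can act on today: treat model output as untrusted input and let it reach a system of record only after it validates against a fixed schema. The following is an added illustration, not code from the session or from Dell; the ticket schema, the allowed actions and the sample outputs are all constructed for the example.

```python
"""Strict validation of model output before it reaches a downstream system.

Added example with constructed inputs. The ticket schema (action, ticket_id,
summary), the allowed action set and the sample outputs are assumptions,
not any vendor's format.
"""
import json
import re

ALLOWED_ACTIONS = {"open_ticket", "close_ticket", "escalate"}
FIELD_TYPES = {"action": str, "ticket_id": str, "summary": str}  # exact field set
TICKET_ID = re.compile(r"TCK-\d{1,8}")  # constructed identifier format
MAX_SUMMARY_CHARS = 200


class OutputRejected(ValueError):
    """Raised when model output does not match the downstream contract."""


def parse_model_output(raw: str) -> dict:
    """Accept only a JSON object with exactly the expected fields and values."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Persuasive prose around the JSON is still a rejection, not a parse.
        raise OutputRejected("not a JSON document") from exc
    if not isinstance(data, dict):
        raise OutputRejected("top level is not an object")
    extra = set(data) - set(FIELD_TYPES)
    missing = set(FIELD_TYPES) - set(data)
    if extra or missing:
        raise OutputRejected(f"fields: extra={sorted(extra)} missing={sorted(missing)}")
    for name, typ in FIELD_TYPES.items():
        if not isinstance(data[name], typ):
            raise OutputRejected(f"{name} is not {typ.__name__}")
    if data["action"] not in ALLOWED_ACTIONS:
        raise OutputRejected(f"action {data['action']!r} not allowed")
    if not TICKET_ID.fullmatch(data["ticket_id"]):
        raise OutputRejected("ticket_id malformed")
    if len(data["summary"]) > MAX_SUMMARY_CHARS:
        raise OutputRejected("summary too long")
    return data


def safe_parse(raw: str):
    """Return (data, None) on success or (None, reason) when rejected."""
    try:
        return parse_model_output(raw), None
    except OutputRejected as exc:
        return None, str(exc)


# Constructed sample outputs: one well-formed, four that a schema-bound
# consumer must refuse even though each "looks" reasonable to a human.
SAMPLE_OUTPUTS = {
    "well-formed": '{"action": "escalate", "ticket_id": "TCK-4471", '
                   '"summary": "Customer cannot log in after password reset."}',
    "prose-wrapped": 'Sure! Here is the JSON you asked for: '
                     '{"action": "escalate", "ticket_id": "TCK-4471"}',
    "extra-field": '{"action": "close_ticket", "ticket_id": "TCK-4471", '
                   '"summary": "Resolved.", "priority": "urgent"}',
    "unknown-action": '{"action": "delete_ticket", "ticket_id": "TCK-4471", '
                      '"summary": "Cleanup."}',
    "wrong-type": '{"action": "open_ticket", "ticket_id": 4471, '
                  '"summary": "Printer offline."}',
}

if __name__ == "__main__":
    for label, raw in SAMPLE_OUTPUTS.items():
        data, reason = safe_parse(raw)
        print(f"{label:15} {'accepted' if data else 'rejected: ' + reason}")
```

The design choice is deliberate: the validator enumerates what is permitted (fields, types, action names, identifier shape, length) and rejects everything else, including extra fields, because a downstream system built on predictable schemas cannot safely guess what an unexpected field was meant to do.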
The Asymmetry of Q-Day
Quantum is the harder conversation, because the threat model is not symmetric with the timeline.
“With Y2K it was pretty predictable. It was the date. When does Q day hit? Who knows.”
Two threat patterns sit underneath that uncertainty. Harvest now, decrypt later is well known: adversaries are already collecting encrypted traffic against the day a sufficiently capable quantum machine can break it. The newer pattern is trust now, forge later: once harvested credentials become decryptable, the question is whether anyone has actually rotated them in the past five years. Probably not.
Regulators are not waiting for a date. Canada set April 2026 as the deadline to create initial migration plans. The EU expects discovery, assessment, and initial transition plans complete by 31 December 2026. The United States requires CNSA 2.0 algorithms for all new National Security Systems acquisitions from 1 January 2027 (CNSSP 15). The UK target is to complete discovery and assessment and create initial migration plans by 2028. Australia recommends organisations have a refined plan for their transition to PQC by end of 2026.
The most candid moment in the session was the admission underneath that timeline. A major infrastructure vendor cannot certify its own arrays as PQC-ready until every drive, controller, and HBA inside them is also ready. The crypto inventory is the work. Roadmaps cannot be honest until that work is done.
For executives now asking the question, that admission is the answer. The right response to “is the platform quantum-safe?” is not a date. It is a discovery and assessment programme, executed against a cryptographic bill of materials, beginning now. Resilience again, in a different costume.
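What a discovery and assessment programme produces, in practice, is a cryptographic bill of materials that each asset can be triaged against the two threat patterns named earlier (harvest now, decrypt later; trust now, forge later) and against the five-year rotation question. The following is an added example of that triage step, not code from Dell or from the session; the inventory records, the asset names, the assessment date and the priority ordering are constructed assumptions, and the symmetric floors follow the CNSA 2.0 guidance (AES-256, SHA-384 or stronger) that the page's regulatory list refers to.

```python
"""Triage a cryptographic bill of materials (CBOM) against the quantum threat
patterns: harvest-now-decrypt-later for confidentiality, trust-now-forge-later
for signatures and credentials, plus the credential-rotation question.

Added example; the inventory, asset names and AS_OF date are constructed.
"""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2026, 3, 1)  # assumed assessment date for the constructed inventory

# Public-key schemes whose security rests on factoring or discrete logarithms,
# which Shor's algorithm breaks on a sufficiently large quantum computer.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519"}
# NIST post-quantum standards (ML-KEM, ML-DSA, SLH-DSA).
PQC_READY = {"ML-KEM", "ML-DSA", "SLH-DSA"}
# CNSA 2.0 symmetric guidance: AES-256 for encryption, SHA-384 or longer for hashing.
SYMMETRIC_FLOOR = {"encrypt": 256, "hash": 384}
MAX_CREDENTIAL_AGE_YEARS = 5  # "has anyone rotated them in the past five years?"


@dataclass(frozen=True)
class CryptoAsset:
    name: str                 # system or component the primitive lives in
    algorithm: str            # e.g. "RSA", "AES", "ML-DSA"
    bits: int                 # key size or security parameter
    purpose: str              # "encrypt" | "kex" | "sign" | "hash"
    last_rotated: date        # when the key or credential was last replaced
    data_lifetime_years: int = 0  # how long protected data must stay secret


def classify(asset: CryptoAsset, today: date = AS_OF) -> list:
    """Return the finding tags for one asset; an empty list means no finding."""
    findings = []
    alg = asset.algorithm.upper()
    if alg in SHOR_VULNERABLE:
        if asset.purpose in ("encrypt", "kex"):
            # Ciphertext captured today stays exposed for the data's lifetime.
            findings.append("harvest-now-decrypt-later")
        if asset.purpose == "sign":
            # A later-recovered private key lets an adversary forge trust.
            findings.append("trust-now-forge-later")
        age_years = (today - asset.last_rotated).days / 365.25
        if age_years > MAX_CREDENTIAL_AGE_YEARS:
            findings.append("unrotated-credential")
    elif alg not in PQC_READY:
        # Symmetric and hash primitives: flag those below the CNSA 2.0 floor.
        floor = SYMMETRIC_FLOOR.get(asset.purpose)
        if floor is not None and asset.bits < floor:
            findings.append("below-cnsa2-symmetric-floor")
    return findings


def triage(assets, today: date = AS_OF) -> dict:
    """Map each asset name to its findings."""
    return {a.name: classify(a, today) for a in assets}


def migration_order(assets, today: date = AS_OF) -> list:
    """Assets with more findings first, then by how long their data must stay secret."""
    report = triage(assets, today)
    ranked = sorted(assets, key=lambda a: (len(report[a.name]), a.data_lifetime_years), reverse=True)
    return [a.name for a in ranked]


# Constructed inventory records (not a real estate).
SAMPLE_INVENTORY = [
    CryptoAsset("tls-edge-proxy", "ECDH", 256, "kex", date(2025, 1, 10), data_lifetime_years=10),
    CryptoAsset("backup-signing-key", "RSA", 3072, "sign", date(2018, 6, 1)),
    CryptoAsset("archive-at-rest", "AES", 128, "encrypt", date(2024, 9, 1), data_lifetime_years=25),
    CryptoAsset("integrity-hash", "SHA2", 256, "hash", date(2024, 9, 1)),
    CryptoAsset("firmware-sign", "ML-DSA", 192, "sign", date(2025, 11, 1)),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_INVENTORY).items():
        print(f"{name:20} {', '.join(findings) or 'no finding'}")
    print("migration order:", migration_order(SAMPLE_INVENTORY))
```

The point of the exercise is the ordering, not the tags: an archive that must stay confidential for twenty-five years outranks a TLS endpoint whose traffic loses value in a decade, and a signing key nobody has rotated since 2018 outranks both, because the inventory is what makes a roadmap honest.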
What Comes Next: Agents
The session closed where the next conversation will begin.
“How do I make sure it carries my permissions? Because it’s acting for me.”
Permission inheritance. Identity continuity. The human-in-the-loop question of whether the person granting the permission understood what they were granting. None of these are solved. None are even consistently named yet.
The organisations that get agentic AI right will not be the ones with the best models. They will be the ones who designed the recovery questions before deployment: how to revoke an agent, how to audit what it did on someone’s behalf, how to recover the systems it touched if its judgement turns out to be wrong. Prevention thinking will be tested here too. Resilience thinking is what survives.
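The three recovery questions above (how to revoke an agent, how to audit what it did on someone's behalf, how to recover the systems it touched) can be answered in the data model before any agent is deployed. The following is an added illustration of such a model, not a product's API or anything shown in the session; the principal names, scope strings, resource identifiers and the in-memory store are constructed for the example. It enforces permission inheritance as a subset check, ties the agent's effective permissions to the principal's current permissions, and records every grant, action, denial and revocation.

```python
"""Delegated permissions for an agent acting on a person's behalf, with the
recovery questions designed in: revoke, audit, and list what was touched.

Added example; principals, scopes, resources and the clock are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2026, 3, 1, 9, 0)  # constructed reference time


def at(hours: float) -> datetime:
    """Clock helper: T0 plus a number of hours."""
    return T0 + timedelta(hours=hours)


@dataclass
class Delegation:
    agent_id: str
    principal_id: str
    scopes: frozenset        # never more than the principal held at grant time
    expires_at: datetime     # every delegation is bounded in time
    revoked: bool = False


class DelegationStore:
    def __init__(self, principal_scopes):
        # Current permissions of each human principal, e.g. {"alice": {"mail:send"}}.
        self.principal_scopes = {p: set(s) for p, s in principal_scopes.items()}
        self._delegations = {}
        self.audit_log = []  # (when, event, delegation_id, agent, principal, detail)

    def grant(self, principal_id, agent_id, scopes, ttl_hours, now):
        """Permission inheritance: an agent may only receive a subset of its principal's scopes."""
        requested = frozenset(scopes)
        excess = requested - self.principal_scopes.get(principal_id, set())
        if excess:
            raise PermissionError(f"{principal_id} cannot delegate {sorted(excess)}")
        did = f"dlg-{len(self._delegations) + 1}"
        self._delegations[did] = Delegation(agent_id, principal_id, requested,
                                            now + timedelta(hours=ttl_hours))
        self._record(now, "grant", did, sorted(requested))
        return did

    def revoke(self, did, now):
        """How to revoke an agent: flip the flag; later actions are denied and logged."""
        self._delegations[did].revoked = True
        self._record(now, "revoke", did, None)

    def act(self, did, scope, resource, now) -> bool:
        """Authorise one action. Identity continuity: the scope must still be held
        by the principal right now, not only at grant time."""
        d = self._delegations[did]
        allowed = (not d.revoked
                   and now < d.expires_at
                   and scope in d.scopes
                   and scope in self.principal_scopes.get(d.principal_id, set()))
        self._record(now, "act" if allowed else "deny", did, (scope, resource))
        return allowed

    def touched(self, did) -> list:
        """How to recover the systems it touched: resources of successful actions."""
        return sorted({detail[1] for _, ev, i, _, _, detail in self.audit_log
                       if ev == "act" and i == did})

    def _record(self, now, event, did, detail):
        d = self._delegations[did]
        self.audit_log.append((now, event, did, d.agent_id, d.principal_id, detail))


if __name__ == "__main__":
    store = DelegationStore({"alice": {"calendar:read", "mail:send"}})
    did = store.grant("alice", "agent-7", {"calendar:read"}, ttl_hours=2, now=at(0))
    store.act(did, "calendar:read", "cal/alice/2026-03", at(1))
    store.act(did, "mail:send", "mail/outbox", at(1))  # never delegated: denied
    store.revoke(did, at(1.5))
    for entry in store.audit_log:
        print(entry)
    print("touched:", store.touched(did))
```

Two behaviours are worth noticing: denials are logged with the same attribution as successes, because the audit question is "what did it try to do", not only "what did it manage"; and reducing the principal's own permissions immediately shrinks every agent acting for them, so revoking the human never leaves a live agent behind.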
Closing Reflections
Two shifts, in one conversation. The first is when it happens—earlier, before the breach rather than after. The second is what it is about—recovery rather than prevention. They look similar from a distance and behave nothing alike in execution.
The executives who hear both shifts move first. The ones who have noticed that the hardest part of AI transformation is not the AI but the foundations the AI will sit on top of are already calling. Not because they have been breached. Because they have read the room, and the room has changed.
“Every quarter just get a little bit better.”
That is the discipline.
🔍 Links for Further Reference
Watch the full Security Field Day 15 session:


