UpTrajectory Review

The article from CSO Online critiques the current state of cybersecurity, likening it to an emergency room that focuses on reactive measures rather than proactive health models. It argues that while cybersecurity has become adept at responding to crises, it lacks a comprehensive approach that emphasizes prevention and continuous monitoring, especially in the age of artificial intelligence. The piece highlights the urgency for a paradigm shift in how organizations assess and manage their cybersecurity posture.

For small business owners, this insight is particularly relevant as it underscores the need to rethink cybersecurity strategies. Instead of merely reacting to incidents, businesses should adopt a more holistic approach that includes regular assessments and proactive measures. This shift could mean investing in ongoing training, better monitoring tools, and a culture that prioritizes cybersecurity as a continuous process rather than a one-time checklist. The emphasis on asking the right questions about security reflects a broader need for businesses to engage in deeper, more meaningful conversations about their cybersecurity health.

“We do not have a tooling problem. We have a missing-model problem.” — CSO Online

Takeaway: Shift your cybersecurity strategy from reactive to proactive by adopting continuous monitoring and assessment practices.

From the original item — CSO Online:

For 30 years, cybersecurity has operated like an emergency room.

Reactive. Crisis-driven. Always triaging. We are extraordinarily good at it — our detection is faster, our response playbooks are sharper, our incident teams are more capable than they have ever been. When something goes wrong, the modern security organization runs toward the fire with real skill.

But here is the uncomfortable truth that artificial intelligence is now forcing into the open: An emergency room does not produce a healthy population. Healthcare does that — through prevention, continuous monitoring, early diagnosis and a model of the whole patient.

Cybersecurity never built that model. We built the trauma bay and called it a profession.

For a long time, we got away with it. The threat environment moved at human speed. The gaps in our thinking were survivable. AI has ended that grace period. It has not created a new weakness so much as it has illuminated the oldest one — and it is now moving faster than our reactive posture can absorb.

We do not have a tooling problem. We have a missing-model problem. And until we name it, no amount of investment will fix it.

We’ve been asking — and answering — the wrong question

Walk into almost any boardroom and you will hear the same exchange. A director asks the CISO: “Are we secure?”

It is the wrong question, and most of us have known it for years.

“Secure” is binary. It is a snapshot. It is a yes-or-no answer to something that is actually a living, continuously changing condition. No physician would accept that question from a patient. A doctor does not ask “Are you healthy?” and expect a useful answer. They ask a better set of questions: How are you functioning? What do the vital signs say? What is trending in the wrong direction? What needs attention now, before it becomes a crisis?

Cybersecurity has never adopted that mindset because it never had the model that requires it. We have frameworks for controls. We have frameworks for adversary behavior. We have no widely adopted framework for organizational health — for whether the enterprise, as a whole living system, is well.

That gap was tolerable when threats were slow. It is not tolerable now.

Why AI breaks the reactive model

AI changes three things at once, and each one punishes a reactive posture specifically.

  • It compresses the timeline. Reconnaissance, exploitation, lateral movement and exfiltration that once unfolded over days now unfold in minutes. An emergency-room model assumes there is time between the symptom and the intervention. AI is closing that window. You cannot triage your way through an attack that completes before the triage begins.
  • It industrializes the routine. AI makes competent attacks cheap and abundant — phishing that is grammatically perfect and contextually aware, deepfaked executives authorizing transfers, vulnerability discovery at machine scale. The reactive model assumes a manageable volume of meaningful events. AI removes that assumption.
  • It introduces a new organ we do not know how to monitor. Every enterprise is now deploying AI systems into its own operations — including its security operations. These systems make decisions, take actions and carry risk. They are, in clinical terms, a new organ inside the body. And most organizations have deployed them with no intake assessment, no monitoring of their condition and no governance of their behavior. We have added an organ to the patient and never checked whether it is healthy.

A reactive model has no answer to any of this. You cannot out-triage machine speed. The only viable response is to shift from reaction to health — to build the enterprise’s adaptive capacity before the crisis, not after.

What a health model actually looks like

This is the thinking behind the Clinical Cybersecurity Framework — a model I have developed over two decades in the CISO chair, and one that has resonated strongly enough with peers over the past months to convince me it is naming something the industry already feels.

The premise is simple. An enterprise should be treated less like static infrastructure and more like a living organism — and once leaders see that anatomy clearly, the entire security conversation changes.

Every enterprise has the same essential anatomy:

ENTERPRISE SYSTEM            CLINICAL EQUIVALENT
Critical business services   Organs
Data flows                   Circulatory system
Identity and access          Immune system
Infrastructure               Nervous system
Telemetry and monitoring     Vital signs
Incident response            Emergency medicine
Resilience and recovery      Rehabilitation
Governance                   Clinical leadership
AI oversight                 Autonomous clinical supervision

Figure: The digital enterprise, clinical view. An anatomy map of the Clinical Cybersecurity Framework (graphic: Patrick Doliny).

This is not a metaphor for its own sake. It is an operating model, and it does three things a controls checklist cannot.

  1. It makes diagnosis come before treatment. No competent clinician prescribes before examining. Yet cybersecurity routinely buys tools before it has assessed the patient. A health model requires a clinical intake first — an honest baseline of how the organization is actually functioning — and only then a treatment plan built for that specific patient.
  2. It makes health measurable and continuous. A patient’s vital signs are monitored continuously, against known healthy ranges, with the direction of movement mattering as much as the current value. A health model holds cybersecurity to the same standard: Not an annual audit snapshot, but continuous monitoring of the organization’s real condition.
  3. It gives every leader one shared question. A heart rhythm is universally legible — a clinician, an administrator and a frightened family member can all read the same monitor and grasp the same essential question: Is the rhythm steady, or is something wrong? Cybersecurity has never had that shared signal. Boards get threat counts and patch percentages; they do not get a pulse. A health model gives technologists, executives and directors one common language for the same reality.

Where this fits with the frameworks we already have

This does not replace what works. It completes it.

NIST explains controls — the disciplined architecture of safeguards. MITRE explains adversaries — how attackers think and move. Both are essential. Neither was built to answer whether the organization, as a whole, is well.

NIST tells you whether the safeguards exist. MITRE tells you who is coming for them. A clinical model tells you whether the patient can withstand the encounter — and recover from it. That third question is the one AI is now asking with an urgency the industry has never faced. It is the missing layer, and it sits above the others, not against them.

Figure: A graphic representing how NIST, MITRE and CCF fit together to create a complete view of cybersecurity (graphic: Patrick Doliny).

Why this matters for the CISO and the board

Adopting a health model changes the CISO’s role and changes it for the better.

It moves the CISO out of the position of the technician who reports incidents and into the position of the clinician who reports condition. “Are we secure?” has no good answer. “Here is our organizational health, here are the vital signs trending the wrong way, here is the treatment plan and what it requires” — that is a conversation a board can actually govern with.

It also reframes resilience itself. Resilience is not the redundant infrastructure that restores data. Resilience, properly understood, is the process and outcome of adapting successfully to difficult conditions — through mental, emotional and behavioral flexibility. Backups restore data. Only adaptive people and well-governed systems restore an organization. A health model treats that adaptive capacity as something to be built and measured, not assumed.

And it gives the enterprise a way to think about AI that matches the stakes. If AI is a new organ, it requires what every organ requires: An intake assessment before deployment, continuous monitoring of its condition, defined operating boundaries and clinical-grade governance. AI deployed without that is not a capability. It is an unmonitored risk inside the body it was meant to protect.

Figure: Two different dashboards showing the difference between a technician-centric report and a clinician-centric report (graphic: Patrick Doliny).

It’s time to stop running the emergency room

The reactive era of cybersecurity is ending — not because it failed, but because it was never the whole job. We built a superb emergency room and mistook it for a healthcare system. AI is the force that has made the missing piece impossible to ignore.

The organizations that will lead the next decade will not be the ones with the most tools or the loudest alerts. They will be the ones that can answer a better question than “Are we secure?”

They will be the ones that can say, with evidence: We know how this organism is functioning. We are monitoring its vital signs. We are treating what the diagnosis revealed. And we are building the adaptive capacity to absorb what comes next.

It is time to stop running the emergency room and start practicing medicine.

This article is published as part of the Foundry Expert Contributor Network.