Podcast: The Resilience Room (2 topics)

It's Software, Not Magic: Navigating the Vulnerability Speed Wave and Shadow AI
🎧 Listen now to The Resilience Room

What does a 31-year career at one company look like in cybersecurity? For Lee Stephens, it looks like research, marketing, sales, operations, and consultancy, and never a dull moment. In this episode of The Resilience Room, Lee sat down with host Sam Dickison to cut through the noise on ransomware, the collapsing patch window, Shadow AI, and the looming quantum reckoning.

The Retail Ransomware Wake-Up Call

Last year's wave of attacks on the UK retail sector made cybersecurity front-page news. For Lee, the most striking thing wasn't the sophistication of the attacks; it was the opposite.

"What came home was actually the simplicity of the attacks. Those really fundamental, boring basics are absolutely critical — and involved in so many of the incidents we deal with."

While the media spotlight has moved on to AI, the threat landscape hasn't changed nearly as much as the news cycle suggests. The fundamentals remain the same: strong, unique passwords; systems kept patched and up to date; backups that are actually tested by restoring from them; and a plan for a bad day. As Lee puts it, you don't need to outrun the bear, just don't be the slowest runner.

The Vulnerability Speed Wave: Your 90-Day Patch Window Is Gone

Here's the stat that should reframe every conversation about patch management: the average time from CVE disclosure to active exploitation.

2021: one year
2025: one month
2026: one week and one day
2027 projection: potentially an hour, or a minute

This acceleration is being driven by AI-assisted vulnerability research on both sides: the same tooling that helps defenders find bugs helps attackers weaponise them. The traditional 90-day patch window is functionally dead, and some vendors are already moving to fortnightly release cycles. Speed is now a security control in its own right: the question is no longer whether a patch is scheduled, but whether it lands before the exploit does.

AI in the SOC: Real Benefits, Realistic Limits

SOC analyst burnout is real. The volume of alerts and the repetitive triage work mean AI-assisted automation has genuine potential to help. But fully autonomous SOCs? Lee remains cautious.

"At times AI feels like magic.
It's not magic, it's software. And from thirty years ago when I did my computer science degree: garbage in, garbage out."

His recommendation: don't chase the ten-times transformation. Chase the ten percent improvement and compound it. Organisations that have tried to automate everything often find they're spending more time maintaining the automations than the work itself would have taken.

Shadow AI: The New Shadow IT Problem

Most people using unofficial AI tools aren't being malicious; they're trying to get their job done. But the risk is real, especially around feeding confidential data into models without proper data-handling agreements in place. Some of Lee's clients require all data to remain in the UK at all times, which effectively rules out certain major tools whose providers can't guarantee that under peak load.

His cautionary scenario: a team uses AI to diagnose an infrastructure problem. The output gets translated for customers, then condensed for a senior exec. Each iteration drifts further from reality, and when the fix doesn't work, multiple conflicting versions of "the truth" are already in circulation.

"AI has no conscience, it doesn't care. It's a prediction engine. It's software. Not magic — software."

The solution is culture and training as much as technical controls, combined with IT teams designing better corporate solutions so people don't need to go off-piste in the first place.

What's Next: Quantum's Y2K Moment

Quantum computing has been "just five years away" for decades, but the trend lines are genuinely moving: more qubits, better coherence times, major advances every few months. The security implication is stark. The maths underpinning today's asymmetric cryptography (RSA, Diffie-Hellman and the elliptic-curve schemes) can be solved efficiently by a sufficiently large quantum computer running Shor's algorithm, which means every piece of public-key cryptography in use eventually needs replacing. Symmetric ciphers and hashes are far less affected: Grover's algorithm roughly halves their effective strength, so AES-256 and SHA-256 remain sound, while AES-128 leaves a thinner margin. NIST published its first post-quantum cryptography standards in August 2024 (FIPS 203 ML-KEM for key establishment, FIPS 204 ML-DSA and FIPS 205 SLH-DSA for signatures), and vendors are beginning to implement them. But the migration is a massive undertaking.
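Picking up the patch-window point from earlier in the episode: if the disclosure-to-exploit lag is collapsing, the sensible response is to measure the lag you actually face and set patch deadlines from that measurement rather than from a fixed 90-day habit. The script below is an added example, not code from the episode or from Immersive. Its exploitation records and open findings are constructed placeholders (the labels are not real CVE identifiers), standing in for what you would pull from your own incident history or an exploited-vulnerabilities feed; the deadline policy it applies is an assumption to adapt, not a standard.

```python
"""Measure the disclosure-to-exploit lag and derive patch deadlines from it.

Added example (not from the episode or from Immersive). SAMPLE_RECORDS and
SAMPLE_FINDINGS are constructed placeholders; labels are not real CVE ids.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from math import ceil
from statistics import median
from typing import List, Sequence


@dataclass(frozen=True)
class ExploitRecord:
    label: str             # placeholder, not a real CVE identifier
    disclosed: date        # advisory / CVE publication date
    first_exploited: date  # first observed in-the-wild exploitation


# Constructed sample: ten vulnerabilities with lags from one day to 90 days.
SAMPLE_RECORDS = [
    ExploitRecord("sample-01", date(2025, 3, 1), date(2025, 3, 2)),
    ExploitRecord("sample-02", date(2025, 3, 5), date(2025, 3, 8)),
    ExploitRecord("sample-03", date(2025, 4, 1), date(2025, 4, 6)),
    ExploitRecord("sample-04", date(2025, 4, 10), date(2025, 4, 17)),
    ExploitRecord("sample-05", date(2025, 5, 2), date(2025, 5, 10)),
    ExploitRecord("sample-06", date(2025, 5, 20), date(2025, 6, 1)),
    ExploitRecord("sample-07", date(2025, 6, 1), date(2025, 6, 21)),
    ExploitRecord("sample-08", date(2025, 6, 15), date(2025, 7, 15)),
    ExploitRecord("sample-09", date(2025, 7, 1), date(2025, 8, 15)),
    ExploitRecord("sample-10", date(2025, 8, 1), date(2025, 10, 30)),
]


def lag_days(records: Sequence[ExploitRecord]) -> List[int]:
    """Sorted number of days between disclosure and first observed exploitation."""
    return sorted((r.first_exploited - r.disclosed).days for r in records)


def percentile(sorted_values: Sequence[int], p: float) -> int:
    """Nearest-rank percentile of an already sorted list."""
    if not sorted_values:
        raise ValueError("no data")
    idx = max(0, ceil(p / 100 * len(sorted_values)) - 1)
    return sorted_values[idx]


@dataclass(frozen=True)
class ExploitWindow:
    median_days: float   # the typical attacker
    fast_tail_days: int  # 10th percentile: the attackers you actually have to beat


def measure_window(records: Sequence[ExploitRecord]) -> ExploitWindow:
    lags = lag_days(records)
    return ExploitWindow(median(lags), percentile(lags, 10))


@dataclass(frozen=True)
class OpenFinding:
    label: str
    disclosed: date
    internet_facing: bool
    known_exploited: bool  # e.g. already on an exploited-vulnerabilities list


def patch_deadline(finding: OpenFinding, window: ExploitWindow) -> date:
    """Assumed policy: deadlines come from the measured window, not a fixed 90 days.

    Known-exploited: no grace period, the deadline is the disclosure date.
    Internet-facing: beat the fast tail of attackers.
    Everything else: beat the median attacker.
    """
    if finding.known_exploited:
        return finding.disclosed
    if finding.internet_facing:
        return finding.disclosed + timedelta(days=window.fast_tail_days)
    return finding.disclosed + timedelta(days=int(window.median_days))


def overdue(findings: Sequence[OpenFinding], window: ExploitWindow, today: date) -> List[str]:
    """Labels of findings whose derived deadline has already passed."""
    return [f.label for f in findings if today > patch_deadline(f, window)]


AS_OF = date(2025, 9, 1)  # constructed "today" for the sample findings
SAMPLE_FINDINGS = [
    OpenFinding("open-a", date(2025, 8, 25), internet_facing=True, known_exploited=False),
    OpenFinding("open-b", date(2025, 8, 25), internet_facing=False, known_exploited=False),
    OpenFinding("open-c", date(2025, 8, 31), internet_facing=True, known_exploited=False),
    OpenFinding("open-d", date(2025, 8, 31), internet_facing=False, known_exploited=True),
]

if __name__ == "__main__":
    w = measure_window(SAMPLE_RECORDS)
    print(f"median lag {w.median_days} days, fast tail {w.fast_tail_days} day(s)")
    print("overdue:", overdue(SAMPLE_FINDINGS, w, AS_OF))
```

On the constructed data the median lag is ten days and the fast tail is a single day, so an internet-facing finding disclosed a week ago is already overdue while the same finding on an internal host still has a few days. The point of deriving the numbers rather than hard-coding them is that the policy tightens automatically as the feed shows the window shrinking.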
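Knowing "what to upgrade and in what order" is a ranking problem once the inventory exists. The script below is an added example, not code from the episode or from Immersive: it applies Mosca's inequality (migrate now if the years the data must stay protected, X, plus the years the migration will take, Y, exceed the years until a cryptographically relevant quantum computer, Z) to a constructed inventory, ranks Shor-vulnerable public-key uses ahead of Grover-weakened symmetric ones, and uses purpose as a tie-breaker so that key exchange for long-lived data (exposed today to harvest-now, decrypt-later collection) goes before signatures. The inventory entries and the value of Z are assumptions; your own numbers will differ.

```python
"""Rank a cryptographic inventory for post-quantum migration using Mosca's inequality.

Added example (not from the episode or from Immersive). SAMPLE_INVENTORY and
YEARS_TO_CRQC are constructed assumptions to be replaced with your own data.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Public-key schemes built on factoring or discrete logarithms fall to Shor's
# algorithm. Symmetric ciphers only lose about half their effective key length
# to Grover's algorithm. Names outside all three sets are inventory gaps.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "Ed25519", "X25519"}
GROVER_WEAKENED = {"AES-128", "3DES"}
PQ_SAFE = {"AES-256", "ChaCha20-Poly1305", "SHA-256", "SHA-384",
           "ML-KEM-768", "ML-DSA-65", "SLH-DSA"}

IMPACT_RANK = {"shor": 0, "unknown": 1, "grover": 2, "safe": 3}
PURPOSE_RANK = {"key-exchange": 0, "bulk-encryption": 1, "signature": 2}


@dataclass(frozen=True)
class CryptoAsset:
    name: str
    algorithm: str
    key_bits: int
    purpose: str                # "key-exchange", "bulk-encryption" or "signature"
    data_lifetime_years: float  # X: how long what it protects must stay trustworthy
    migration_years: float      # Y: estimated time to replace it end to end


def quantum_impact(asset: CryptoAsset) -> str:
    """Classify an asset by what a quantum computer does to its algorithm."""
    if asset.algorithm in SHOR_BROKEN:
        return "shor"
    if asset.algorithm in GROVER_WEAKENED:
        return "grover"
    if asset.algorithm in PQ_SAFE:
        return "safe"
    return "unknown"  # an inventory gap: treat as suspect until identified


def mosca_slack(asset: CryptoAsset, years_to_crqc: float) -> float:
    """Z - (X + Y). Negative means the protected data is already at risk."""
    return years_to_crqc - (asset.data_lifetime_years + asset.migration_years)


def migration_order(assets: Sequence[CryptoAsset], years_to_crqc: float) -> List[CryptoAsset]:
    """Most urgent first: impact class, then least slack, then purpose (HNDL first)."""
    def key(a: CryptoAsset):
        return (IMPACT_RANK[quantum_impact(a)],
                mosca_slack(a, years_to_crqc),
                PURPOSE_RANK.get(a.purpose, 9))
    return sorted(assets, key=key)


def report(assets: Sequence[CryptoAsset], years_to_crqc: float) -> List[Dict[str, object]]:
    """One row per asset in migration order, with the reason it sits where it does."""
    rows = []
    for a in migration_order(assets, years_to_crqc):
        impact = quantum_impact(a)
        slack = mosca_slack(a, years_to_crqc)
        if impact == "safe":
            action = "no algorithm change needed"
        elif slack < 0:
            action = "migrate now: Mosca inequality already violated"
        else:
            action = f"plan migration; {slack:.0f} years of slack"
        rows.append({"name": a.name, "impact": impact, "slack_years": slack, "action": action})
    return rows


YEARS_TO_CRQC = 10.0  # assumed Z; nobody knows this number, which is Lee's point

# Constructed inventory; names and figures are placeholders.
SAMPLE_INVENTORY = [
    CryptoAsset("vpn-ikev2", "ECDH", 256, "key-exchange", 10.0, 2.0),
    CryptoAsset("backup-archive", "AES-256", 256, "bulk-encryption", 25.0, 1.0),
    CryptoAsset("code-signing", "RSA", 3072, "signature", 5.0, 3.0),
    CryptoAsset("internal-ldap-tls", "RSA", 2048, "key-exchange", 1.0, 1.0),
    CryptoAsset("legacy-vpn", "3DES", 168, "bulk-encryption", 2.0, 1.0),
]

if __name__ == "__main__":
    for row in report(SAMPLE_INVENTORY, YEARS_TO_CRQC):
        print(f"{row['name']:<20} {row['impact']:<8} {row['slack_years']:>6.1f}  {row['action']}")
```

With Z set to ten years the VPN key exchange protecting ten-year data tops the list (its slack is already negative), the RSA code-signing key follows because its three-year migration eats most of its slack, and the AES-256 archive sits at the bottom despite its 25-year lifetime because the algorithm itself does not need replacing. Change YEARS_TO_CRQC and the order moves, which is exactly why the inventory has to exist before the date is known.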
"It's akin to a Y2K moment where everybody needs to upgrade — for really no benefit at all, just to stay standard. The only disadvantage is we don't know when the moment is."

The organisations best placed will be the ones who've already done their cryptographic inventory and know what they'd need to upgrade and in what order. Data that must stay confidential for years is exposed today to harvest-now, decrypt-later collection, so key exchange and the encryption of long-lived data come before signatures in that order.

Whether the topic is ransomware, patch windows, AI, or quantum, Lee's message is consistent: there's no silver bullet, no magic. Just fundamentals, applied consistently, with humans staying in the loop. After 31 years, it's the message that keeps working.

The Resilience Room is hosted by Sam Dickison. New episodes explore the human and technical realities of cybersecurity with guests from across the industry.

PODCAST: The Resilience Room
https://dashboard.rss.com/podcasts/the-resilience-room-cyber/

👆 Listen on your favourite podcast app or online here.

Welcome to The Resilience Room, where cyber professionals sit back and chat about their lives, passions and experiences. We discuss cyber culture, thought leadership, technical topics and emerging trends. Hosted by Sam Dickison, Community Manager at Immersive.

💡 We'd love to hear your questions for guests, or guest suggestions! Please comment on this post with any ideas.