When AI Becomes the Adversary

Inavate Consulting - ISO 27001

As cybersecurity consultants with expertise in ISO 27001 implementation, governance, and other related standards, we’ve spent years helping organisations design security frameworks built on prevention, compliance, and continuous improvement. But let’s be honest, something fundamental has shifted.

Jane Frankland MBE puts it brilliantly in her latest article, “When Prevention Fails: How Hackers and AI are Forcing a Cybersecurity Rethink”. It’s an essential read for anyone serious about securing information security management systems in 2025 and beyond. In it, she outlines how AI is revolutionising cybersecurity: whilst it’s empowering defenders, it’s also supercharging attackers. And she’s absolutely right: the traditional prevention-first model is no longer enough.

Here, we look at some of Jane’s key points and urge you to read her full article.

AI Changes Everything, Including the Enemy

As ISO 27001 consultants, we see many organisations investing heavily in controls, risk assessments, and certification. These form the foundation of your information security requirements, without question. But they can also lull a business into a false sense of security if they are not paired with adaptive threat detection, cyber recovery planning, and real-time response capabilities.

Jane’s article rightly exposes how the threat landscape is being reshaped by AI-enabled hacker collectives who operate more like decentralised startups than lone wolves. They learn fast, share tools freely, and have access to AI-generated malware and “Cybercrime-as-a-Service” packages that dramatically lower the skill barrier to launch devastating attacks.

This is happening now, and ISO 27001-certified organisations need to take note.

From ISO to Incident Response

Frameworks like ISO 27001 are no longer the destination; they should be treated as the launchpad. Achieving certification demonstrates you’ve met a rigorous set of controls, but Jane’s article reminds us that resilience means going beyond the checkbox. It’s about readiness for the worst-case scenario.

We often tell our clients: ISO 27001 gives you structure, but it is your incident response and cyber recovery strategy that helps you survive. That strategy should be part of your ongoing continuous monitoring and internal auditing process, and it includes testing backups (actually restoring from them, not just confirming the job ran), validating the integrity of what was restored, automating recovery, and preparing your executive team to make fast, informed decisions under fire.

This is where Jane’s advocacy for “Shift Right” aligns perfectly with what we’re seeing in the field. Prevention (Shift Left) remains essential, but planning for the breach (Shift Right) is now non-negotiable.

The recent cyberattacks on Marks & Spencer, Harrods, and the Co-op attributed to Scattered Spider highlight the growing threat of AI-assisted attacks. Using AI for voice cloning, targeted phishing emails, and data scraping from platforms such as LinkedIn, Scattered Spider deployed DragonForce ransomware to devastating effect. Marks & Spencer lost over £700 million in market value and millions in weekly sales while its online systems were disrupted, with initial access reportedly gained through a third party. The Co-op limited the damage by swiftly shutting down systems, while Harrods contained the threat by restricting internet access.

These incidents underscore the need for a balanced cybersecurity strategy: a “Shift Left” approach that prevents vulnerabilities through early security integration, and a “Shift Right” approach that ensures rapid response and recovery. Battling such attacks can leave teams exhausted yet proud, but the outcome hinges on preparation. No organisation is immune, which makes robust planning and resilience critical to safeguarding operations and trust.

We advise our clients to regularly test cyber-specific recovery protocols, maintain isolated clean environments to rebuild from, and treat response as an operational function, not just a technical one. It’s about readiness, not just resilience.

The Bottom Line

Cybersecurity today isn’t just about having the necessary tools, it’s about mindset. Prevention is no longer enough. Compliance is a foundation, not a finish line. And AI is rewriting the rules faster than we can draft new ones.

Jane Frankland’s article is essential reading for any IT leader, CISO, or compliance professional navigating this new landscape.

And, if you need support aligning your ISO 27001 strategy with a modern, AI-aware, recovery-ready information security posture, our Inavate consultants are here to help.
