Mirela Ciobanu
05 Jun 2026 / 5 Min Read
Author Tony Fish argues that traditional security models are broken. In this article he reveals how to boost your ‘security immunity’ and sustain conditions where optimal responses thrive.
For 30 years, the industry has treated fraud as a problem to be detected, and the playbook has been the same in every institution: more rules, faster models, tighter controls at the moment money moves. The dashboards appear to get cleaner while the losses continue to grow, and every year we tell ourselves that the next layer of detection will close the gap. It will not, because the gap is not where we have been looking.
The uncomfortable truth is that fraud is not the problem, but what shows up when the problem has already happened somewhere else. Fraud is a symptom of pressure, of poor decisions made under stress, of social and economic conditions that have shifted faster than our frameworks have noticed. It arises when a customer trusts a voice on the phone because that voice sounds like their daughter, when an employee clicks because the email looks like the one they were expecting, or when the line between a desperate decision and a fraudulent one becomes thinner than we are comfortable admitting. We have built sophisticated systems for managing a symptom whose cause sits upstream of where detection can see, and the world that produced our anti-fraud playbook has quietly gone.
The traditional model of security is rational, process-driven, anchored in historical patterns, working through catalogues of known threats, structured rules, and controls that respond to signatures we have seen before. It worked when threats moved at human speed and attack patterns were predictable enough to be systematised, when the gap between a new threat appearing and a new control being deployed was something the industry could close inside its own rhythm. That world has ended, and three things ended it.
The first is AI, not as the next generation of tools but as something that changes the speed, scale, and unpredictability of attacks in ways our detection systems cannot match. Voices are cloned in seconds, phishing campaigns are personalised to millions simultaneously, and attackers no longer need to be sophisticated themselves; they need only be subscribers to systems that are. The second is complexity: our own architectures have grown beyond the point where any single mind, or any single dashboard, can hold them, and the vulnerabilities that matter most emerge from interactions between systems stitched together over decades, so that most of our gaps are no longer in the code but in the seams. The third is what is coming: quantum computing will eventually break the mathematics underneath much of today's public-key cryptography, and while the timing is uncertain, it is likely closer than current migration timelines comfortably allow.
When the threat lives inside an unpredictable, fast-moving, emergent space, asking whether our defences are strong enough is the wrong question, because it assumes there is a wall that can be made taller, when there is no wall, only a landscape we no longer fully understand. The institutions that mistake one for the other will keep investing in walls while the landscape moves beneath them.
There is a different way to think about this, and biology has been doing it for a long time. Immunity is not a wall, not constructed, and not a thing the body has; it is something the body does, continuously and quietly, across millions of distributed cells that have never met each other, that learn from every encounter, and that maintain capabilities which look wasteful right up until they become essential. You cannot build immunity by strengthening individual cells (thicker walls); immunity is an emergent property of a healthy system, arising when conditions are right and declining when they are not.
This is not a metaphor borrowed for elegance but a different way of making sense of security itself. Immunity is the body's ongoing conversation with an evolving threat landscape, and security, properly understood, is the same conversation: between an organisation, its people, its customers, and a world that will not stop changing. In an immunity model, the question changes from ‘have we built the right defences?’ to ‘are we maintaining the conditions in which the right responses can arise?’ That is a very different question, and the only one that scales when the next attack will not look like the last.
If fraud is a symptom and security is an emergent property, the implications for our industry are uncomfortable but clarifying. Our customers are not the perimeter we defend; they are part of the system that needs to develop immunity, and telling them to ‘remain vigilant’ without giving them the means to think well has become the cyber equivalent of telling someone to be healthy without giving them food, sleep, or rest. It feels responsible, it does not work, and under mandatory reimbursement rules it will not meet the regulatory bar either.
Giving people fish is no longer enough: fixed rules age badly in a world where attacks themselves are generated by systems that learn, and the lists of red flags we have spent years distributing are obsolete by the time they are printed. What customers and colleagues need is the ability to think better: to recognise the conditions under which they are vulnerable, to slow down at the right moments, to question the urgency that scammers manufacture, and to treat an emotional pull as a signal rather than a feeling. That is closer to teaching someone to fish, and closer still to teaching them to read the river.
It also means that behaviour, fear, and vulnerability are now first-class security concerns rather than soft-edged adjacencies, because the most successful attacks of recent years have not exploited cryptographic weaknesses but human ones - tiredness, loneliness, and the fact that a customer in financial difficulty is more likely to believe a message offering relief, while an employee at the end of a long week is more likely to approve a payment that looks almost right. These are not technical problems and will not be solved by technical means alone; they are human conditions, and increasingly the attack surface itself.
The metrics underpinning our current approach are due for an overhaul, too. The industry measures detected fraud, prevented fraud, false-positive rates, and customer friction. These are all useful measures of the symptoms, but not of the conditions producing them. They tell us where the problem has shown up, not what we gave away to get there, nor whether the conditions for the next wave of attacks are quietly improving or deteriorating outside the dashboard.
The shift described here is not a project, a platform purchase, or a transformation programme with a steering committee, but a change in the question leadership is willing to ask, and almost everything else flows from that. It means treating fraud, cyber, customer experience, and product as parts of a single immune system rather than separate functions reporting separate KPIs, because immunity does not work in silos, and neither does this. It means investing in the cognitive and behavioural literacy of customers and colleagues with the seriousness currently invested in detection engines: not awareness campaigns, but actual capability, the ability to pause, to verify, and to recognise when one is being moved emotionally and to treat that as the signal it is.
It also means accepting that some of what looks wasteful (redundancy, friction in the right places, slowness when slowness is the point, and capabilities rarely used) is what allows the system to survive the attack nobody saw coming. Efficiency optimised in one direction is fragility waiting in the other, and institutions that have stripped out everything that did not justify itself on last year's numbers will discover the cost in the years ahead. And it means leadership being willing to ask a harder question than the one anti-fraud has been designed to answer: not ‘how do we detect this faster?’ but ‘what conditions have we allowed to deteriorate, in our customers, our colleagues, our systems, and our trust, that have made this kind of attack inevitable?’
The detection layer will tell you where fraud is showing up, but not why and not what needs tending, and the fraud it reports will not, on its own, get smaller. By 2028, the institutions that thrive will not be the ones with the strongest walls but those with the healthiest immune systems: distributed, learning, human, and quietly maintained long before the next attack arrives. That is the work, and it begins with a different question.
About author

Tony Fish is a provocateur, pathfinder, and author. Consurgence is his thinking for what your frameworks have quietly optimised away. Six books, thirty years of foresight, ahead of multiple technical revolutions. Executive leadership and boards bring him in when the dashboard reads green and yet there is something wrong.
The Paypers is a global hub for market insights, real-time news, expert interviews, and in-depth analyses and resources across payments, fintech, and the digital economy. We deliver reports, webinars, and commentary on key topics, including regulation, real-time payments, cross-border payments and ecommerce, digital identity, payment innovation and infrastructure, Open Banking, Embedded Finance, crypto, fraud and financial crime prevention, and more – all developed in collaboration with industry experts and leaders.