From resilience to antifragility: Rethinking cybersecurity for real estate and mortgage professionals

In information security, we’ve long spoken about resilience. The goal has been to withstand an attack, recover quickly, and return to business as usual. But in today’s environment—where attackers adapt and evolve daily—resilience is no longer enough. We must go further. We must embrace antifragility.

Nassim Nicholas Taleb coined the term “antifragile” in his book Antifragile: Things That Gain from Disorder. Taleb’s work, originally centered on financial risk management, describes systems that don’t merely survive shocks but improve because of them. Unlike resilience, which aims to bounce back to the status quo, antifragility means that stress, volatility, and disruption actually make the system stronger.

This concept struck me as essential for cybersecurity, particularly in industries like mortgage, real estate, and title, where vast amounts of sensitive financial and consumer data are constantly targeted. At Williston Financial Group (WFG), we see an average of 80,000–120,000 cyberattacks each month. We encounter hundreds of phishing emails, wire fraud attempts, and other malicious intrusions every week. The reality is clear: our adversaries are relentless, and the status quo simply isn’t good enough.

Learning from kintsugi

To explain antifragility in a way that resonates, I often use the Japanese art of Kintsugi, which means “golden joinery.” I first heard this analogy in a conversation with a colleague at an information security leadership conference, and it struck me immediately. Instead of discarding broken pottery, Japanese artisans repair the cracks with gold, creating an entirely new piece that is stronger, more beautiful, and more valuable than the original. The breakage is not hidden; it is celebrated as part of the object’s history.

Cybersecurity should function the same way. When we experience a breach, a phishing attempt, or even a suspicious event, we should not just patch the crack and hope to return to “normal.” We should emerge stronger, smarter, and better prepared to withstand the next attack. Every incident—large or small—becomes an opportunity to add gold to the cracks in our defenses.

Moving beyond resilience

The difference between resilience and antifragility is profound.

• Resilience means recovering after an incident, returning to where we were.
• Antifragility means using that incident to advance—to create a new, stronger baseline of protection.

Most organizations treat major breaches as lessons learned. They conduct a postmortem, update processes, and implement new defenses. But what about the smaller events—the phishing emails caught by filters, the employee who almost clicked a malicious link, the attempted but failed wire fraud? Too often, these events are dismissed as routine “noise.”

In an antifragile model, every event is treated like an incident. Every close call prompts analysis: Why did this happen? How could it have been worse? What can we do differently to ensure we are better next time? This mindset ensures we continually sharpen our defenses, turning every attack into intelligence that forces adversaries to work harder with each attempt.

Why It matters for mortgage and real estate

For mortgage and real estate professionals, cybersecurity might seem like a background concern—something the IT team handles. But the truth is, our industry is uniquely attractive to cybercriminals. Wire transfers, personal financial data, and large sums of money moving quickly make us prime targets.

The consequences of even a single lapse can be devastating: compromised client trust, financial loss, regulatory scrutiny, and reputational damage. In an antifragile model, however, each attempted attack becomes an investment in stronger defenses. Instead of fearing disruption, we leverage it to continuously improve how we protect our businesses and our clients.

A practical example

Consider a recent incident where a fraudster used a phone-based phishing ploy instead of the usual email link or attachment. An unsuspecting user called the number, spoke to a convincing “support agent,” and was persuaded to download remote access software. While our systems contained the damage, the lesson was clear: the threat landscape is constantly shifting.

Instead of simply recovering, we changed our response protocols, blocked unnecessary tools, and adjusted our training. The result: we are now better equipped to prevent the same tactic from succeeding again. That is antifragility in action.

Building antifragile security programs

To build antifragile systems, organizations must commit to:

1. Treating every event as an opportunity. Don’t wait for a catastrophic breach. Learn from the small things, too.
2. Conducting postmortems consistently. Ask not just what happened, but why—and what new measure can prevent recurrence.
3. Celebrating improvement, not just recovery. Just as Kintsugi highlights the cracks filled with gold, recognize and embrace the ways your defenses are stronger after each test.
4. Staying dynamic. Cybersecurity is not static. Every event should shift your baseline, forcing attackers to work harder each time.

The call to action

Cybersecurity in the mortgage and real estate sectors can no longer be about merely holding the line. The volume and sophistication of attacks will only increase. Resilience is important—but antifragility is essential.

We need to view each intrusion, each phishing attempt, and each fraud scheme not as a setback but as a chance to emerge stronger. Like Kintsugi pottery, our defenses should bear the marks of past battles—visible reminders that we did not just survive, but improved.

By embracing antifragility, we don’t just protect our businesses. We evolve them. And in doing so, we protect the trust at the very heart of every mortgage, every real estate transaction, and every closing.

Bruce Phillips, CISSP, is Chief Information Security Officer at Williston Financial Group.
This column does not necessarily reflect the opinion of HousingWire’s editorial department and its owners. To contact the editor responsible for this piece: zeb@hwmedia.com.