
Constant Vigilance Starts at the Top: Executive Insights from the M&S Ransomware Attack

Yogesh Badwe, Chief Security Officer

The recent ransomware incident involving UK retailer Marks & Spencer (M&S) has brought renewed urgency to the conversation around cybersecurity preparedness, especially with early signals that US retailers may be targeted next. While full details continue to emerge, early reports indicate a sophisticated intrusion that disrupted operations and exposed sensitive data.

But this is not just a story of one company’s experience—it’s a reflection of the dynamic threat landscape that every business faces today. The scale and complexity of the attack signal a growing trend: threat actors are targeting not only infrastructure but also the business ecosystems around them, including employees, vendors, and customer-facing systems.

For executive leaders, this moment serves as a call to revisit and reinforce cyber resilience strategies—not out of fear, but out of foresight. Security is no longer just a technical problem; it can have a meaningful bottom-line impact.

1. Clarify What’s Critical—And Keep It Visible

Every organization has assets that, if compromised, could halt operations or erode public trust. The challenge is that these “crown jewels” aren’t always the most obvious systems. In many cases, attackers gain access through overlooked pathways—support systems, identity infrastructure, or trusted partners.

The incident affecting M&S is a powerful reminder that understanding the full chain of risk is vital. This includes the business functions that support critical operations, as well as the third-party systems and teams that enable them.

Leadership considerations:

  • Support frequent reviews of critical data, applications, and infrastructure—including dependencies beyond IT and your third-party vendors and contractors.

  • Ensure that cyber risks are assessed, quantified, and regularly discussed in enterprise risk forums.

  • Encourage ongoing collaboration between business, IT, and security teams to map evolving exposure.

2. Invest in Human-First Security Practices

Technical defenses are essential, but people remain the most frequently targeted—and often most vulnerable—entry point. From phishing to impersonation tactics, threat actors are increasingly leaning on social engineering as a way in. Generative AI now exacerbates this problem, with deepfakes and easily crafted phishing lures.

Though specifics of the M&S breach are still being investigated, reporting suggests that attackers may have relied on manipulation rather than malware alone to gain a foothold. This reinforces the need to integrate people-centric protections into the security stack.

Leadership considerations:

  • Back sustained investments in employee security awareness—not just annual training, but real-world simulations and reinforcement.

  • Ensure that controls like phishing-resistant multi-factor authentication and least-privilege access extend to all teams, including support roles.

  • Reinforce the principle that security is everyone’s job, and create space for teams to raise concerns proactively.

3. Ask the Right Questions About Detection

In many high-impact incidents, attackers spend days, weeks, or even months inside systems before launching ransomware or stealing data. That dwell time represents an opportunity—for those watching closely.

Executive teams don’t need to be hands-on with detection tools, but they do need to sponsor and engage with the right conversations. What’s the average time to detect a threat? How quickly can we respond once it’s discovered? Are we staffed or partnered to watch for issues around the clock? What is our detection coverage across the MITRE ATT&CK framework?

Leadership considerations:

  • Make detection and response metrics—like MTTD and MTTR—part of regular reporting, including at the Board level.

  • Confirm that your organization has continuous threat monitoring, either in-house or via a managed service.

  • Ensure threat intelligence is integrated into operational processes, not siloed as a static feed.

4. Rehearse Incident Response Before It’s Needed

Cyber incidents rarely unfold in a straight line. When pressure is high, the ability to act quickly and cohesively can mean the difference between containment and escalation. That’s why practiced response plans matter so much.

M&S’s decision to take systems offline reportedly helped limit further damage. But such decisions don’t happen spontaneously—they require trust, alignment, and preparation at every level.

Leadership considerations:

  • Support the development and testing of incident response and crisis management plans that reflect real decision-making scenarios.

  • Collaborate with external partners in advance so the organization is not negotiating support in the middle of a crisis.

  • Align with internal stakeholders on business-impact thresholds and response authority—so decisions can be made fast, not debated under pressure.

5. Lead the Recovery—and What Comes After

Post-incident recovery is more than just a return to service. It’s a chance to rebuild stronger, regain confidence, and reaffirm commitments to resilience. From regulators to customers, stakeholders want to see not only that an organization has responded—but that it is learning and evolving.

In the wake of the M&S breach, public attention has shifted toward what comes next: remediation, communication, and longer-term improvement. Those are outcomes that depend not just on technology, but on leadership.

Leadership considerations:

  • Insist on a structured, transparent post-incident review that identifies lessons learned across the organization.

  • Approve forward-looking investments to close gaps, rather than simply restoring prior states.

  • Communicate progress and improvement plans clearly to customers, employees, and partners.

A Moment for Leadership

The M&S ransomware attack has already sparked meaningful discussions across the industry—not because of who was targeted, but because of what it reveals about the interconnected nature of today’s digital risks.

This is not a moment to point fingers. It’s a moment to lean in.

Cybersecurity has become a core leadership discipline. As threats evolve, so must the questions we ask, the investments we prioritize, and the culture we shape.

At Druva, we’ve seen that the most resilient organizations aren’t the ones with the biggest security budgets—they’re the ones where leadership is engaged, collaborative, and committed to constant vigilance.
