·

When Systems Fail, Leadership is Tested

Few leaders speak publicly about what it’s really like to manage a live cyber incident. Understandably so. It exposes uncertainty, gaps in preparedness, and plans that don’t survive first contact with reality.

But the reality matters.

Cyber incidents rarely remain technical problems. They quickly become enterprise-wide leadership challenges, affecting:

  • operations and revenue
  • customer trust and confidence
  • legal and regulatory exposure
  • reputation and investor confidence

The Marks and Spencer, Co-op and Jaguar Land Rover attacks affected customers and suppliers, causing significant financial damage.

Yet many organisations still default to a model where cyber incidents are “run” by technology teams, with other functions brought in sequentially.

Under pressure, that model fails.

Effective response requires rapid, collective decision-making across technology, operations, communications, legal, HR and commercial leadership, often before anyone fully understands what’s happened.

The British Library’s own report on the incident in 2023 that put many of its services out of action shows the breadth of challenges faced and is costing millions to resolve.

One CEO was candid about her experience, describing the “intensity, urgency and unpredictability” of a live incident, noting that “the buck stops with us as senior leaders”.

One of the most common failure points we see is unclear leadership in the first critical hours:

  • Who is in charge overall?
  • Who has authority to make trade-offs?
  • Who decides what to communicate, and when?

Where this is unclear, decisions stall, accountability fragments and communications become reactive. Trust erodes quickly.

Even organisations with detailed plans can struggle. The National Audit Office’s review of the WannaCry attack on the NHS found that roles and responsibilities existed on paper — but had not been exercised, leading to confusion and delay.

A practical self-check:

  • Who leads in the first two hours?
  • Do legal, communications, operations and security come together immediately, or in sequence?
  • Have leaders practised making decisions with incomplete information?

Capability is often assumed rather than tested. That assumption is what gets exposed in a real incident.

In our final article, we’ll look at how organisations can build this capability deliberately – before they’re tested for real.

Read part three

Leave a comment

Latest articles

Get in touch

If you’d like to know more about our service, complete the form below and we’ll be in touch.

← Back

Thank you

We’ll be in touch shortly