COMMENTARY: When a breach hits, the spotlight quickly shifts. Technical teams race to restore systems, while executives manage public scrutiny, operational disruption, and regulatory pressure. In most cases, the outcome depends less on what happens after, and more on what was already in place.Recent campaigns by groups such as Scattered Spider, LAPSUS$, and Shiny Hunters have demonstrated the fragility of even global enterprises. These groups can now disrupt operations and expose millions of records across various industries, including retail and critical infrastructure. Each one highlights how preparation, or the lack of it, shapes what happens next.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]The public only sees outages and statements: what they don’t see are the hours spent preparing – exercising scenarios, refining communication, and training teams to operate under pressure.The risks leaders face in a live crisis often differ from what they anticipated – and if they’re not testing those realities, they’re not ready. Even when core systems are down, leaders still have to keep operations moving, flag odd behavior, and deal with the fallout from partners they don’t fully control. At the same time, communications teams are trying to calm customers while working with partial facts, legal pressure, and regulators watching closely.Most organizations have crisis plans and run tabletop exercises, but few test how those plans hold up when alignment frays, customer pressure builds, and it’s an uneven recovery. Plans built to look perfect on paper often fail under real conditions. Few go deep enough to test how the organization actually functions when the crisis drags into its second or third week. Leadership vulnerability lives in the gap between planning and execution.Adversaries like Scattered Spider exploit stealth and speed, often leaving organizations to discover an attack only once it’s underway. In those moments, the difference between scrambling and leading comes down to preparation.Readiness requires more than technical safeguards. It’s about how the business functions under pressure and when uncertainty, incomplete information, and public scrutiny collide. Once that’s understood, organizations should test the moments that expose friction: conflicting advice, ambiguous facts, public pressure, and legal oversight. Those moments define how customers, regulators, and employees perceive a crisis.Threat groups like Scattered Spider unveil a universal truth: cyber readiness does not get defined by technology alone, but by how an organization responds under relentless pressure. It’s not how quickly the team patches a system or activates a runbook. It's how well the team can coordinate, communicate, and hold trust, even when the entry point isn't owned by the company.Leaders who continuously test their teams and prepare for uncertainty won't eliminate pressure, but in a crisis, that preparation becomes muscle memory. It helps them act faster and with more clarity, proving that actual cyber readiness is work the world never sees – and rarely appreciates.Jon-Paul Gabriele, director of crisis management, ImmersiveSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
The hackers exploit trust, test readiness
Scattered Spider has disrupted high-profile organizations, including M&S, Victoria’s Secret, and MGM Resorts, exposing how attackers exploit human and institutional trust – contractors, partners, and service providers all serve as unseen entry points.These incidents highlight a growing trend: adversaries leverage trusted relationships to reach their targets. When a breach starts outside a company’s walls, but the fallout lands squarely within them, public and regulatory judgment rarely reflect that nuance.Most people only take into account that the organization got breached; the complex details of supply chain infiltration or third-party compromise are invisible. Suppliers now operate at the front line of risk, even if they're not always recognized as such. This lack of understanding has measurable consequences and causes organizations to lose control of the narrative. The resulting misperception drives headlines that amplify reputational damage, erode investor confidence, and accelerate regulatory response.The nuances that the public does not understand are exactly where leadership pressure intensifies. Once a group gains access, technical teams race to contain the threat, but the true test shifts to leadership: managing scrutiny, navigating uneven recovery, and communicating amid uncertainty. The breach becomes less about technology and more about coordination, credibility, and resilience under pressure.The recent reemergence of Scattered LAPSUS$ Hunters, along with its Salesforce leak site, reminds that threat actors don’t disappear; they adapt. As seen with LAPSUS$ and Shiny Hunters before them, groups evolve, rebrand, and reappear under new banners. It’s a clear message: true cyber readiness gets built on sustaining resilience in the face of threat groups that continually shift tactics and identity. The ability to respond to a single event is not a readiness indicator.Leadership challenges and risks
Different teams see a crisis through different lenses and it’s one of leadership’s biggest challenges. Executives must stabilize the business while also weighing the following:- The level of transparency if a third party was the source.
- How to maintain service continuity when recovery varies across regions and/or functions.
- What to tell customers as facts evolve.
