Recovery is still the least mature part of incident response. What needs to change, in tools, culture or leadership, to ensure it’s as strong as it needs to be?
In spring 2025, M&S was one of several major UK retailers impacted by significant cyber disruption, linked to social engineering and supply chain compromise. Despite having an incident response plan and running executive drills prior to the incident, public reporting following the attack suggested that the response quickly became disorganised and reactive, with disrupted communications and teams operating under increased pressure when systems were unavailable.
The M&S example, alongside experiences later shared publicly by Co-op following its own cyber incident, helped frame one of the key discussion points during our recent roundtable on incident recovery. As Co-op CEO Shirine Khoury-Haq candidly reflected, “preparation buys you time, but leadership determines how you use it.”
Recovery is still underdeveloped
One of the strongest themes emerging from the discussion was that recovery often remains the least mature aspect of incident response. Many organisations invest heavily in prevention and detection capabilities, but far fewer give the same level of attention to how they will operate, communicate and make decisions once an incident is underway.
In practice, incidents rarely unfold exactly as expected. Systems may be unavailable, communication channels disrupted and critical decisions required at speed, often with incomplete information. In those moments, the strength of leadership and the quality of decision-making become just as important as the technical response.
Decisions need to be made before the crisis
The roundtable discussion repeatedly returned to the importance of leadership, pre-agreed authority and decision-making structures. Certainty around who can make decisions, what can be authorised and how escalation operates under pressure needs to be determined before an incident occurs, not during it.
The discussion also reinforced that recovery cannot sit solely within IT or security functions. Effective recovery requires board-level sponsorship, operational ownership and organisational alignment well before a crisis begins.
Recent incidents such as that experienced by M&S demonstrate that the reputational, legal and operational consequences of how organisations respond can often exceed the technical impact of the incident itself.
Sharing lessons more openly
Another emerging theme is the need for greater openness across the industry around recovery lessons and post-incident learning. Often, post-incident reporting is sanitised, limiting the ability of organisations and their peers to learn from operational realities, decision-making challenges and recovery failures.
At the same time, there was recognition that many recovery playbooks and supporting tools are struggling to keep pace with the speed at which the threat landscape is evolving.
Strengthening recovery capability
Recovery is no longer simply a technical process. It’s an organisational capability that relies heavily on effective leadership, communication, coordination and decision-making under pressure. Strengthening recovery capabilities requires organisations to move beyond static plans and towards realistic exercising, clearer decision authority and tested recovery strategies that are effective under real-world conditions.