When a major cyber incident hits, the first failure leaders cannot afford is confusion.

In this Security Edge session, Alex Loizou, Cyber Security Leader at Intrinsic Security, drew on his experience during the Medibank breach to explain how large-scale incidents test leadership long before recovery begins.

He focused on how to communicate under pressure, support exhausted teams, adapt when plans stop fitting the situation, and manage a recovery that unfolds over months and years.

 

Key takeaways:

  • Major breaches test leadership first, especially the ability to communicate clearly and translate technical risk into business decisions.
  • Sustained response depends on structured support, including leadership rotation, shared accountability, and active care for team wellbeing.
  • Recovery takes place across immediate fixes and long-term change, with trust rebuilt through steady proof rather than declarations alone.

 

Crisis leadership depends on clarity under pressure

In a major incident, the security leader becomes the link between technical reality and business decision making.

As the breach escalated from unusual activity to confirmed compromise and public disclosure within days, Alex’s role shifted quickly into real-time translation for executives and stakeholders. That meant giving updates that were urgent without becoming chaotic, and specific without overstating certainty.

Visible confusion from leadership can widen the damage by slowing decisions and increasing organisational anxiety.

Alex’s account showed that composure is operational. It helps the business absorb uncertainty without losing direction.

 

Endurance needs structure, not just commitment

One of the strongest lessons from the session was that major incidents last far longer than many organisations expect.

Fatigue builds quickly, and once leadership and response teams begin running on exhaustion, judgment starts to degrade.

Alex pointed to two structures that helped.

One was leadership rotation, which ensured continuous coverage while preserving minimum rest.

The other was a twin CISO model that split crisis leadership from business-as-usual responsibilities.

That separation protected decision quality, reduced burnout, and gave the organisation more capacity to sustain a long response.

 

Trust holds when communication stays honest

Alex argued that communication with boards, executives, and customers had to stay direct.

Trust erodes quickly when organisations smooth over uncertainty or simplify the situation so aggressively that the real risk disappears from view.

He described two principles that shaped his approach.

The first was being clear about what was known and unknown.

The second was using real language, supported by explanation, rather than diluting the message.

He also stressed the value of keeping internal and external communications aligned, so the organisation spoke with consistency under scrutiny.

 

Playbooks help early, but incidents quickly outgrow them

The session also made clear that major incidents do not stay inside predefined plans for long.

Playbooks are useful, but rigid adherence can become a constraint when the situation becomes more complex than the original scenario design.

Alex described bringing in multiple incident response partners with different methods to validate findings and strengthen confidence in the response.

That was not a standard playbook move, but it matched the conditions of the incident.

The lesson was straightforward. Preparation matters, but adaptability decides whether a response remains effective once conditions change.

 

People need support long after the first shock passes

Large incidents place sustained psychological strain on teams.

Stress, blame, and fatigue can weaken performance well beyond the technical containment phase if leaders treat recovery as purely operational.

Alex pointed to practical steps such as buddy systems, enforced breaks, and wellbeing support.

He also described the leadership role more personally, as being available for teams carrying the emotional weight of the incident. That part of the response is easy to overlook, but it shapes whether people can continue functioning across a long crisis.

 

Recovery runs on two tracks at once

Post-incident recovery does not move at one speed.

Organisations have to fix immediate weaknesses quickly while also planning deeper structural change that may take years.

Alex described this as a dual-speed effort, with urgent remediation on one side and longer-term improvement on the other.

That work extends beyond technology. Public incidents leave a trust deficit that has to be addressed through evidence, consistency, and repeated proof of improvement. Recovery is therefore not only about closing vulnerabilities. It is about rebuilding confidence with stakeholders over time.

Contributors
Alex Loizou, Cybersecurity Leader at Intrinsic Security
Alex Loizou is a seasoned cybersecurity leader with a proven track record of building and leading high-performing security teams. He has extensive...