“Prevention alone is not enough. Most intrusions do not involve malware at all, just legitimate tools repurposed for malicious activity, making early warning signs harder to spot. The real test is how quickly an organisation can assess the situation, make decisions and recover. That requires more than tools and backups. It requires decision-making authority, real threat intelligence and people who have previously handled serious intrusions. In practice, many organisations lack that combination of experience and readiness, which is why I favour a retained incident response capability over building one in-house.
“An internal team formed in response to a breach is already behind, with no shared history under pressure and no time to mature before facing its worst case. A retained team lives this daily and that experience separates a contained incident from a prolonged one. The questions worth asking are: who has the authority to act the moment something looks wrong? And have they ever actually done it before? When the call comes, the difference will not be who has the better tools. It will be who already knows what to do.”