Security teams have put in a lot of effort in the last decade to make sure that security parameters are as robust as possible. Because of this, zero trust frameworks, multi-factor authentication, endpoint detection, and patched vulnerabilities have become baseline requirements for security. The technical stack for security has never been more sophisticated. And yet, breaches still keep happening.
What may come as a surprise is that the entry point to a breach is rarely a misconfigured firewall. Most people picture a cyberattack as someone in a dark room cracking code; however, the reality is far more mundane and human. Nowadays, social engineering is the common initial attack vector because it exploits the decision-making of people under pressure – a person rushing before a meeting or simply trying to be helpful.
The MGM Resorts breach in 2023 took about 10 minutes of phone-based social engineering to initiate, ultimately costing the company $100 million. MGM had enterprise-grade security tools. What failed was human judgment in a high-pressure moment. That is the gap that organizations investing in leadership development through platforms like PepTalk are trying to close – bringing risk management speakers and crisis decision-making expertise inside the organization before an incident forces the issue.
Why Passing Your Audit Doesn’t Signal Readiness
Passing an audit is not the same as being ready. While most organisations can demonstrate compliance on paper, putting the theory into practice is where real capability shows. An audit can’t test how the CFO will make a decision under pressure at 2am. It can’t control for whether the Communications and Security teams are able to speak the same language, nor whether the CEO freezes in front of the board as an active ransomware attack takes its grip. In those moments, your certification becomes irrelevant. It’s your reflexes that count. That kind of instinct is built in rooms with people who have managed real incidents. These practitioners know what hour six of a ransomware negotiation feels like, and that is where PepTalk’s risk management speakers can be brought in to support an organisation through it, and help close the gap.
Microsoft’s 2025 Digital Defense Report documented AI-assisted attacks across at least four government-backed threat actors, with adversaries automating exploitation faster than human response cycles can match. When an attack moves at that speed, the first 30 minutes of leadership decision-making determine how contained or catastrophic the outcome becomes. That window is not improved by another compliance framework.
The $14,000-Per-Minute Argument for Training Leaders, Not Just Security Teams
When security is treated as a technology function rather than an organizational one, executive teams make slower, worse decisions during incidents. They lack the vocabulary, the mental models, and the rehearsed instincts that separate a contained event from a headline. ITIC’s 2024 research estimates downtime costs for large enterprises at over $14,000 per minute. A two-hour incident prolonged by leadership indecision can cost more than most annual security awareness budgets, and it will not show up in any vendor’s ROI calculator.
The organizations that respond well share a single characteristic: their senior teams have rehearsed appropriately. Beyond theory buried in a compliance checklist, they have led structured scenarios with people who have managed real incidents. Practitioners who know what a ransomware negotiation looks like at hour six understand what the board expects to hear, when they expect to hear it, and where communication between legal, comms, and security typically breaks down. That kind of preparation cannot be built internally.
The instincts are too close to the problem, and the assumptions are too comfortable. External expertise, like the kind that PepTalk connects organizations to through its roster of risk management speakers, introduces the friction and challenge that internal programs rarely generate on their own. Security budgets are scrutinized harder every year. The case for spending on leadership preparation is straightforward: the MGM breach was not stopped by better tools. It was lost in a 10-minute phone call that better-prepared people might have caught. The next major breach at a well-defended organization won’t be a technical failure. The question is whether the leadership team has practiced for it.

