Beyond the Firewall - Why Integrated Risk Management Is the Missing Layer in Cyber Defense

The recent revelation that Marks & Spencer—one of Britain’s most iconic retailers—suffered a cyberattack that could cost it up to £300 million in annual operating profit is a reminder that no amount of cybersecurity spending can fully inoculate a company against human error. The attack, reportedly traced to a third-party vendor and facilitated by social engineering, underscores a hard truth: cybersecurity is necessary, but not sufficient.

Despite boosting its cyber investment by 75% and quadrupling its team over the past two years, M&S was not spared. Nor were other well-known retailers like Harrods and the Co-op grocery group. These incidents reflect a deeper problem in the digital defense playbook—one that requires a broader, integrated approach to risk.

The Human Layer: Still the Softest Target

Social engineering, once a term associated with propaganda and psychological influence, has taken on a new cyber-inflected meaning: manipulating people into enabling digital intrusions. These attacks are not brute-force hacks; they are precision-guided campaigns that exploit human trust, fatigue, or error. Whether it’s duping an IT helpdesk into resetting a password or hijacking SMS verification through SIM swaps, these tactics do not defeat technical controls so much as walk through them: a password reset and a one-time code are authorized paths, and the attacker simply persuades the organization to open them. They target the one variable that’s hardest to patch—us.

The FT’s editorial rightly emphasizes the growing threat of groups like “Scattered Spider,” who blend digital sophistication with interpersonal manipulation. Their victims are not just firewalls and data centers, but the people behind them—employees, contractors, and supply chain partners.
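The helpdesk-reset pattern described above leaves a trail in identity-provider audit logs even when every individual step was "authorized": a reset performed by a helpdesk agent, followed within minutes by a new MFA factor and a first-time login from outside the corporate network. The following detection sketch is an added example, not code from the article, the FT, or any of the retailers named; the event schema, the `helpdesk:` actor prefix, the corporate address range, and the sample event lines are all constructed for illustration.

```python
"""Correlate helpdesk-initiated password resets with the follow-on signals of
account takeover: MFA factor re-enrollment and a new-device login from outside
the corporate network inside a short window.

Added example; the log format and field names are hypothetical."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical corporate address space; a real deployment would load this from
# the VPN/IPAM configuration rather than hard-coding it.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WINDOW = timedelta(minutes=60)

# Constructed sample audit events (one JSON object per line), not real logs.
# alice: helpdesk reset -> SMS factor enrolled -> new device from the internet.
# bob:   helpdesk reset, but next login is a day later from a known device.
# carol: self-service TOTP enrollment with no helpdesk reset at all.
SAMPLE_EVENTS = """
{"ts": "2025-05-20T09:02:11Z", "user": "alice", "event": "password.reset", "actor": "helpdesk:tech07", "ip": "10.0.4.21"}
{"ts": "2025-05-20T09:05:40Z", "user": "alice", "event": "mfa.factor.enroll", "actor": "alice", "factor": "sms", "ip": "198.51.100.77"}
{"ts": "2025-05-20T09:07:02Z", "user": "alice", "event": "login.success", "actor": "alice", "ip": "198.51.100.77", "new_device": true}
{"ts": "2025-05-20T10:15:00Z", "user": "bob", "event": "password.reset", "actor": "helpdesk:tech03", "ip": "10.0.4.22"}
{"ts": "2025-05-21T08:30:00Z", "user": "bob", "event": "login.success", "actor": "bob", "ip": "10.0.8.15", "new_device": false}
{"ts": "2025-05-20T11:00:00Z", "user": "carol", "event": "mfa.factor.enroll", "actor": "carol", "factor": "totp", "ip": "10.0.8.40"}
{"ts": "2025-05-20T11:01:00Z", "user": "carol", "event": "login.success", "actor": "carol", "ip": "10.0.8.40", "new_device": true}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def is_internal(ip):
    """True if the address falls inside the (assumed) corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_helpdesk_takeovers(events, window=WINDOW):
    """Return one finding per helpdesk-initiated reset that is followed, within
    `window`, by an MFA enrollment or an external new-device login."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        for i, reset in enumerate(user_events):
            if reset["event"] != "password.reset":
                continue
            if not reset.get("actor", "").startswith("helpdesk:"):
                continue  # self-service resets are handled by a different rule
            indicators = []
            for follow in user_events[i + 1:]:
                if follow["ts"] - reset["ts"] > window:
                    break  # events are sorted, so nothing later can qualify
                if follow["event"] == "mfa.factor.enroll":
                    indicators.append(f"mfa_enroll:{follow.get('factor')}")
                if (follow["event"] == "login.success"
                        and follow.get("new_device")
                        and not is_internal(follow["ip"])):
                    indicators.append(f"external_new_device_login:{follow['ip']}")
            if indicators:
                findings.append({
                    "user": user,
                    "reset_by": reset["actor"],
                    "reset_ts": reset["ts"].isoformat(),
                    "indicators": indicators,
                })
    return findings


if __name__ == "__main__":
    for finding in find_helpdesk_takeovers(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

Only alice is flagged: bob's reset was real and his next login looks routine, and carol enrolled a factor without any helpdesk involvement. A SIM swap itself never appears in the identity provider's logs, which is why the rule keys on what the attacker must do next (bind a new SMS factor, sign in from an unfamiliar device) rather than on the swap. The 60-minute window and the internal ranges are tuning knobs, and a production rule would also suppress resets where the helpdesk ticket records an in-person or video identity check.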

From Cybersecurity to Integrated Risk Management

What these breaches reveal is not just a failure of cybersecurity controls, but a failure of risk integration. While security teams may be fortified, other stakeholders—including procurement, vendor managers, legal counsel, and even HR—are often untrained and unaware of their role in digital resilience. That’s where Integrated Risk Management (IRM) comes in.

IRM goes beyond the silos of IT security to unify cyber, operational, third-party, compliance, and enterprise risk disciplines. It recognizes that digital vulnerabilities often originate in business processes—vendor onboarding, contract design, access provisioning, and incident response—and not just in code.

An IRM approach would:

  • Map risk across third-party ecosystems, not just monitor endpoints

  • Institutionalize board-level visibility, not just compliance checklists

  • Unify business continuity and cyber incident response, avoiding fragmented crisis playbooks

  • Continuously assess and adapt controls, rather than rely on static configurations or annual audits

Cyber insurance may offer some recovery cushion, but it rarely covers the reputational or shareholder damage that follows a well-publicized breach. Only an integrated model of risk management—where people, processes, and technology align—can close the gap between security readiness and business resilience.

Rethinking Risk Ownership

The M&S case reinforces a broader trend: cyber risk is no longer confined to IT departments. It is now a strategic risk, a reputational risk, a supply chain risk—and, increasingly, a boardroom risk. Yet too many organizations still treat these as separate domains. That segmentation is precisely what attackers exploit.

IRM offers a structural correction to this fragmentation. By connecting the dots across domains and elevating risk visibility to the highest levels of leadership, it not only hardens cyber defenses—it transforms them into a competitive differentiator.

Lesson Learned

The lesson from the latest wave of retail breaches is not that cybersecurity tools are broken, but that they are blind to broader systemic vulnerabilities unless paired with a more integrated approach. Firewalls and encryption are essential, but alone they cannot prevent a supplier’s employee from being duped or a contractor from clicking a rogue link.

In today’s asymmetric threat landscape, resilience requires more than cyber controls. It requires risk convergence.

The risk is integrated. The response should be too.

References

  • The Financial Times Editorial Board. “In cyber attacks, humans can be the weakest link.” FT View, May 26, 2025.

  • Google Threat Intelligence. Scattered Spider Threat Profile, 2024.

  • U.S. Department of Justice. “Five Alleged Members of Scattered Spider Charged.” DOJ Press Release, 2024.

  • Marks & Spencer Annual Report, 2024.

Samantha "Sam" Jones

Samantha “Sam” Jones is the lead research analyst for the IRM Navigator™ series and a core contributor to The RiskTech Journal and The RTJ Bridge. As a digital editorial analyst, she specializes in interpreting vendor strategy, market evolution, and the convergence of technology with enterprise risk practices.

As part of Wheelhouse’s AI-enhanced advisory team, Sam applies advanced analytical tooling and editorial synthesis to help decode the structural changes shaping the risk management landscape.
