
The first line of defence, not the first line of blame: Why you should give the service desk a break

RANT Roundtable May 2026


The service desk has always been a vital cog in the machinery of cybersecurity. Everyone working in cyber knows it. But it took several catastrophic ransomware attacks in 2025 for senior business leadership to realise. M&S’s annual pre-tax profits fell 29% after a cyber-attack cost the retailer £131m. And the hit to the UK economy as a whole from the Jaguar Land Rover (JLR) ransomware attack is estimated at £1.9bn. Both breaches started with a vishing call to the helpdesk.

These incidents might have raised awareness of the function at a senior level. But has it changed the way organisations treat security at this layer? A packed RANT roundtable hosted by Rapid7 and Longwall Security illustrated just how passionately CISOs feel about the subject.

For Longwall Security MD, Mat Cornish, the problem is not one of technology but people.

“I don’t think we’ve necessarily underinvested in cyber, I think we’ve underinvested in bringing it back and making it human again,” he told the assembled security pros. “We’ve invested tons in signals, we’ve got everything locked down from a technology point of view. But we’re not giving the service desk the tools to do their jobs effectively. How are they validating users? How are they feeling empowered? How can they have that psychological safety to say ‘no’?”

Service desks through the wringer

Among the security leaders round the table, many shared that they had started their careers at the service desk. A popular refrain was that humans simply make mistakes, especially when faced with an agile adversary that might speak fluent English, be armed with deepfake technology, and have done enough OSINT research to sound convincing on the phone.

“We’re seeing the real-world impact. We need to reverse the culture. How can we empower the help desk to make the right decisions, and not blame them when things do go wrong? Because they probably will go wrong. They’re up against some really skilled people these days.”

Several attendees argued that creating the right culture can be a challenge when the function is outsourced. But third-party service desks can work in different ways. A dedicated outsourcer for the function is different to a situation in which the same operative may be handling calls from multiple client organisations, explained one attendee.

Nevertheless, security teams must try, argued Rapid7 Field CISO, Alan Simpson – himself a former helpdesk agent.

“They’re the most important people in the IT department. They have the pulse of the organisation. They talk to the most people in the organisation on a daily basis,” he said. “If you’re outsourcing, it’s about bringing them into the organisation.”

Simpson argued that information sharing between security and service desk teams is key—but something not many organisations do readily enough.

“It’s interesting the lack of information the service desk gets,” he said. “They’re the face of IT but they get the least amount of information.”

Why it’s OK for the helpdesk to be unhelpful

Empowerment of a function that lives and dies by its SLAs was a running theme throughout the event. This is where the cybersecurity team can and should play a role in helping to push back against the business, said Tim Woods, Head of Cyber Response at Shawbrook. He explained how his team has counselled the service desk that if it doesn’t meet its SLAs they will step in “and deal with the difficult conversations” if needed, “so the service desk feels protected”.

“Sometimes in industry, infosec is seen as an enforcer. But within our own teams and with our own people, we are there to support them. We’re on the same side,” Woods continued. “We don’t blame people for their mistakes. But we’re not too happy if people don’t ask for help. And that’s the thing. We’ve seen historically where someone has gone ‘I did this thing but it didn’t feel right’. That feeling is when you bring us in.”

Those SLAs can be key to setting the right kind of expectations and culture, said another attendee: “You get the behaviour you measure, so it’s about incentives as well.”

Rapid7’s Simpson went further, arguing that businesses need to build into service desk contracts the fact that, in certain situations, security should trump metrics like “first-time fix rates” and “wrap times”. However, that is sometimes “easier said than done”, he admitted.

Another security leader pointed out that organisations must also remember to train their service desk staff on a continuous basis. “They have to be aware that sometimes you have churn on your helpdesk,” she argued. “The people that started off on your contract aren’t necessarily the people you have in place at this time. So there’s also a need to train and then retrain.”

Should VIPs eat their own dog food?

Several security leaders agreed that some of the biggest problems for the help desk emerge when senior people don’t get the service they believe they deserve. One said he has been accused of “disabling the business” by standing firm when executives escalate a problem to him personally.

This segued neatly into the topic of dedicated VIP services, which split the crowd. Some argued that fast-tracking certain requests is a necessity to support the business, and could even help win more budget for IT. One attendee suggested that forcing senior leaders to “eat their own dog food” could ultimately lead to improvements for everyone if it raises their awareness of the service desk.

For some around the table, AI is being deployed to improve the service desk experience for all users—mainly by carrying out low-risk procedural tasks, and detecting and flagging anomalies. One argued that the technology is already “the first line of the service desk capability” in many organisations.

On a night of heated debate, this precipitated more intense discussion around the table—not least from one attendee who reminded his peers that AI agents can get socially engineered too.

Pen-testing for the win

The good news is that bad experiences for some can drive lasting improvements for others. Several participants shared that the incidents suffered by M&S and JLR triggered new service desk initiatives in their organisation. For Shawbrook’s Woods, it led to rigorous social-engineering pen-testing and awareness-raising programmes for service desk staff.

“When those incidents happened we were being pressured really hard to do something. That gave us an opportunity to take action and help our service desk. And truly I think that’s why we’ve been so successful,” he explained. “We’ve never wasted an incident.”

As long as humans are in charge of the service desk, there’ll no doubt be plenty more learning opportunities to come.