Make Cybersecurity a Strategic Asset

By elevating cybersecurity from an operational necessity to a source of opportunity, leaders can boost resilience and business advantage.

Reading Time: 14 min 


Permissions and PDF

Image courtesy of Gary Waters/

On June 27, 2017, employees in more than 80 global companies booted up their computers only to find a black screen with the message, “Oops, your important files are encrypted,” along with a demand for a bitcoin payment to decrypt the files. Within a few hours, managers began to realize the extent of the attack: Malware had infected the companies’ central servers, paralyzing every aspect of global operations, including interoffice communications, access to documents, access to customer data, and all operational and manufacturing systems. The NotPetya virus, which had begun its spread via the software-update function of a widely used Ukrainian tax preparation program, eventually caused global economic damage exceeding $10 billion in industries such as transportation, energy, pharmaceuticals, food production, consumer goods, and professional services.1

Despite such examples of devastating cyberattacks on major organizations, many of the world’s largest companies remain unprepared.2 Although executives acknowledge cybersecurity as an important part of IT planning, they misunderstand the strategic character of cyberattacks, both as a severe threat to earnings and operations, and as an opportunity. Yes, an opportunity.

We studied three global companies, competing in logistics, consumer goods, and professional services, that suffered from the 2017 NotPetya attack.3 (See “The Research.”) We found that executives who have successfully managed through cyberattacks now recognize cybersecurity as a top-level strategic priority; they told us that their biggest mistake in the period before the NotPetya attack was to treat cybersecurity as an operational issue.



1. A. Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, Aug. 22, 2018,

2. See, for example, P. Mee and J. Cummings, “Is Your Company Ready for a Cyberattack?” MIT Sloan Management Review, Dec. 4, 2018,; R.A. Rothrock, J. Kaplan, and F. Van der Oord, “The Board’s Role in Managing Cybersecurity Risks,” MIT Sloan Management Review 59, no. 2 (winter 2018): 12-15; and M.E. Mangelsdorf, “What Executives Get Wrong About Cybersecurity,” MIT Sloan Management Review 58, no. 2 (winter 2017): 22-24.

3. To preserve confidentiality, we are referring to the companies by industry — logistics, consumer products, and professional services — rather than by name.

Reprint #:


More Like This

Add a comment

You must to post a comment.

First time here? Sign up for a free account: Comment on articles and get access to many more articles.