The CEO’s Cyber Resilience Playbook

What do CEOs who led through a serious cyberattack regret? Use this guide to learn from their experiences and take smarter actions before, during, and after an attack.


On May 7, 2021, executives at Colonial Pipeline discovered that cybercriminals had launched a ransomware attack on its IT systems. To prevent the malware from spreading further, the company took its computer systems offline, disabling 5,500 miles of pipeline that supplied 45% of the fuel consumed on the U.S. East Coast. The disruption lasted nearly a week, resulting in panic buying and fuel shortages. In a controversial decision, Colonial Pipeline paid a ransom of nearly $4.4 million in exchange for the decryption keys to get its systems back online. One month later, with recovery efforts and investigations ongoing, Colonial Pipeline CEO Joseph Blount defended that decision before the U.S. Senate, testifying, “We were in a harrowing situation and had to make difficult choices that no company ever wants to face.”

Blount’s testimony echoes the experiences of many of the CEOs we have interviewed as part of our research into how leaders manage cybersecurity risk and attacks.1 These CEOs shared with us similarly painful accounts of having to make existential decisions based on imperfect information, under enormous pressure, in an area where they had relatively little expertise. Serious cyberattacks thrust CEOs into the public eye, scrutinized by the media, shareholders, regulators, and other stakeholders.

We conducted 37 in-depth interviews with the chief executives of large enterprises (with average revenues of $12 billion) in the United States, Europe, and Asia. Nine of them had led their company through a serious cyberattack, which allowed us to compare their battle-tested views with those of CEOs who had not yet suffered such an attack. This article outlines strategies, based on their lessons, to help your organization stop over-relying on cybersecurity and start building cyber resilience as a strategic opportunity.

What CEOs Regret After a Serious Cyberattack

The CEOs who had lived through cyberattacks on their organizations spoke candidly (and anonymously) about their experiences, evaluating their preparation strategies and the actions they had taken. They also shared their regrets based on lessons learned from their experiences.

They focused too narrowly on prevention. It would be a struggle to find a company that does not currently list cyber risk near the top of its enterprise risk register. Cybersecurity has become an inescapable priority for chief executives.



1. M. Hepfer, R. Chatterjee, and M. Smets, “The CEO Report on Cyber Resilience,” PDF file (London: Istari, 2023),

2. M. Hepfer and T.C. Powell, “Make Cybersecurity a Strategic Asset,” MIT Sloan Management Review 62, no. 1 (Fall 2020): 40-45.


Comment (1)
Dominador Gamboa
The relevance of resilience has evidently moved beyond the physical to the internet domain; cybersecurity threats and their associated risks are not reserved solely to business interests but pose even greater challenges emanating from political agents in today's extraordinarily conflict-ridden post-pandemic world... DOMINADOR "RINGO" GAMBOA