The CEO's Cyber Resilience Playbook
MIT Sloan Management Review | Summer 2024
What do CEOs who led through a serious cyberattack regret? Use this guide to learn from their experiences and take smarter actions before, during, and after an attack.
Manuel Hepfer, Rashmy Chatterjee, and Michael Smets

On May 7, 2021, executives at Colonial Pipeline discovered that cybercriminals had launched a ransomware attack on its IT systems. To prevent the malware from spreading further, the company took its computer systems offline, disabling 5,500 miles of pipeline that supplied 45% of the fuel consumed on the U.S. East Coast. The disruption lasted nearly a week, resulting in panic buying and fuel shortages. In a controversial decision, Colonial Pipeline paid a ransom of nearly $4.4 million in exchange for the decryption keys to get its systems back online. One month later, with recovery efforts and investigations ongoing, Colonial Pipeline CEO Joseph Blount defended that decision before the U.S. Senate, testifying,

“We were in a harrowing situation and had to make difficult choices that no company ever wants to face.”

Blount’s testimony echoes the experiences of many of the CEOs we have interviewed as part of our research into how leaders manage cybersecurity risk and attacks.¹ These CEOs shared with us similarly painful accounts of having to make existential decisions based on imperfect information, under enormous pressure, in an area where they had relatively little expertise. Serious cyberattacks thrust CEOs into the public eye, where they are scrutinized by the media, shareholders, regulators, and other stakeholders.

We conducted 37 in-depth interviews with the chief executives of large enterprises (with average revenues of $12 billion) in the United States, Europe, and Asia. Nine of them had led their company through a serious cyberattack, which allowed us to compare their battle-tested views with those of CEOs who had not yet suffered such an attack. This article outlines strategies, based on their lessons, to help your organization stop over-relying on cybersecurity and start building cyber resilience as a strategic opportunity.

This story is from the Summer 2024 edition of MIT Sloan Management Review.
