18 April 2023

How to survive a cyber attack: 3 lessons from the world's top CEOs

William Dixon

Approximately 8% of the world’s GDP, over $10 trillion dollars, is reportedly at risk from cyber attack. At the end of March 2023, a consortium of the world's leading media outlets reminded us how high the stakes are through an international investigative project on Russia’s cyber war machine Project Vulcan. It was another stark warning to global business leaders that the digital ecosystem their enterprises and the wider economy rely on is a contested battleground.

This reminder is critical, cyber issues matter, not only in terms of strategic importance to global prosperity but as an ultimate business leadership challenge. It is also timely, according to Gartner, that 75% of all CEO’s will be personally liable for an incident by next year. A new report, The CEO Report on Cyber Resilience, shares interviews with dozens of global CEOs who have experienced a cyber attack.

Here are three leadership lessons global CEOs shared on surviving a cyber attack.

1. Be prepared: it's not like other business crises

The most common crises organizations face – liquidity, natural disaster, even a pandemic – are seldom malicious acts directed at a business specifically. By contrast, with a cyber attack, suddenly someone is out to get you – causing you to panic, surviving on instinct and your gut. Unlike other crises which often unfold slowly, the damage can be done within minutes, crossing international borders, crippling without warning critical operations. Answers are quickly demanded from the staff, client and the board.
We are a big company but this was life threatening. You can’t produce, you can’t ship, you can’t sell, you can’t invoice, you can’t communicate with your employees and customers… we basically ran the company for nine days on WhatsApp.”— CEO of an $8 billion company.

Cyber attacks lack visibility and are dynamic, CEOs have to be directly involved in negotiation and game theory-esque-like speculation about the adversary’s next move as their company is held to ransom. The predominant feeling is loss of control. And yet despite this the CEO has to be a reassuring presence for all of their stakeholders, where active wargaming, detailed resilience plans, and well-exercised processes can make a real difference.
The CEO Report on Cyber Resilience, ISTARI & University of Oxford, Said Business School.

2. Blind trust to informed trust

A majority of the CEOs reported avoiding making decisions on cyber security issues. When faced with what they perceive as a highly technical domain, they simply delegated it. Around 72% of CEOs surveyed said they didn’t feel comfortable making decisions on cyber issues. Blindly trusting those that are in a crisis can put the fate of the company on the shoulders of people who they are unfamiliar with, and much likely further down the decision making hierarchy.

We had 1,000 managers around the world screaming and shouting that their business process or application is the most important. And we had to have someone divide what goes first, and what can go second.”— CEO of an $80 billion company.


In order to prepare for potential cyber attacks, leaders must be willing to push past their discomfort and engage with cybersecurity experts. Failure to do so leaves them vulnerable at the worst possible time. The Chief Information Security Officer (CISO) reports directly to the CEO, which over a third now do – this is just one way progressive leaders are dealing with this barrier.
The CEO Report on Cyber Resilience, ISTARI & University of Oxford, Said Business School.

3. Amplify, filter, absorb


When a crisis does happen, bad leadership can make matters even worse. How CEOs act, behave and communicate can be the difference between success and failure. Unfortunately most fall into the category of being a “transmitter”. Feeling overwhelmed the CEO defaults to relaying pressure and demands to the organization without barrier or filter. Faced with an onslaught, operational teams often try to assure leaders the issue will be quickly fixed – ultimately making matters worse.

Everybody comes and scares the hell out of me. They told me ‘you should be scared.’ I said I’m already very scared, what do you want me to do?”— CEO of an $18 billion company.


The most successful leaders need to take on multiple roles throughout the lifecycle of an attack. Deep in crisis, the most effective is “absorber” or “amplifier” where the CEO acts as a shield, absorbing panic from the board and acting to reassure stakeholders even if they’re not feeling confident themselves – adding weight to key messages and information when there is a need for urgent action. Finally, acting as a “filter”, they decide who needs to receive what information, distributing it, helping people and teams maintain focus as they rebuild operations.
The CEO Report on Cyber Resilience, ISTARI & University of Oxford, Said Business School.
DISCOVER

What is the World Economic Forum doing on cybersecurity?Show more

Never let a good crisis go to waste

Like those who survived a cyber attack, other leaders now need to view cybersecurity not as a threat, but a strategic opportunity. This is how they can ultimately help build greater resilience, both individually and collectively in the digital economy. Rather than a continuing ominous threat, cybersecurity has to become a strategic driver for value creation, business innovation and systemic resilience. A chance for industries to purge outdated processes, invest in new capabilities, accelerate public-private cooperation and stakeholder engagement. By changing their mindset in this way, leaders can not only survive an attack, but thrive.

No comments: