How Business Leaders Can Prepare for a Cyberattack
Skip to content
Leadership Organizations Nov 1, 2019

How Business Leaders Can Prepare for a Cyberattack

The former head of U.S. Cyber Command explains why any company can be a target.

rugby defenders against cyberattack

Michael Meier

Based on insights from

Sandeep Baliga

Michael Rogers

Unless you are completely unplugged from global technology, your organization has had to contend with the rise in cyberattacks. Whether you are protecting your employees’ identities, ensuring the safety of your company’s intellectual property, or defending your nation’s security, a lot is at stake. Understanding the threats and knowing how to respond to cyber emergencies is critical to any organization’s operations.

Michael Rogers, a Senior Fellow and Adjunct Professor within the Kellogg Public–Private Interface, is a retired four-star admiral in the U.S. Navy who served as a commander in the U.S. Cyber Command and director at the National Security Agency. In those roles, he helped develop cyber intelligence and technology policy. Since leaving the Navy, he has turned his expertise to helping companies and industries in the private sector cope with cybersecurity issues.

Rogers recently sat down with Sandeep Baliga, a professor of managerial economics and decision sciences at Kellogg, to discuss cybersecurity threats and how leaders can guide their teams through crises.

This conversation took place as part of a recent course on Leadership and Crisis Management at Kellogg. It has been edited for length and clarity.

Sandeep Baliga: In the modern world, all sorts of businesses and institutions are subject to cyberattack. So, please set the stage for us. What kinds of cyberattacks are companies dealing with?

Michael Rogers: In general, cyber-threat activity has a few primary purposes. The most active one is generating revenue. That’s what you see individual criminals doing, but also lone nations like North Korea that use cyber to rob banks, break into online gaming sites to steal money, and mine Bitcoin. These countries are no longer a part of the international financial structure, so they can no longer move money through SWIFT, the global messaging network that allows institutions to securely share information. They had to come up with a different way to get money, and one of the ways they decided on was, “Hey, we can steal it.”

The second purpose is stealing intellectual property. The Chinese government, for example, are interested in oil exploration in the South China Sea. So a huge part of their national strategy with respect to cyber is going after U.S. natural gas and petroleum extraction sites’ technologies.

Companies are the number-one targets for stealing intellectual property, but they are not alone. A lot of major universities around the United States and other parts of the world are starting to realize that nations including the Chinese, the Russians, the Iranians, and the North Koreans are pulling research and dissertations. They’re not doing it because they want to check your students’ grades! They think there’s potential value that can generate an advantage for them.

Third, criminal entities are locking down a company’s data and saying, “Hey look, you want access to this, you’re going to pay us tens of thousands of dollars.” To date, much of this activity has been directed at data, but you watch: it’s going to start going after operating technology, the automated systems that you put in line that enable you to remotely control manufacturing processes, or the movement of petroleum and natural gas across the nation.

Finally, cyber is being used as a weapon designed to achieve hardware or infrastructure impact. Traditionally, that was directed at nation states. But more and more, it is directed at companies. This last one means that companies have to think about risk more broadly. I have heard people say, “Yeah, but our company’s in the food industry. Why would anybody care about us?”

They might think they’re a food company, but to the rest of the world, they are an American food company associated in many ways with America’s lifestyle. That means they’re a potential target, above and beyond any intellectual property associated with food or food processing.

Baliga: So they’re going to attack you just because you’re American. What should American companies do to prepare for this event then?

Rogers: I tell boards to prepare the exact same way as in every other area of their business: prioritize, decide where you can take risk and where you can get the greatest return, and that’s what you focus on.

I suggest looking at cybersecurity from two very different perspectives. First, what are the most likely scenarios? If you can understand how to defend against those, you can deal with most cyberattacks.

The other perspective is a little more challenging: threats that are low probability, but if an opponent is successful, you’ve got massive problems. For example, the Department of Defense has to think about an attack on nuclear infrastructure. We assess this attack as low probability. However, if someone was able to attack successfully, think about the implications for our nation and around the world. So we have to commit a lot of resources toward defense, more than you might expect given the probability of it happening.

The way I frame the question is, “Tell me what processes, data, and infrastructure are most linked to your ability to execute whatever your mission is.” Because your answer to that question is exactly where you want to focus your efforts. In other areas, you can take a risk.

But having said that, when you do take that risk, leadership has to be prepared if it goes wrong in those areas.

Baliga: Let’s say that now you are in an actual crisis. What is the most important thing for a leader to do?

Rogers: I find the most difficult thing, in my experience, is when you’re in the middle of a crisis, your stakeholders generally want you to deal with things immediately. They aren’t interested in you saying, “Hey, give me a year or two to make this investment or get us where we need to be.” They need you to address the situation now.

That means you’re going to have to address substandard or poor performers right away. You might otherwise put up with people who are inexperienced or poorly trained because you view them as a long-term investment. But in a crisis, you have to be willing to say, “Okay, step aside, Johnson,” even if just temporarily. That is hard culturally for a lot of people, because it is also important to treat men and women with respect, and let them train and become more experienced over time. But as a leader, you’ve got to be willing to not be popular.

“When you’re in the middle of a crisis, your stakeholders generally want you to deal with things immediately. They aren’t interested in you saying, ‘Hey, give me a year or two to make this investment or get us where we need to be.’ They need you to address the situation now.”

— Michael Rogers

Baliga: So even if you have to replace these people in a crisis, you still have a continuing relationship with them. How do you navigate that?

Rogers: I always tell them, “This is as much my fault as yours, because I failed to put you in the right spot. And I want to apologize for that. I am not trying to embarrass or undercut you.”

In probably 95 percent of the scenarios, I would also say, “Do not interpret this as me not believing in you or you not having a viable future with our organization. We just find ourselves in an extraordinary situation and need to deliver quickly.”

But this brings me to an important point. Whatever organization you lead, one of the questions you always need to ask yourself is whether your day-to-day decision-making structure is the same as what you are going to use in a crisis. To immediately revert to a totally different structure in times of crisis is something I find very confusing. Your partners outside the organization certainly won’t understand this. They’re used to dealing with a particular person on this issue, and suddenly you’ve got a whole new team, and a whole new structure?

That means when you’re putting people in jobs, you just don’t think about their day-to-day activities. Make sure that the people on your team have the experience that you need in a crisis.

Baliga: The crisis situation that you describe is one where there’s a hierarchy and there’s an authority figure who then looks at a subordinate and says, “Look, I’m going to use my authority to replace you with somebody else.” Are there reverse situations where you bring decision-making down to lower tiers in the hierarchy and allow them to take control and make decisions?

Rogers: Absolutely. In the military, leaders would build cross-functional teams that would include a lot of different disciplines, different demographics, and different levels of experience.

We would tell the team, “Here’s the problem, and here are your mission priorities. Come back and give us a sense of your plan, how you want to organize yourself, and what resources you need. Talk to me about timelines, and let me get a sense for what things are beyond your control.”

Nothing helps energize organizations like a clear sense of ownership of the process.

Baliga: I’d like to ask you a question about a very unique leadership problem now. When you became director of the National Security Association in 2014 [shortly after Edward Snowden’s release of highly classified information and subsequent criticism], you inherited an organization that had been through an ordeal. What did you do to recover and rebuild from that experience?

Rogers: It was an interesting challenge. From the perspective of the workforce at the NSA, they never did anything illegal. There were three independent reviews directed by President Obama in the aftermath, and all three came back and said, “You were fully compliant with the law.” So the questions left for us were: How are we going to continue to comply with the law? How will we continue to generate insights that help defend our nation?

My comment to the team was, “Guys, I get it that we feel vindicated internally. But we have to acknowledge that we are dealing with perception, and right now the perception is that we are engaged in activities that are not necessarily in accordance with the visions of our citizens. And so we have to ask ourselves what do we need to do differently?”

We felt we needed to talk more about what we are doing and why. Not so much how—when you start to talk about how very publicly, criminal entities and terrorist groups who watch and read American media change their behavior. But we did have to figure out how to talk more about the what and the why.

Baliga: It’s interesting that you had to bridge that gap between being transparent and being an intelligence organization and not compromising your mission.

Rogers: Yes, and the challenge was cultural. We’d never done this before. And I’d say, “I understand that, and there’s nothing wrong with you having that concern, but on the other hand, we have to be willing to do things differently. And we are doing this for mission execution, because if we lose the confidence of the citizens that we serve, we are going to lose some of the legal underpinning that’s been granted to us. That’s part of the challenge of living in a Democratic society. So, think about your real mission.”

Featured Faculty

John L. and Helen Kellogg Professor of Managerial Economics & Decision Sciences

Senior Fellow and Adjunct Professor in the Kellogg Executive Leadership Institute

Most Popular This Week
  1. One Key to a Happy Marriage? A Joint Bank Account.
    Merging finances helps newlyweds align their financial goals and avoid scorekeeping.
    married couple standing at bank teller's window
  2. Take 5: Yikes! When Unintended Consequences Strike
    Good intentions don’t always mean good results. Here’s why humility, and a lot of monitoring, are so important when making big changes.
    People pass an e-cigarette billboard
  3. How Are Black–White Biracial People Perceived in Terms of Race?
    Understanding the answer—and why black and white Americans may percieve biracial people differently—is increasingly important in a multiracial society.
    How are biracial people perceived in terms of race
  4. Will AI Eventually Replace Doctors?
    Maybe not entirely. But the doctor–patient relationship is likely to change dramatically.
    doctors offices in small nodules
  5. Entrepreneurship Through Acquisition Is Still Entrepreneurship
    ETA is one of the fastest-growing paths to entrepreneurship. Here's how to think about it.
    An entrepreneur strides toward a business for sale.
  6. Take 5: Research-Backed Tips for Scheduling Your Day
    Kellogg faculty offer ideas for working smarter and not harder.
    A to-do list with easy and hard tasks
  7. How to Manage a Disengaged Employee—and Get Them Excited about Work Again
    Don’t give up on checked-out team members. Try these strategies instead.
    CEO cheering on team with pom-poms
  8. Which Form of Government Is Best?
    Democracies may not outlast dictatorships, but they adapt better.
    Is democracy the best form of government?
  9. What Went Wrong at AIG?
    Unpacking the insurance giant's collapse during the 2008 financial crisis.
    What went wrong during the AIG financial crisis?
  10. The Appeal of Handmade in an Era of Automation
    This excerpt from the book “The Power of Human" explains why we continue to equate human effort with value.
    person, robot, and elephant make still life drawing.
  11. 2 Factors Will Determine How Much AI Transforms Our Economy
    They’ll also dictate how workers stand to fare.
    robot waiter serves couple in restaurant
  12. When Do Open Borders Make Economic Sense?
    A new study provides a window into the logic behind various immigration policies.
    How immigration affects the economy depends on taxation and worker skills.
  13. Why Do Some People Succeed after Failing, While Others Continue to Flounder?
    A new study dispels some of the mystery behind success after failure.
    Scientists build a staircase from paper
  14. Sitting Near a High-Performer Can Make You Better at Your Job
    “Spillover” from certain coworkers can boost our productivity—or jeopardize our employment.
    The spillover effect in offices impacts workers in close physical proximity.
  15. How the Wormhole Decade (2000–2010) Changed the World
    Five implications no one can afford to ignore.
    The rise of the internet resulted in a global culture shift that changed the world.
  16. What’s at Stake in the Debt-Ceiling Standoff?
    Defaulting would be an unmitigated disaster, quickly felt by ordinary Americans.
    two groups of politicians negotiate while dangling upside down from the ceiling of a room
  17. What Happens to Worker Productivity after a Minimum Wage Increase?
    A pay raise boosts productivity for some—but the impact on the bottom line is more complicated.
    employees unload pallets from a truck using hand carts
  18. Immigrants to the U.S. Create More Jobs than They Take
    A new study finds that immigrants are far more likely to found companies—both large and small—than native-born Americans.
    Immigrant CEO welcomes new hires
  19. How Has Marketing Changed over the Past Half-Century?
    Phil Kotler’s groundbreaking textbook came out 55 years ago. Sixteen editions later, he and coauthor Alexander Chernev discuss how big data, social media, and purpose-driven branding are moving the field forward.
    people in 1967 and 2022 react to advertising
  20. 3 Traits of Successful Market-Creating Entrepreneurs
    Creating a market isn’t for the faint of heart. But a dose of humility can go a long way.
    man standing on hilltop overlooking city
More in Leadership