How Business Leaders Can Prepare for a Cyberattack
Leadership Organizations Nov 1, 2019

The former head of U.S. Cyber Command explains why any company can be a target.

Michael Meier

Based on insights from

Sandeep Baliga

Michael Rogers

Unless you are completely unplugged from global technology, your organization has had to contend with the rise in cyberattacks. Whether you are protecting your employees’ identities, ensuring the safety of your company’s intellectual property, or defending your nation’s security, a lot is at stake. Understanding the threats and knowing how to respond to cyber emergencies is critical to any organization’s operations.

Michael Rogers, a Senior Fellow and Adjunct Professor within the Kellogg Public–Private Interface, is a retired four-star admiral in the U.S. Navy who served as a commander in the U.S. Cyber Command and director at the National Security Agency. In those roles, he helped develop cyber intelligence and technology policy. Since leaving the Navy, he has turned his expertise to helping companies and industries in the private sector cope with cybersecurity issues.

Rogers recently sat down with Sandeep Baliga, a professor of managerial economics and decision sciences at Kellogg, to discuss cybersecurity threats and how leaders can guide their teams through crises.

This conversation took place as part of a recent course on Leadership and Crisis Management at Kellogg. It has been edited for length and clarity.

Sandeep Baliga: In the modern world, all sorts of businesses and institutions are subject to cyberattack. So, please set the stage for us. What kinds of cyberattacks are companies dealing with?

Michael Rogers: In general, cyber-threat activity has a few primary purposes. The most active one is generating revenue. That’s what you see individual criminals doing, but also lone nations like North Korea that use cyber to rob banks, break into online gaming sites to steal money, and mine Bitcoin. These countries are no longer a part of the international financial structure, so they can no longer move money through SWIFT, the global messaging network that allows institutions to securely share information. They had to come up with a different way to get money, and one of the ways they decided on was, “Hey, we can steal it.”

The second purpose is stealing intellectual property. The Chinese government, for example, is interested in oil exploration in the South China Sea. So a huge part of their national strategy with respect to cyber is going after U.S. natural gas and petroleum extraction sites’ technologies.

Companies are the number-one targets for stealing intellectual property, but they are not alone. A lot of major universities around the United States and other parts of the world are starting to realize that nations including the Chinese, the Russians, the Iranians, and the North Koreans are pulling research and dissertations. They’re not doing it because they want to check your students’ grades! They think there’s potential value that can generate an advantage for them.

Third, criminal entities are locking down a company’s data and saying, “Hey look, you want access to this, you’re going to pay us tens of thousands of dollars.” To date, much of this activity has been directed at data, but you watch: it’s going to start going after operating technology, the automated systems that you put in line that enable you to remotely control manufacturing processes, or the movement of petroleum and natural gas across the nation.

Finally, cyber is being used as a weapon designed to achieve hardware or infrastructure impact. Traditionally, that was directed at nation states. But more and more, it is directed at companies. This last one means that companies have to think about risk more broadly. I have heard people say, “Yeah, but our company’s in the food industry. Why would anybody care about us?”

They might think they’re a food company, but to the rest of the world, they are an American food company associated in many ways with America’s lifestyle. That means they’re a potential target, above and beyond any intellectual property associated with food or food processing.

Baliga: So they’re going to attack you just because you’re American. What should American companies do to prepare for this event then?

Rogers: I tell boards to prepare the exact same way as in every other area of their business: prioritize, decide where you can take risk and where you can get the greatest return, and that’s what you focus on.

I suggest looking at cybersecurity from two very different perspectives. First, what are the most likely scenarios? If you can understand how to defend against those, you can deal with most cyberattacks.

The other perspective is a little more challenging: threats that are low probability, but if an opponent is successful, you’ve got massive problems. For example, the Department of Defense has to think about an attack on nuclear infrastructure. We assess this attack as low probability. However, if someone was able to attack successfully, think about the implications for our nation and around the world. So we have to commit a lot of resources toward defense, more than you might expect given the probability of it happening.

The way I frame the question is, “Tell me what processes, data, and infrastructure are most linked to your ability to execute whatever your mission is.” Because your answer to that question is exactly where you want to focus your efforts. In other areas, you can take a risk.

But having said that, when you do take that risk, leadership has to be prepared if it goes wrong in those areas.

Baliga: Let’s say that now you are in an actual crisis. What is the most important thing for a leader to do?

Rogers: I find the most difficult thing, in my experience, is when you’re in the middle of a crisis, your stakeholders generally want you to deal with things immediately. They aren’t interested in you saying, “Hey, give me a year or two to make this investment or get us where we need to be.” They need you to address the situation now.

That means you’re going to have to address substandard or poor performers right away. You might otherwise put up with people who are inexperienced or poorly trained because you view them as a long-term investment. But in a crisis, you have to be willing to say, “Okay, step aside, Johnson,” even if just temporarily. That is hard culturally for a lot of people, because it is also important to treat men and women with respect, and let them train and become more experienced over time. But as a leader, you’ve got to be willing to not be popular.

Baliga: So even if you have to replace these people in a crisis, you still have a continuing relationship with them. How do you navigate that?

Rogers: I always tell them, “This is as much my fault as yours, because I failed to put you in the right spot. And I want to apologize for that. I am not trying to embarrass or undercut you.”

In probably 95 percent of the scenarios, I would also say, “Do not interpret this as me not believing in you or you not having a viable future with our organization. We just find ourselves in an extraordinary situation and need to deliver quickly.”

But this brings me to an important point. Whatever organization you lead, one of the questions you always need to ask yourself is whether your day-to-day decision-making structure is the same as what you are going to use in a crisis. To immediately revert to a totally different structure in times of crisis is something I find very confusing. Your partners outside the organization certainly won’t understand this. They’re used to dealing with a particular person on this issue, and suddenly you’ve got a whole new team, and a whole new structure?

That means when you’re putting people in jobs, you just don’t think about their day-to-day activities. Make sure that the people on your team have the experience that you need in a crisis.

Baliga: The crisis situation that you describe is one where there’s a hierarchy and there’s an authority figure who then looks at a subordinate and says, “Look, I’m going to use my authority to replace you with somebody else.” Are there reverse situations where you bring decision-making down to lower tiers in the hierarchy and allow them to take control and make decisions?

Rogers: Absolutely. In the military, leaders would build cross-functional teams that would include a lot of different disciplines, different demographics, and different levels of experience.

We would tell the team, “Here’s the problem, and here are your mission priorities. Come back and give us a sense of your plan, how you want to organize yourself, and what resources you need. Talk to me about timelines, and let me get a sense for what things are beyond your control.”

Nothing helps energize organizations like a clear sense of ownership of the process.

Baliga: I’d like to ask you a question about a very unique leadership problem now. When you became director of the National Security Association in 2014 [shortly after Edward Snowden’s release of highly classified information and subsequent criticism], you inherited an organization that had been through an ordeal. What did you do to recover and rebuild from that experience?

Rogers: It was an interesting challenge. From the perspective of the workforce at the NSA, they never did anything illegal. There were three independent reviews directed by President Obama in the aftermath, and all three came back and said, “You were fully compliant with the law.” So the questions left for us were: How are we going to continue to comply with the law? How will we continue to generate insights that help defend our nation?

My comment to the team was, “Guys, I get it that we feel vindicated internally. But we have to acknowledge that we are dealing with perception, and right now the perception is that we are engaged in activities that are not necessarily in accordance with the visions of our citizens. And so we have to ask ourselves what do we need to do differently?”

We felt we needed to talk more about what we are doing and why. Not so much how—when you start to talk about how very publicly, criminal entities and terrorist groups who watch and read American media change their behavior. But we did have to figure out how to talk more about the what and the why.

Baliga: It’s interesting that you had to bridge that gap between being transparent and being an intelligence organization and not compromising your mission.

Rogers: Yes, and the challenge was cultural. We’d never done this before. And I’d say, “I understand that, and there’s nothing wrong with you having that concern, but on the other hand, we have to be willing to do things differently. And we are doing this for mission execution, because if we lose the confidence of the citizens that we serve, we are going to lose some of the legal underpinning that’s been granted to us. That’s part of the challenge of living in a democratic society. So, think about your real mission.”

Featured Faculty

John L. and Helen Kellogg Professor of Managerial Economics & Decision Sciences

Adjunct Professor within the Kellogg Public Private Initiative; Senior Fellow
