Skip to main content
close search
site logo

Why CEOs become communication chiefs after a cyberattack

When ransomware hit, the CEOs of Colonial Pipeline and Accellion paused their day-to-day duties. Their immediate new roles? Communication.

Published Oct. 7, 2021
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Courtesy of Colonial Pipeline Company

By the time Colonial Pipeline CEO Joe Blount was informed of the May ransomware attack, 5,500 miles of pipeline were turned off, and access to fuel stopped. But was it a physical attack? The impact of the incident was yet to be seen. 

Employees are trained to shut down operations when they perceive risk, Blount said during the Mandiant Defense Summit keynote Wednesday. The company didn't have enough information to know if the ransomware jumped from its IT to OT environments.

On the morning of the incident, May 7, the usual CEO responsibilities immediately shifted to cybersecurity. Blount quickly learned that under stress, Colonial's security teams didn't have enough time or personnel — "so you become actively involved yourself," he said. 

After a major cyberattack that ripples through partnering businesses or the public, CEOs become one of the main players in incident response. The CISO shares duties too, coordinating cyber response with their CEO, who in turn informs stakeholders, federal agencies and customers. 

When Accellion's File Transfer Appliance (FTA) solution was exploited, CEO Jonathan Yaron, and other C-suite executives, made themselves available 24/7 to customers and government agencies globally. 

"You can put aside the day-to-day stuff. And you basically say, 'It's all about the attack. And it's all about making sure everybody knows, that needs to know," and offer remediation, Yaron said during the keynote.

Because Mandiant (formerly FireEye) was an Accellion customer, the security firm made the decision to shut down its Accellion instance, Charles Carmakal, SVP and CTO of Mandiant, said during the keynote. When Mandiant engaged with Accellion, the company spoke directly to Yaron and Accellion's CSO.

The transparency Yaron provided Mandiant, Carmakal said, "gave us a lot of confidence in their technology and we actually turned it back on on that Saturday." 

A shared CEO experience

Given the pedestal CISOs were thrown onto in the last year, CEOs expect real-time information in wake of a massive cyberattack, even when there is little information to provide. 

Yaron's first expectation was to identify the potential victims of the cyberattack. His second expectation was to have a patch for the first zero day within 72 hours, and ensure the necessary parties applied it. Once the initial Band-Aid was applied, Yaron wanted those clients to upgrade from the legacy FTA solution.

Both Accellion and Colonial enlisted outside security firms for forensics. Those security organizations provide unbiased second opinions, and they "keep you honest," Yaron said. 

As CEO, Yaron and the company were advising potential clients to shut off the technology, but without the board's blessing.

"My responsibility was to take the high road and tell [customers] the truth. And the truth was, in that second, we didn't have all the answers," Yaron said. "There's never enough communication," that is the first task. 

Colonial's board "knew enough to know they needed to stay out of the way," during the first few days of the ransomware attack, Blount said. The board is aware of the "stop work authority" employees have when they perceive a risk — there was no questioning the pipeline shutdown in the first hour of the ransomware discovery. From there, Blount wanted to know the immediate next steps in remediation, which in part consisted of at least once-a-day communication with agencies and stakeholders. 

Because Colonial's pipeline is a federally regulated asset, "we had a lot of phone calls to make that morning," including the FBI and Federal Energy Regulatory Commission. The Cybersecurity and Infrastructure Security Agency (CISA) was looped in via the FBI. Ultimately, the Department of Energy became Colonial's main point of contact, Blount said, and he was the department's direct line. 

"I kind of had an informal agreement with the chairman of the board, I would talk to him at least once a day. And then we would pull the board together when there were significant things to report," Blount said. Having the single point of contact between the company and government was the greatest takeaway of the incident.

"Your typical CEO job went out the door just a few hours ago. And it's not coming back for quite some time. You're in the communications game," he said. 

Through collaboration with federal agencies and security firms supporting the response, the company had to delegate what mission-critical systems needed to be restored, and which ones could wait, if need be. After answering those questions, Colonial and Blount had to answer the questions regulators were asking. 

"Lots of people want lots of answers, and they want the answers yesterday … And quite frankly, a lot of those questions aren't critical when your primary focus is containing the risk," Blount said.

Recommended Reading

Filed Under: Strategy, Cyberattacks

Editors' picks

Company Announcements

View all | Post a press release
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell