Harvard | Mr. Consumer Goods Senior Manager
GMAT 740, GPA 8.27/10
Berkeley Haas | Mr. Evolving Teacher
GRE 328, GPA 3.26
Columbia | Mr. Indian I-Banker
GMAT 740, GPA 8.63
Cornell Johnson | Ms. Chef Instructor
GMAT 760, GPA 3.3
UCLA Anderson | Ms. Tech-y Athlete
GRE , GPA 3.63
Harvard | Mr. Deferred Financial Poet
GMAT 710, GPA 3.68
Harvard | Mr. Lieutenant To Consultant
GMAT 760, GPA 3.7
Berkeley Haas | Ms. EV Evangelist
GRE 334, GPA 2.67
Wharton | Ms. Product Manager
GMAT 730, GPA 3.4
Wharton | Mr. Indian Engineer + MBA Now In Consulting
GMAT 760, GPA 8.7 / 10
Chicago Booth | Mr. EduTech
GRE 337, GPA 3.9
Cornell Johnson | Mr. Indonesian Salesperson
GMAT 660, GPA 3.49
Berkeley Haas | Mr. LGBT+CPG
GMAT 720, GPA 3.95
McCombs School of Business | Ms. Tech For Non-Profits
GRE 312, GPA 3.2
Harvard | Mr. Combat Pilot Non-Profit Leader
GRE 329, GPA 3.73
UCLA Anderson | Mr. Actual Poet
GMAT 720, GPA 12.0/14
MIT Sloan | Mr. Indian Healthcare Analytics
GMAT 720, GPA 7.8
Harvard | Mr. Healthcare Administration & Policy Latino Advocate
GRE 324, GPA 3.4
Cornell Johnson | Mr. Asian Mexican Finance Hombre
GMAT 650, GPA 2.967
Stanford GSB | Mr. Filipino Startup
GMAT 710, GPA 3.7
Columbia | Mr. Fintech Data Scientist
GMAT 710, GPA 3.66
Tuck | Mr. Opportunities In MBB
GMAT 710, GPA 3.4
Stanford GSB | Mr. Co-Founder & Analytics Manager
GMAT 750, GPA 7.4 out of 10.0 - 4th in Class
Harvard | Mr. Strategy For Social Good
GRE 325, GPA 3.5
MIT Sloan | Mr. Spaniard
GMAT 710, GPA 7 out of 10 (top 15%)
NYU Stern | Ms. Hopeful NYU Stern Marketing Ph.D.
GRE 297, GPA 2.8
Harvard | Mr. Strategy Consultant Middle East
GMAT 760, GPA 3.4

At Cybersecurity Summit, Warnings For Biz, And All

Stuart Madnick

When long-time MIT Sloan professor Stuart Madnick talks to his MBA students about cybersecurity, he doesn’t frame it as a national security issue — though it certainly is that. He frames it as a management issue.

The average cyberattack on a business has been going on for 270 days before it’s discovered, says Madnick, the John Norris Maguire professor of information technologies. He cites the 2014 hack of personal details from as many as 1 billion Yahoo accounts to show that in most cases, cyber crime catches business leaders flat-footed.

“When people in the industry talk about cyberattacks, they usually talk about three key phases: the penetration, the detection, and the recovery,” Madnick tells Poets&Quants. “By and large we do a poor job at prevention, we do a terrible job at discovery, and we’re doing a godawful job at recovery. And when someone shoves the microphone in front of the CEO of Yahoo and says, ‘What are you going to do about this, what are you going to say about this? Has she developed an action plan six months ago already?’ — the answer is probably not. Almost always they are caught flat-footed, and almost always the initial responses are embarrassing.”

Madnick’s message will get a broader airing Wednesday (Oct. 5) when he serves as a panelist at the Cambridge Cyber Summit, a collaboration between CNBC, the Aspen Institute, and various departments of MIT in the Kresge Auditorium on the school’s campus. CNBC will cover the event live.


To his students, Madnick, director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, offers a somewhat grim outlook of the fight to thwart cyber criminals. He doesn’t plan to pull any punches for the expected audience of 300 to 400 middle to upper managers at Wednesday’s summit, either.

For one thing, he says, for every widely read story about Yahoo’s security breach or the theft of $81 million from the Bank of Bangladesh, which happened in February, many other potentially more dangerous events were barely noticed: a Turkish pipeline that was attacked in 2008, or the German steel mill that sustained massive physical damage in late 2014. Around the holidays in 2015, two Ukrainian power companies were infiltrated, and power was cut to 80,000. “There is a huge disconnect that most people have no idea of the increasing amount of risk that organizations are facing and that individuals are facing,” Madnick says.

“I have a number of viewpoints on the issue and one of the more controversial ones is that the worst is yet to come,” he says. “That’s partly because of the amount of automation in many forms: autonomous vehicles, increasingly automated factories, especially with the various renewable energies, and so on. We’re becoming increasingly dependent on automation and computerization to run more and more of our world. The number of attack surfaces is going to increase at least tenfold, if not fifty-fold, in the next five years.”


It won’t only be big, splashy attacks that cause corporate or industrial damage in the tens of millions, Madnick says. Smaller, individual attacks — he cites a recent case in which a computerized refrigerator was used as a botnet to send out pornographic spam — will become more common. Then there’s what’s called ransomware. Imagine getting a text message in the morning that your coffee maker is being held hostage, Madnick says, and you won’t get your morning cup of Joe “unless you deposit $10 into this account.”

There are thousands of other examples of ransomware going on this year, Madnick says.

Don’t (necessarily) blame it all on the Russians, he adds. “The Russians, the Chinese, the North Koreans — there are a lot of countries, including the United States, that have invested a lot in what are called cyber weaponry, by which I mean various techniques and methods by which they can break into people’s systems — refrigerators and coffee makers, whatever the case may be. But to attribute all of it to the Russians is probably an overstatement,” he says, adding that “from our research, our view is that in cyber crime, a criminal network is probably much more active in most of these matters.”

Moreover, while the FBI seems convinced that the highly publicized hack this summer of the Democratic National Committee was the work of Russian agents provocateur, Madnick is not so sure. Why, he asks, wouldn’t someone who knows what he’s doing leave evidence that a hack was the work of someone else? “This is an issue we call attribution,” he says. “If you’re really good at it, you try hard to misdirect.”


Such sophisticated threats “require a multi-pronged response,” Madnick wrote in a Sept. 24 story for CNBC. “And while each organization will fashion its own customized response, we believe that all companies, institutions and government agencies should think holistically e2e, end-to-end.

“It is up to senior business leaders to take the lead in protecting their organizations; and in the dark and complex world of cyber crime, that can only be accomplished by working together with government, industry, and academia.”

In his class this fall, Managing Web 3.0, Madnick and his MBA students discuss managing the whole new world of Internet-controlled everything, especially the allocation of resources to different activities of cybersecurity. Five lectures are dedicated to the subject, he says. In January he’ll teach a short course on cybersecurity ethics.

At heart, he says, cybersecurity is a management issue. “If you look at various studies that have been done about cyberattacks, you’ll find that between 50% and 80% of all attacks are aided or abetted by insiders — usually unintentionally. I can put a stronger lock on my door, but if I keep leaving the key under the mat, I haven’t made my office more secure. So exactly what policies, procedures, and methods are you putting in place?”