(ISC)², the nonprofit association of certified cybersecurity professionals, has released the findings of a new study titled, “Ransomware in the C-Suite: What Cybersecurity Leaders Need to Know About What Executives Need to Hear.”
The study provides insights for cybersecurity professionals into the minds of C-suite executives and how they perceive their organizations’ readiness for ransomware attacks. This data underscores the need for clearer and more frequent communications between cybersecurity teams and executives and offers best practices security leaders should implement to improve those interactions.
The survey of 750 C-level executives across the United States and the United Kingdom reveals that the high-profile ransomware attacks of 2021 have created an opportunity for cybersecurity leaders to proactively address their organizational readiness by providing more detailed updates and actionable intelligence to the C-suite. The data shows that while executive confidence about ransomware defenses remains high, there is a strong willingness to invest in technology and staff.
“With this study, we wanted to provide deeper insights from executives who are ultimately responsible for protecting their organizations from ransomware,” said Clar Rosso, CEO, (ISC)². “The study gives cybersecurity professionals a window into what their C-suite cares about when it comes to the potential impact of ransomware. Knowing this, and by tailoring their ransomware education and risk reporting accordingly, security teams can get the support they need to mitigate this high-profile risk to their organization.”
Confidence is High
Surprisingly, respondents expressed high levels of confidence about their organizations’ preparedness to handle a ransomware attack. The recent spate of attacks has not eroded that confidence either. In fact, there was a slight uptick in confidence (69% up to 71%) in the wake of the year’s high-profile breaches. Only 15% of executives reported a lack of confidence.
What They Need to Know
Respondents were also asked what information they most need from their cybersecurity teams when it comes to ransomware. The top items were assurance that data backup and restoration plans would not themselves be affected by a ransomware attack (38%), how minimal operations could be restored in the event of an attack (33%), and how prepared the organization is to engage with law enforcement (32%).
What Worries Executives
If hit by a ransomware attack, the top concern among leaders, cited by 38% of respondents, is exposure to regulatory sanctions. The concern is higher in the United Kingdom (41%) than in the United States (36%). The second biggest concern for executives (34%) in the event of a ransomware attack is loss of data or intellectual property, followed equally (31% each) by concerns about loss of confidence among employees, loss of business due to systems outage, uncertainty that data could still be compromised even after paying a ransom, and reputational harm.
Five Tips for Cybersecurity Team Leaders
Based on the feedback from C-suite respondents, the study outlines five key tips for cybersecurity team leaders to consider in their conversations with and reports to executives about ransomware threats. The five tips are as follows:
• Increase communication and reporting to leadership
• Temper overconfidence as needed
• Tailor your message
• Make the case for new staff and other investments
• Make clear that ransomware defense is everyone’s responsibility
The (ISC)² Ransomware Study was a blind survey conducted by (ISC)² and Opinion Matters in September 2021. The total respondent base included 750 C-suite executives (CEO, CFO, CIO, COO, General Counsel/CLO, President) from organizations with more than 500 employees. Of these, 500 respondents were from the U.S. and 250 from the U.K. The margin of error is plus or minus 3.6% at a 95% confidence level.