Ransomware and the C-Suite: Bridging the Gap Between Security Professionals and Executives

Common Ransomware Attack Vectors
Written by Rachel Holmes

Ransomware is the dominant threat to enterprises in 2022, yet despite the wave of recent high-profile attacks, business executives are bullish about their organization’s resilience in the face of this growing trend.

A new study by (ISC)2, finds that 71% of C-suite executives are confident that their organization is protected from ransomware. But are they too confident? The same study suggests that 43% of executives want more details from security teams about how to prevent a ransomware attack and need more timely updates after major breaches to see if their organization was affected or is vulnerable. In addition, 38% of executives need clearer assessments of ransomware risk so they can make informed decisions.

Worryingly, executives in sectors such as healthcare (83%) and financial services (83%) are the most confident. Yet, Bitsight research shows that 61% of healthcare organizations and 54% of financial firms are at a heightened risk of ransomware attacks. If cybersecurity professionals feel their C-suite is overconfident about ransomware, it’s time to speak up and deliver a dose of reality. 

The ISC(2) study into ransomware and the C-suite provides five tips for cybersecurity team leaders to consider in their conversations and reports to executives about the ransomware threat. We summarize these below and suggest best practices for educating corporate leaders and making a stronger case for investment in cybersecurity resources.

Ransomware and the C-Suite: What Cybersecurity Leaders Need to Know

Tip #1: Increase Communication and Reporting to Leadership

The feedback is clear. Executives want and need more communication from cybersecurity practitioners about ransomware threats. They also want more detail, depth, and explanation in that reporting to ensure that they can fully understand the landscape to facilitate more informed decisions and supporting calls for cybersecurity investment. 

To meet this need, organizations must implement new reporting processes and create consensus with leadership about what information they care about most to deliver powerful reporting that supports the decision-making process.

Tip #2: Temper Overconfidence as Needed

Security leaders must be clear and realistic about the cybersecurity threats and vulnerabilities the organization faces and its resilience in the face of a ransomware attack.

They must also make that threat understandable and relatable. This means cutting through the technical jargon and measuring and reporting cyber risk in a language that makes sense to business leaders. How will an attack impact the organization’s balance sheet? What will it cost the company in total? Bitsight can answer those questions in straightforward terms.

With Bitsight, security and risk management teams can simulate their organization’s financial exposure across thousands of cyber events, including ransomware, denial of service, compliance issues, supply chain attacks, and more.

They’ll get actionable metrics on the financial impact of ransomware and other attack vectors, including denial-of-service (DDoS) incidents and extortion attacks, data theft and privacy breaches, and even third-party service provider failures such as an outage, disruption, or a malicious attack that results in data loss. And, because third parties can hold an organization accountable for cyber-related damages or losses, these compensation claims are factored into calculations.

By transforming the technical side of cybersecurity into financial language, security leaders can better guide C-suite discussions around cyber risk management and justify new technology investments.

Tip #3: Tailor the Message Delivered to Executives

When it comes to the ransomware threat, executives worry about different things. The top concern is regulatory sanctions (38%) followed by loss of data or intellectual property (34%). Other concerns include loss of confidence among employees, loss of business due to outages, worry that data will be compromised even after paying a ransom, reputational harm, and remediation costs. 

Risk tolerance also varies by industry, so it's important for security leaders to focus on the top areas that executives care most about. For example, if regulatory compliance is a high priority, security leaders need to understand the regulatory landscape and the consequences of non-compliance. They must also position risk to leadership in a way that aligns specifically with their concerns, and build reporting around what’s most important.

One way to do this is to show how the company’s security program stacks up against others in the industry. For instance, firms in the highly regulated financial sector could compare their cybersecurity performance to peers and competitors. They can then use these in depth insights to uncover the standards of care that exist among their peer group and the level of security performance that the company should attain to be “best-in-class.” 

They can also use these comparisons to identify gaps in their own organization’s security performance, create informed improvement plans, and confidently report to the C-suite about where investments must be prioritized and resources allocated.  
 

cyber risk reporting ebook

Learn how to revolutionize the reporting process at every level of your organization.

Tip #4: Make the Case for New Staff and Other Investments

Security leaders must also push for more focus on building a resilient, deeper team of cybersecurity professionals. 

The (ISC)2 ransomware study indicates a healthy level of awareness in the C-suite about the dangers of ransomware and its potential effects. But even though executives are taking some ownership of the problem by requesting more information from cybersecurity teams and investing in defenses, most still see cybersecurity professionals as ultimately responsible for cyber defenses.

Once more Bitsight can help. Our data-driven, evidence-based cyber risk monitoring tools enable security leaders to continuously monitor cybersecurity program performance over time. They can also identify areas of concentrated risk as well as weaknesses in the organization’s security program and communicate their findings to the C-suite. By justifying spending and staffing requests based on risk-based cybersecurity metrics and benchmarks, security leaders can explain the value of continued cybersecurity funding and staffing.

Tip #5: Make Clear that Ransomware Defense is Everyone's Responsibility

The (ISC)2 study indicates that responsibility for ransomware is not clear cut in the minds of the C-suite with an even spread of ownership between cybersecurity, IT, and executive leadership.

It’s important that organizations embrace the fact that resiliency in the face of ransomware is everyone’s responsibility and avoid compartmentalizing responsibility and visibility of the threat and share risk management policies and processes.

Ultimately, leadership must come from the top of the organization in all instances, but it is the responsibility of cybersecurity professionals to inform and educate senior leadership about the growing ransomware trend, empower their organization to build stronger cybersecurity programs, and ensure the organization’s readiness and cyber resilience in the face of that threat.

Learn more about the growing ransomware threat and evidence-based strategies to lower your risk of becoming a ransomware victim.