(ISC)² study sheds light on companies' ransomware communications

Survey data provides cybersecurity professionals with actionable intelligence about what the C-suite needs to know to feel confident about ransomware preparedness and response strategies.

(ISC)² has released the findings of a new study titled, “Ransomware in the C-Suite: What Cybersecurity Leaders Need to Know About What Executives Need to Hear.” The study provides insights for cybersecurity professionals into the minds of C-suite executives and how they perceive their organisations’ readiness for ransomware attacks. This data underscores the need for clearer and more frequent communications between cybersecurity teams and executives and offers best practices security leaders should implement to improve those interactions.

The survey of 750 C-level executives across the United Kingdom and United States reveals that the high-profile ransomware attacks of 2021 have created an opportunity for cybersecurity leaders to proactively address their organisational readiness by providing more detailed updates and actionable intelligence to the C-suite. The data shows that while executive confidence about ransomware defences remains high, there is a strong willingness to invest in technology and staff.

“With this study, we wanted to provide deeper insights from executives who are ultimately responsible for protecting their organisations from ransomware,” said Clar Rosso, CEO, (ISC)². “The study gives cybersecurity professionals a window into what their C-suite cares about when it comes to the potential impact of ransomware. Knowing this, and by tailoring their ransomware education and risk reporting accordingly, security teams can get the support they need to mitigate this high-profile risk to their organisation.”

Confidence is High

Surprisingly, respondents expressed high levels of confidence about their organisations’ preparedness to handle a ransomware attack. The recent spate of attacks has not eroded that confidence either. In fact, there was a slight uptick in confidence (69% up to 71%) in the wake of the year’s high-profile breaches. Only 15% of executives reported a lack of confidence.

What They Need to Know

Respondents were also asked about the most critical information they need from their cybersecurity teams when it comes to ransomware, and their top concerns included ensuring data backup and restoration plans were not impacted by ransomware (38%), how minimal operations can be restored in the event of an attack (33%), and how prepared the organisation is to engage with law enforcement (32%).

What Worries Executives

If hit by a ransomware attack, the top concern among leaders, cited by 38% of respondents, is exposure to regulatory sanctions. The concern is higher in the United Kingdom (41%) than in the United States (36%). The second biggest concern for executives (34%) in the event of a ransomware attack is loss of data or intellectual property, followed equally (31% each) by concerns about loss of confidence among employees, loss of business due to systems outage, uncertainty that data could still be compromised even after paying a ransom, and reputational harm.

Five Tips for Cybersecurity Team Leaders

Based on the feedback from C-suite respondents, the study outlines five key tips for cybersecurity team leaders to consider in their conversations with and reports to executives about ransomware threats. More details on each tip can be found in the report, but the five tips are as follows:

• Increase communication and reporting to leadership

• Temper overconfidence as needed

• Tailor your message

• Make the case for new staff and other investments

• Make clear that ransomware defence is everyone’s responsibility

