(ISC)2 Study Sheds Light on How Cybersecurity Teams and Executive Leaders Communicate About Ransomware

Clearwater, Fla. (Dec. 9, 2021) - (ISC)2 – the world's largest nonprofit association of certified cybersecurity professionals – today released the findings of a new study titled, "Ransomware in the C-Suite: What Cybersecurity Leaders Need to Know About What Executives Need to Hear." The study provides insights for cybersecurity professionals into the minds of C-suite executives and how they perceive their organizations' readiness for ransomware attacks.


This data underscores the need for clearer and more frequent communications between cybersecurity teams and executives and offers best practices security leaders should implement to improve those interactions.


The survey of 750 C-level executives across the United States and the United Kingdom reveals that the high-profile ransomware attacks of 2021 have created an opportunity for cybersecurity leaders to proactively address their organizational readiness by providing more detailed updates and actionable intelligence to the C-suite. The data shows that while executive confidence about ransomware defenses remains high, there is a strong willingness to invest in technology and staff.


"With this study, we wanted to provide deeper insights from executives who are ultimately responsible for protecting their organizations from ransomware," said Clar Rosso, CEO, (ISC)2. "The study gives cybersecurity professionals a window into what their C-suite cares about when it comes to the potential impact of ransomware. Knowing this, and by tailoring their ransomware education and risk reporting accordingly, security teams can get the support they need to mitigate this high-profile risk to their organization."


Confidence is High


Surprisingly, respondents expressed high levels of confidence about their organizations' preparedness to handle a ransomware attack. The recent spate of attacks has not eroded that confidence either. In fact, there was a slight uptick in confidence (69% up to 71%) in the wake of the year's high-profile breaches. Only 15% of executives reported a lack of confidence.


What They Need to Know


Respondents were also asked about the most critical information they need from their cybersecurity teams when it comes to ransomware, and their top concerns included ensuring data backup and restoration plans were not impacted by ransomware (38%), how minimal operations can be restored in the event of an attack (33%), and how prepared the organization is to engage with law enforcement (32%).


What Worries Executives


If hit by a ransomware attack, the top concern among leaders, cited by 38% of respondents, is exposure to regulatory sanctions. The concern is higher in the United Kingdom (41%) than in the United States (36%). The second biggest concern for executives (34%) in the event of a ransomware attack is loss of data or intellectual property, followed equally (31% each) by concerns about loss of confidence among employees, loss of business due to systems outage, uncertainty that data could still be compromised even after paying a ransom, and reputational harm.


Five Tips for Cybersecurity Team Leaders


Based on the feedback from C-suite respondents, the study outlines five key tips for cybersecurity team leaders to consider in their conversations with and reports to executives about ransomware threats. More details on each tip can be found in the report, but the five tips are as follows:


  • Increase communication and reporting to leadership
  • Temper overconfidence as needed
  • Tailor your message
  • Make the case for new staff and other investments
  • Make clear that ransomware defense is everyone's responsibility


To download a copy of the report and learn more about the recommended actions organizations can take, visit: https://www.isc2.org/Research/Ransomware-Study


The (ISC)2 Ransomware Study was a blind survey conducted by (ISC)2 and Opinion Matters in September 2021. The total respondent base included 750 C-suite executives (CEO, CFO, CIO, COO, General Counsel/CLO, President) from organizations with more than 500 employees. Of these, 500 respondents were from the U.S. and 250 from the U.K. The margin of error is plus or minus 3.6% at a 95% confidence level.


About (ISC)2

(ISC)2 is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)2 offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our membership, more than 160,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education. For more information on (ISC)2, visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.