CEOs are Aware of Ransomware, but Do They Understand?
The World Economic Forum’s 2022 Global Risks Report punctuated what those in the cybersecurity trenches know: ransomware and malicious nation states pose a serious, universal threat.
What’s unique about this data is that it surveyed ~12,000 “country-level leaders” from 124 countries. When asked to rank major threats to the global economy as we know it, “cybersecurity failure” ranks near the top of the list, as shown at right. Out of all the risks offered, world leaders list cyberthreats as 7th most concerning in the next two years, and 8th in the 2-5 year timeframe. Four major developed countries - Australia, Great Britain, Ireland and New Zealand - ranked cyber-failure as their number one risk.
If the visibility among world economic leaders is so high, why has so little been funded to do the work in the trenches? This should serve as a wake-up call to business and IT leaders to narrow the disconnect between infosec professionals and the C-Suite.
Bill Smith, CIO emeritus at JMT Engineering and currently a Strategic Advisor at Enabling, agreed that “Sometimes, there is a disconnect between IT leadership and senior management regarding the organizational risk to cyber events and ransomware.”
Are Executives Overconfident?
There is data behind this disconnect. The (ISC)² Ransomware Study polled 750 U.S. and U.K. C-Suite executives with titles such as CEO, CFO, CIO, COO and General Counsel. ((ISC)² is the international non-profit behind the CISSP certification.) The title of (ISC)²’s chart asks a compelling question, shown below.
In short, business leaders are confident in their organization’s preparedness for ransomware attacks. In fact, despite the headlines, executives are, on the whole, more bullish than they were before the 2021 attacks!
IT isn’t so Bullish
Meanwhile, Mimecast’s State Of Ransomware Readiness: Facing The Reality Gap report, a survey of IT and infosec professionals, told a different story. Mimecast surveyed 742 global CISOs, CIOs, VPs, and directors of IT. 61% of respondents acknowledged that their business had been interrupted by ransomware; they reported six days of downtime on average, and for 37% it was a week or more.
A Deloitte survey of C-Suite executives showed that even though ransomware is their #1 concern, only a third have gone through a tabletop or simulated exercise to test their organization’s readiness. Which raises the question: how can such organizations be confident at all?
Our Own Polls Show a Similar Disconnect
This disconnect is also evident from Enabling’s own polls on this matter. We specifically asked IT and security professionals to compare their own confidence against their perception of their C-Suite’s confidence.
The results show the difference between how business leaders feel about their organization’s readiness to deal with ransomware, versus the Infosec Pro’s confidence. The difference is shown below.
The first chart shows that 45% of IT and SecOps pros are comfortable with their organization’s protection against ransomware. The second chart shows how those same IT and SecOps pros perceive their business leaders’ confidence: 72% say their business leaders feel comfortable that the IT department has things handled.
The Heart of the Matter: Communication
Why are business leaders so much more confident than their IT peers, a 27-point gap? Perhaps, simply by having had a discussion with IT (as the White House’s Executive Order urged), they assume it’s being handled.
Bill Smith, CIO Emeritus and Strategic Advisor, gave his explanation. “Sometimes it boils down to poor communications. IT staff too often speak their own language full of jargon. Senior management get lost in the jargon, their eyes glaze over and they disengage in the conversation.”
How should a CISO make that conversation most productive? Smith suggests framing the message in the context of business risk.
- What is the risk (stated clearly)?
- What is the probability of the risk occurring?
- What is the potential impact of the risk?
- What is recommended to address and mitigate the risk?
- What resources are required to address and mitigate?
Good communication requires sending a clear, jargon-free message, and then ensuring the other party receives and comprehends the intended message, explained Smith. He warned, “I have seen that IT staff gets frustrated with senior management complaining ‘they don’t get it’. I have seen IT staff blame senior management and [when there’s a breach] put responsibility on senior management for their not ‘getting it.’”
The Ostrich Principle
Smith sees misalignment for another reason. Some business leaders assume “We are not a target,” believing that cyber criminals deliberately single out specific companies. “IT leadership is responsible for educating their senior management that many cybercrimes are opportunistic,” Smith advises. “CISOs must provide stories and examples to educate senior management and all employees.” One massive example is the damage done to Maersk and FedEx in 2017 after Russia’s cyberattack, originally aimed at Ukraine, spread globally. You may remember it as NotPetya (a name best left out of the boardroom conversation, along with the rest of the jargon).
The Moment of Truth
IT leadership owns the responsibility to ensure their messages and recommendations regarding business risks are received and understood. Smith cautions, “If senior management doesn’t acknowledge they understand, then it is IT leadership’s responsibility to make another attempt by changing up the communications.”
Then, Smith says, the business has the ball. “Once IT leadership is confident that senior management clearly understands the organization risks and preparedness, it is senior management’s decision regarding actions the organization is to take,” he suggested. “IT then executes senior management’s decision.”
If business leaders are 27 points more confident than their IT peers, what can IT do to narrow the gap?
- Overcommunicate before it’s too late, and thoroughly plan your recovery now! (ISC)² couldn’t have said it any better: “If cybersecurity professionals feel their C-suite is overconfident about ransomware, it’s time to speak up and deliver a dose of reality.”
- IT leadership must be vigilant and persistent in its efforts to inform and educate the entire organization regarding cyber risks, safe computing habits and the need for a Zero Trust strategy.
- Since technology, cyber risks, and business risk are in a constant state of flux, IT leadership has a responsibility, and needs the courage, to continuously update senior management as the landscape shifts.
- Talk about risk in dollars and cents. Cyber insurance pricing in the United States rose by 96% in the third quarter of 2021, and 204% year-over-year (Marsh).
- Discuss the prevalence and cost of ransomware in your specific industry.
- Leverage all of the above to get funding. Unless significant budgets are allotted to people, technology, and training, IT and SecOps pros will keep feeling exposed.