Can CISOs Cope With The Growing Pressure of Ransomware Attacks?

The role of the Chief Information Security Officer (CISO) in businesses today cannot be underestimated. The gatekeepers for protecting corporate data, systems and networks against threats like ransomware attacks, the role of the CISO has grown in recent years as threats grow in number and become increasingly complex.


While not every business is fortunate enough to have a senior security executive, those that do rely heavily on their expertise and knowledge of the changing threat environment, while they in turn need to be able to communicate to all levels of the business, including the Board.

A recent survey by executive search firm Heidrick & Struggles suggests that CISOs are struggling to cope with an ever-changing job spec and the exacting demands of the job. According to the findings, stress and burnout are the most significant personal risks CISOs face in relation to their job.

We’re starting to see these ‘burnout’ headlines more and more in the media with some very senior security professionals leaving after just a few months in the job. Given we are facing a significant skills shortage in the industry overall, this is not ideal.

Our own survey of security decision makers in the UK and US seems to back this up. Perhaps most concerning is the fact that they worry more about employees ignoring corporate security advice and clicking on links or attachments containing malware (46%) than about losing their job (26%).

With a shift to remote and hybrid working over the past couple of years this is no surprise. Employees are a company’s biggest risk and weakest link.

This move to new ways of working has expanded the attack surface of businesses, with many staff still trying to adapt to a model that means the growing use of cloud applications, collaboration tools and online resources, which means working most of the time in the web browser. This opens the business up to new vulnerabilities, attack vectors and entry points for cyber criminals.

For CISOs however, it’s more complex than this. Our report shows that ransomware attacks are  also a growing concern. The survey found that one third of businesses now experience a ransomware attack at least once a week, while one in 10 experience them more than once a day.

Ransomware attackers are constantly developing more and more advanced techniques to increase the likelihood of successfully demanding a ransom payment. There has been a surge in a class of threats known as Highly Evasive Adaptive Threats, or HEAT, that are designed to bypass detection by traditional security tools such as Secure Web Gateways and phishing detection solutions.

There’s a real sense of frustration about how to cope with the challenges of protecting businesses and employees against this barrage of ransomware attacks. Security professionals admit they worry about such ransomware attacks evolving beyond the knowledge and skills of their team, as well as beyond the company’s security capabilities.

According to the survey they also worry about ransom demands and how best to deal with them. While two-thirds (65%) of respondents say they would pay a ransomware demand, around a third (31%) say it’s down to their insurance company to pay it, and nearly one in five say the government should pay. More than a quarter (27%) say they would never pay a ransomware demand.

They may have cause to worry about payment should the worst happen. Industry figures suggest there is an alarming disparity between the perceived cost and actual cost of recovering from a ransomware attack among security professionals. Our survey shows that the average perceived cost is $326,531, with insurance pay-outs extending up to an average of $555,971. However, industry figures show the average total cost of recovery from a ransomware attack in 2021 was $1.4 million.

With current insurance pay-outs unable to cover even half of the average cost to recover from ransomware, many firms could suffer serious financial consequences if they are hit. What’s more alarming is that a quarter of businesses cannot say with certainty that they have cyber insurance.

Operating on the frontline of cybersecurity, CISOs are coming under huge levels of stress, so it’s little surprise that these decision makers are prioritising the business’s concerns over that of their own job. We can expect the burnout and high churn rate of CISOs to continue unless things change.

Such concerns are not conducive for an effective security environment. Current approaches will need to change, shifting towards empowering CISOs with the right tools, technologies, and solutions to reduce operational burdens and provide greater peace of mind. This in turn will free up security leaders to focus on important tasks and delivering high-value projects effectively.

Mark Guntrip, Senior Director of Cybersecurity Strategy at Menlo Security

Menlo Security report: