How a Federal Ban on Ransomware Payments Could Help CISOs

Source: https://hbr.org/2023/08/how-a-federal-ban-on-ransomware-payments-could-help-cisos

August 04, 2023
Jeffrey Coolidge/Getty Images
Summary. The White House is considering a ban on ransomware payments, which could change the chief information security officer (CISO) job. The ban would elevate the cybersecurity conversation to the CEO, the CFO, and the board, and potentially end the...

Chief information security officer (CISO) burnout has been a problem in the industry for the better part of the past decade, and it seems to only be getting worse. With cyberattacks on the rise, managing wider and more complex attack surfaces, and mounting pressure to do more with tighter budgets, it’s no wonder three in four CISOs in the U.S. report feeling burned out. CISOs today aren’t just juggling resources — they’re in dual CIO/CISO roles in an effort to streamline strategy and further cut costs. And when security breaches and ransomware attacks occur, CISOs often automatically shoulder the blame.

Is this fair? Principally, no. But in practice, this is what typically happens: A breach occurs, often due to some kind of misconfiguration or lax security practice within the organization or a third-party software provider, and, to save face with customers (and the board), a new CISO is swapped in for the old.

Recently, however, the stakes for CISOs have gone up. This May, former Uber chief security officer Joe Sullivan was convicted for covering up the severity of Uber’s 2016 cyberattack after paying bad actors $100,000 to keep the breach under wraps. A survey this year found that 62% of CISOs are worried that when a breach occurs, they’ll be held personally accountable. As the Wall Street Journal explains, “relentless cyberattacks and pressure to fix security gaps despite budget constraints are raising the stress levels of corporate cyber leaders and their worries about personal liability.”

The landscape might be about to change, however. With the White House considering a ban on ransom payments — which for the first time would elevate the cybersecurity conversation to the CEO, the CFO, and the board — it won’t just be the CISO stuck holding the bag when a cyberattack happens. It would be an unprecedented broadening of cybersecurity awareness and reckoning, with the federal mechanisms in place to hold the culpable accountable, across all of business.

Here’s what your business, C-suite, and board members should be thinking about as the White House looks to hold more organizations accountable for lapses in cybersecurity.

The Rise of the “Chief Scapegoat Officer”

Despite a quieter end to 2022, data shows that after the first few months of this year, cybercriminal gangs are already on pace to surpass their earnings from a record-breaking 2021. That means that in 2023, ransomware is poised to be a larger threat to business than ever before.

More ransomware means more problems for CISOs. In the past several years, the attack surface has expanded exponentially. Any IT resource connected to the network or the internet — from applications and laptops to cloud platforms — forms a part of an organization’s attack surface and adds to their level of risk exposure. Additionally, at a time when 80% of organizations rely on multiple public clouds, the threat landscape has never been harder to understand or defend against.

In the greater scheme of things, the CISO role often feels like a losing battle. And funding priorities don’t make the job any easier. Particularly with tighter budgets and in the face of a tougher economy, getting the CEO or CFO to invest in cybersecurity in lieu of other business priorities is easier said than done. I’ve seen the following scenario play out time and time again. The CISO does their due diligence, gathers the data, develops the security strategy, begs and pleads for additional resources, and the funds go toward other business priorities. Or they get a blank check to buy new tools, but no supporting resources to implement them. Three months later, a breach occurs because there was a gap in security and the CISO takes the fall for what is an organizational failure.

In short, the role of the CISO has long been under-resourced and under-valued (something I can attest to as a former CIO), and we’re getting farther away from the days when it was OK to blame a CISO or a CIO for organizational cybersecurity shortcomings.

Organizations need more sophisticated ways of understanding their security and of responding when it fails. Funding priorities and budgeting conversations fall to the CEO, the CFO, and the board, not the CISO. Boards and CEOs need to have clearer processes in place to help them prioritize security spend (at scale and in real time) and hold themselves accountable when they fail to protect their infrastructure in cyberspace. Because up until now, the reality is that they’ve not had to worry about their own feet being held to the fire when cyber disaster strikes — and it’s a lack of resourcing and misaligned business prioritization that’s to blame.

A Ransom Ban Means Broader Accountability

The White House, in collaboration with other global partners through the International Counter Ransomware Initiative, earlier this year floated the ambitious idea of instituting an outright ban on ransom payments. The thinking is that less financial incentive would equal less ransomware (although part of the policy would also likely incorporate some sort of waiver for critical operations and extenuating circumstances).

If the White House moves forward with its ban on ransom payments, it’ll be monumental for several reasons.

One, it’s the first aggressive, definitive action we’ve seen from the White House in addressing the pervasive ransomware problem. According to IBM’s 2022 Cost of a Data Breach Report, breaches caused by ransomware grew 41% from 2021 to 2022, and the average cost of a ransomware attack totaled $4.54 million last year. Bad actors are evolving, refining their tactics and becoming even more effective by the day. It’s clear that what we’ve been doing isn’t working. We need to take a fundamentally different approach, or nothing’s going to change.

Second, by broadening the scope of responsibility for cyber and ransomware attacks, CEOs and CFOs will be incentivized to spend more on cybersecurity proactively. Not just when they have to or after a breach occurs, but before a cybersecurity oversight can cost their company millions in lost data. Say, for example, as a part of this ban, the federal government makes it an SEC requirement for publicly traded companies to report a breach. The IRS would then be able to investigate organizations suspected of “covering up” a cybersecurity incident by paying a ransom, meaning that everyone from the CEO to the CFO to the board would be held accountable for an oversight. Not just the CISO. That broadens the scope of responsibility for cyber incidents immeasurably.

Lastly, while National Cybersecurity Strategies and frameworks (like NIST) provide helpful guidelines for organizations, to combat an aggressive adversary, we need a more assertive stance — articulated and carried out from the top down. The U.S. government’s official stance on dealing with terrorists’ demands is that it does not negotiate with terrorists. Why make an exception in cyberspace? The U.S. needs to adopt the same approach to ransomware, like a national ban for both the public and private sectors — a fundamentally new approach to give us a fighting chance at combatting this growing problem. Because right now, we as a country are failing in cyberspace.

And from the federal government, it’s clear that we need more direct guidance for business leaders, CEOs, and board members to drive greater action and accountability when it comes to cybersecurity.

What This Means for Your Business

With breaches and cyberattacks on the rise, the fact is that modern organizations must prepare to be breached and shore up critical assets accordingly. Here’s how business leaders should be thinking about building cyber resilience now, so they won’t have to make a tradeoff between staying compliant and maintaining operations when a breach occurs.

“Assume breach,” a.k.a. prepare for the worst.

There’s nothing worse than being caught flat-footed when ransomware attacks happen. From financial losses to reputational damage, the business implications are endless. That’s why it’s better for organizations to proactively prepare for when bad actors inevitably breach the perimeter (a side effect of our hyperconnected world).

Business leaders need to ask themselves ahead of time, “What can our organization do to ensure that a breach doesn’t spread across systems? How can we contain the blast radius of an attack? How are we prepared to maintain business operations in the event of a breach?”

Make senior leadership own the cybersecurity conversation.

Cybersecurity doesn’t need to be a technical dialect — anyone can understand it if it’s communicated effectively. Use the universal language of data to underline the value, articulate the business opportunity, and showcase the ROI of prioritizing cybersecurity within your organization — and make sure that cyber conversations are happening across senior leadership teams, the C-suite, and the board now.

Cyber is a collective responsibility, not just the security team’s. Use data to highlight the risks posed by not investing in cyber proactively (e.g., millions of dollars lost in downtime, a loss in public confidence, or a downturn in your market value). Leverage numbers to empower the board and other business leaders to become cyber advocates in their own right — especially as organizations increasingly consider wrapping cybersecurity expertise into board member purviews.

Do your due diligence.

Organizations should be testing their security posture and regularly auditing internal processes and employee security training to pinpoint gaps in cyber readiness. Prioritize implementing incident response programs within your organization, or bring in a third party to help you conduct tabletop exercises, so your entire team (including the business leaders) knows what to do in case of emergency. Remember that cyber resilience is a muscle, and the more that you flex it, the better equipped you’ll be to respond (with minimal business impact) when disaster strikes.

The Road Ahead

I hope that the White House moves forward with its call to ban all ransom payments. Too often the default is for organizations to forgo cyber spend in lieu of other business priorities and then pay the ransom (without reporting it) when an attack occurs. But that’s perpetuating the problem. According to Sophos, nearly half (46%) of organizations hit by ransomware during the past year paid a ransom to recover data.

Ransomware is a self-fulfilling prophecy. If there’s money to be made, then the attacks will continue. Negligent CEOs, CFOs, and boards should be held accountable for the consequences of that tradeoff. And even outside of this ransomware ban, we’re seeing the SEC and other federal agencies crack down on accountability in cyber.

Depending on the requirements and enforcement of this ban, this will be one of the first that makes cybersecurity not just a CISO, CSO, or CIO imperative but a core business issue — which is where it belongs. Otherwise, organizations across industries around the globe will continue hemorrhaging millions to faceless adversaries in cyberspace and we’ll continue to see breaches — and CISOs — being swept under the rug as collateral damage.
