VP, Information Security and Technology Risk
Federal Home Loan Bank of New York
Vice President and Global CISO
Senior Manager, Global Information Security
Chief Information Security Officer
Experts warn that we are experiencing a “golden age” for ransomware. With new attacks reported almost daily, the pressure is on for CISOs to protect against sophisticated networks and Ransomware-as-a-Service (RaaS) schemes. In addition, security leaders must manage stakeholder communications and expectations and outdated security mindsets within their own organizations.
CISOs in the New York community gathered recently to discuss ransomware attacks and exchange lessons learned with their peers from recent high-profile attacks. Advisory CISO Helen Patton of Cisco kicked off the discussion by noting that ransomware is gaining in visibility in non-security spaces. This means that other leaders, stakeholders and customers are hearing about attacks – and not all of the information is accurate. Patton said that it can be unclear which part of the problem belongs to technology and which part belongs to non-technology business processes.
Ransomware threatens the entire business, not just the data or security teams.
Patton also explained that federal policymakers are recommending that Board members include someone who is considered a technology and security expert. Boards, in general, are moving away from the idea that security is a technology problem and recognizing that security is its own risk to the business, requiring specific focus and expertise. She posed two ideas to the CISO group to consider: how to help Boards understand ransomware in the context of all other risks and how to help Boards understand that this risk can’t just be transferred to insurance, unlike some other risks.
To Pay or Not to Pay?
The group agreed that their default response during a ransomware attack is not to pay, while leaving open the possibility that they might have to. Some mentioned that CISOs should “work through the process” of how to pay in order to be prepared. They agreed that if you have a written policy in place, figuring out how to make such a payment should be included in it.
The discussion groups also talked about when you can’t pay, such as to a sanctioned group. The attack could also be from a small, bad actor pretending to be big, with one CISO noting that “there is a lot of impersonation out there.”
CISOs also talked about the struggle to attribute the attack, and one executive mentioned that there are several vendors that provide response and negotiation services that can help buy your organization some time to figure out attribution.
Several leaders weighed in on the fact that deciding whether or not to pay is a business decision, not a security decision. The role of the CISO is to put the decision into context and serve as the subject matter expert on the security situation. One executive said to take the opportunity to show yourself as a leader and make sure you are in the room when the discussion is taking place — but ultimately, the ownership of the decision belongs to the organization’s leadership team.
How to Prepare the Organization
The CISOs in attendance also discussed how to prepare for ransomware attacks and whether or not they had conducted tabletop exercises. One suggested having an executive leadership tabletop, rather than a technical one. Another said that sometimes executives participate “grudgingly” but that attitudes seem to be changing toward the exercises.
Some of the CISOs had actually run the exercises, while others said that they had at least run some sort of simulation in a test environment. A few noted that executives want answers, such as how quickly the organization could recover from an attack, but you really cannot provide accurate answers without running through the scenarios. Another said to keep the communication platform in mind and plan for the possibility that your primary form of communication could be disabled.
Key Takeaways from the Discussion
- Most CISOs have prepared their Boards and leadership teams never to pay a ransom, but it’s worth reviewing multiple scenarios – including double extortion threats – to determine under what circumstances you might have to pay.
- CISOs recommend inviting board members to participate in tabletop exercises, and rotating who takes the ‘hot seat’ as the incident response leader.
- During an incident, the CISO’s role is to show up as a leader and subject matter expert and to provide strategic direction and recommendations to the executive team.