In the United States, the White House has floated the idea of a total ban on ransomware payments, a move that could change the role of a company’s chief information and security officer (CISO), says one expert on corporate information security.
Such a ban would, “for the first time…elevate the cybersecurity conversation to the CEO, the CFO (chief financial officer), and the board,” writes Gary Barlet in a blog for Harvard Business Review. “It won’t just be the CISO stuck holding the bag when a cyberattack happens.
“It would be an unprecedented broadening of cybersecurity awareness and reckoning, with the federal mechanisms in place to hold the culpable accountable, across all of business.”
Barlet, a former company CISO, quipped that the role of a CISO has recently been interpreted to be the “chief scapegoat officer,” a lamb to be sacrificed by the company whenever a cyber breach occurs.
“Is this fair? Principally, no,” Barlet writes. “But in practice, this is what typically happens: A breach occurs, often due to some kind of misconfiguration or lax security practice within the organization or a third-party software provider, and, to save face with customers (and the board), a new CISO is swapped in for the old.”
In a new report, IBM estimates the global average cost of a data breach in 2023 was US$4.45 million, a 15% increase over three years.
Given the rise in ransomware attacks, the White House has floated the idea of banning ransomware payments entirely as a means to prompt companies to show a greater awareness of cybersecurity. One effect of the ban would be to extend responsibility for breaches further than just the CISO, who often wears dual hats (i.e., CIO and CISO), and whose department is underfunded.
The move comes after Uber’s chief security officer Joe Sullivan was convicted in May for covering up the severity of Uber’s 2016 cyberattack after paying cybercriminals $100,000 in hush money to keep the breach under wraps. “A survey this year found that 62% of CISOs are worried that when a breach occurs, they’ll be held personally accountable,” Barlet writes.
Banning ransomware payments is guided by a basic principle: If the incentive for demanding ransomware payments is reduced, that would lead to fewer ransomware attacks. Beyond that, the ban would have a dual effect, Barlet predicts.
On the one hand, responsibility for cyber breaches would extend beyond the CISO to all C-suite members, pushing them to step up security against a cyber breach.
“By broadening the scope of responsibility for cyber and ransomware attacks, CEOs and CFOs will be incentivized to spend more on cybersecurity proactively,” Barlet writes. “Not just when they have to, or after a breach occurs, but before a cybersecurity oversight can lead their company to lose data for millions.”
The broadened accountability would come from the fact that the C-Suite, not just the CISO, would play an oversight role to make sure illegal ransomware payments had not been made to hide the cyber breach.
Also, governments and public agencies are not allowed to negotiate with terrorists. A ban on ransomware payments would align the public and private sectors. If governments are not allowed to negotiate with terrorists, as Barlet observes, why would that be different for cyber-terrorists demanding ransomware payments?