
5 Key Points When Educating Executives on Ransomware


Briefing executives on ransomware, or presenting on it in the boardroom, can be a challenging and sometimes daunting task for cybersecurity leaders. These conversations require translating a complex threat landscape into relatable, understandable terms. Navigating them successfully means building trust and shifting the focus from simply emphasizing the threats the organization faces to delivering a clear, actionable message that aligns with the organization’s priorities.

Here are 5 key talking points you can use to help deliver a concise and impactful message to your leadership and board.

1. Leave out the technical terminology and focus on the business impact ransomware presents


What exactly are non-technical executives interested in? They likely don’t want to hear about new encryption algorithms, a microsegmentation strategy or the MITRE ATT&CK framework techniques that threat actors use to carry out ransomware attacks. Instead, focus on the risks that could directly impact the organization and ultimately hurt the bottom line.

  • Highlight risk with real-world examples and industry data

    • Use previous ransomware attacks on other organizations within your industry to emphasize the factors that can influence the cost of the ransomware attack such as organizational downtime, recovery costs, legal fees and reputational damage.
    • For organizations that have regulatory or compliance considerations, describe the potential ramifications from a compliance perspective that a successful ransomware attack may have, or has had on other organizations.
    • While using real-world or data-driven examples may incite fear and uncertainty within the organization, this is a great time to engage with executive leadership on how to address these issues. For ongoing insights into ransomware trends and other cyber threats, we share expert analysis and updates through our Threat Intel Newsletter.
  • Use critical operational services to help drive home the point

    • Describe the impact that downtime for a critical system or service would have on the organization. This could be anything from being unable to provide services or a product to customers, to failing to meet key deadlines or to communicate effectively with business partners.
  • Don’t overlook the importance of reputational damage

    • History is littered with examples of a company’s share price plummeting after news breaks of a ransomware attack. However, share prices are not the only talking point to bring up. Key partners may lose trust in your ability to provide the service you have promised, ultimately leading to losing customers to industry competitors. When it comes to ransomware, the saying “no publicity is bad publicity” couldn’t be further from the truth.

2. Make sure the cybersecurity strategy you are delivering is clear and to the point


Executives are busy individuals, and finding time on their calendars can be a difficult proposition in itself. Cybersecurity leaders need to make sure they use the valuable time they are given to present a strategy that is concise (and won’t make their audience’s eyes glaze over).

  • Provide measurable, achievable and impactful goals. Here are a few examples to consider:

    • Describe how a new security tool investment could reduce the mean time to detect (MTTD) and respond (MTTR) to a potential ransomware event by “X” amount of time.
    • Explain how performing more frequent phishing simulations can increase awareness and decrease the likelihood a ransomware attack occurs through an employee interacting with a malicious email.
  • Prioritize key cybersecurity program initiatives and how they address the risk ransomware poses

    • What are the top threats to your organization, and how does your roadmap effectively address them? Make sure that this is presented in a way that can be clearly understood.
    • Use industry-recognized security frameworks to your advantage (e.g., NIST CSF, ISO 27001, CIS). Describe how you align with these frameworks and the gaps that have been identified.
    • Don’t miss out on an opportunity to highlight the ROI of a cybersecurity investment. For example, when it comes to ransomware, you could focus on areas such as cost savings due to reduced downtime or being able to prioritize resources for other key initiatives.

3. Emphasize the importance of establishing a proactive cybersecurity program against ransomware


An important point to drive home to your executive team and board is that cybersecurity is not a one-time fix. As trends, threats and risks change, cybersecurity programs need to remain agile and shift with them. Ransomware is no different: threat actors are continuously improving their attack capabilities and techniques, and your organization needs to keep pace to combat them.

  • When it comes to ransomware, it’s easier to focus on and talk about the negative aspects of a ransomware attack (the news doesn’t report on a company successfully preventing ransomware). These discussions with executives and the board present a great opportunity to highlight the successes and the progress that has been made within your program. It’s important to shed a positive light on the milestones the cybersecurity program has hit as a way to build trust and confidence in future initiatives.
  • Be clear on the “why” aspect of the program. As security leaders, the need for additional resources or an investment in the cybersecurity program to protect against ransomware may be obvious, but for those who are not in the trenches every day, it may not be. For example, you can point back to a previous risk assessment or gap analysis to justify the importance of addressing those pitfalls and how they can help protect against ransomware.

4. Be honest and transparent on the current status of your organization’s cybersecurity posture


While we mentioned previously the importance and benefits of highlighting the strengths of the cybersecurity program, sometimes a tough conversation needs to be had about the failures or weaknesses of the program as well. Use lessons learned from past failures or missteps to continue to build trust in the program.

  • Build out key performance indicators (KPIs) to help tell the story of the cybersecurity program over time. Providing visual aids can go a long way in tracking and demonstrating the successes and challenges within the program. Tie these KPIs back to the risk ransomware presents and the critical areas that show room for improvement.
  • Use KPIs to showcase the current effectiveness of security investments, or on the flip side, help justify the need for additional investments into the cybersecurity program.
  • Emphasize the fact that cybersecurity is an organizational initiative. Specifically for ransomware, engage with the executive team to get their input on response plans and how to effectively navigate the crisis management aspect of a ransomware attack. If conducting an incident response tabletop exercise, invite members of the executive leadership team to participate or observe the exercise to gain a better understanding of the importance of their role during a ransomware attack.

 

5. Focus on actionable steps you can take to help bolster your cybersecurity program


Executive leadership teams are interested in hearing solutions to problems that have been identified. Use this as an opportunity to discuss the risks of ransomware, and more importantly, how you plan to address them.

  • Be concise on the resources or investments you are asking for to address the issues

    • Your budget requests should outline the costs associated with key initiatives, such as personnel, technology, and training.
    • Justify these requests by demonstrating the potential return on investment (ROI).
  • Provide a call to action for the executive team and board

    • Ensure they know that by approving the requests you have made, they are enabling you to bolster the organization’s cybersecurity posture to protect against ransomware.
  • Always justify your stance in terms of business value

    • Emphasize how continuous improvement to the cybersecurity program will help to protect the organization’s assets, maintain a high standing reputation and contribute to the overall business goals.

How can a ransomware assessment help lead the conversation?

Maturity assessments, risk assessments and gap analyses are all great tools for identifying the strengths and weaknesses of the overall cybersecurity program. A ransomware assessment provides a more targeted view of your program by focusing specifically on your organization’s resilience against ransomware threats. Performing an assessment through the lens of ransomware provides the following benefits:

  • Identification of the potential impact a ransomware attack could have on your organization and its critical assets
  • Insight into the tactics and techniques that threat actors are employing to carry out ransomware attacks against your organization’s industry or vertical
  • Development of a strategy and roadmap for bolstering protections and safeguards against ransomware
  • A proactive approach to addressing potential gaps in your organization’s ransomware prevention, detection and recovery capabilities
  • A resource to further educate key stakeholders within the organization about the threat of ransomware

How can K logix help?

Here at K logix we offer an in-depth ransomware assessment that evaluates your organization through the lens of ransomware and the potential impact a successful attack may have. With our assessment, you gain a deeper understanding of your organization’s current cybersecurity program maturity, and the strengths and weaknesses of your ransomware preparedness, response, and recovery capabilities.

 
