25% of security leaders replaced after ransomware attack

CISOs have a one in four chance of their job surviving a successful ransomware attack, according to a recent Sophos report. The report’s findings are a wake-up call for CISOs regardless of whether they are found at fault or have any meaningful authority to block such attacks, industry experts say.

“That stat isn’t surprising, but it reflects a growing frustration at the board level when the security function fails to deliver results, regardless of how fair that judgment may be,” contends Erik Avakian, technical counselor at the Info-Tech Research Group. “Even if the attack came from factors outside of their direct control, there’s still an expectation from stakeholders that [CISOs] need to be able to prevent any worst-case scenario.”

Avakian adds that the move to oust a CISO after a ransomware attack is sometimes necessary and appropriate, but companies often jump to termination decisions too quickly.

“Firing the CISO might seem like a necessary reset for CIOs or boards, but it’s not always a strategic move. If the incident response plan was followed, the detection tools worked, and recovery was within SLAs, then replacing the CISO often sends the wrong message internally,” Avakian maintains. “It shows that the security role is more about optics than substance. But if basic hygiene was neglected — such as with no segmentation, no backups, no tabletop exercises — then change might be justified.”

Frank Dickson, group VP for security at IDC, agrees with Avakian’s assessment, but adds that some CISOs leave of their own volition after a ransomware attack, leading to higher replacement numbers.

“Addressing a ransomware event is extremely taxing. A security person may choose to leave due to burnout or be asked to leave due to conflict that results from the remediation process rather than the attack itself,” Dickson says.

A question of authority

Dickson also argues that CISO authority should come into play. If decisions are made at the line-of-business (LOB) level — and potentially against the CISO’s advice — does it make corporate sense to blame the CISO?

Some “presume that a ransomware attack is the fault of the CISO,” he says. “The CISO is a leader, but not the leader. Breaches are the result of a pattern of decisions of many.”

Info-Tech’s Avakian compares such a corporate reaction to a homeowner blaming the fire department if their house burned down due to the homeowner’s fault.

“When was the last time you saw a fire department captain fired or their team blamed for a fire starting? They are the ones who responded, mitigated, educated, and helped minimize the future risk of fire occurrence,” Avakian says. “See this [security] team over there, including your CISO? They are your firefighters. They have your backs and are here to help whenever there is an incident.”

Dickson also stresses that many enterprise business units — even some CEOs and COOs — will sidestep CISOs by deliberately not inviting them to key meetings, out of the fear they will slow down certain business processes.

“They will actively decide to not include Security,” Dickson says. “I tell [those executives], ‘If you don’t want your CISO, someone else will.’”

The Sophos report said post-ransomware forensic investigations often discover problems that the CISO missed or should have known about.

“For the third year running, victims identified exploited vulnerabilities as the most common root cause of ransomware incidents used to penetrate organizations in 32% of attacks overall. Compromised credentials remain the second most common perceived attack vector, although the percentage of attacks that used this approach dropped from 29% in 2024 to 23% in 2025,” according to the report. “Email remains a major vector of attack with 19% of victims reporting malicious email as the root cause and a further 18% citing phishing — a notable jump from last year’s 11%.”

Chet Wisniewski, a Sophos director and global field CISO, says the company’s research found that 40% of respondents attributed the ransomware attack to “a known gap that we had not addressed.”

“That’s a pretty tough thing to survive if you have a multimillion-dollar event on your hands,” he says.
