{"id":4406,"date":"2025-08-18T09:00:00","date_gmt":"2025-08-18T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4406"},"modified":"2025-08-18T09:00:00","modified_gmt":"2025-08-18T09:00:00","slug":"25-of-security-leaders-replaced-after-ransomware-attack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4406","title":{"rendered":"25% of security leaders replaced after ransomware attack"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs have a one in four chance of their job surviving a successful ransomware attack, according to a recent Sophos report. The report\u2019s findings are a wakeup call for CISOs regardless of whether they are found at fault or have any meaningful authority to block such attacks, industry experts say.<\/p>\n<p>\u201cThat stat isn\u2019t surprising, but it reflects a growing frustration at the board level when the security function fails to deliver results, regardless of how fair that judgment may be,\u201d contends <a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\">Erik Avakian<\/a>, technical counselor at the Info-Tech Research Group. \u201cEven if the attack came from factors outside of their direct control, there\u2019s still an expectation from stakeholders that [CISOs] need to be able to prevent any worst-case scenario.\u201d<\/p>\n<p>Avakian adds that the move to oust a CISO after a ransomware attack is sometimes necessary and appropriate, but companies often jump to termination decisions too quickly.<\/p>\n<p>\u201cFiring the CISO might seem like a necessary reset for CIOs or boards, but it\u2019s not always a strategic move. 
If the incident response plan was followed, the detection tools worked, and recovery was within SLAs, then replacing the CISO often sends the wrong message internally,\u201d Avakian maintains. \u201cIt shows that the security role is more about optics than substance. But if basic hygiene was neglected \u2014 such as with no segmentation, no backups, no tabletop exercises \u2014 then change might be justified.\u201d<\/p>\n<p><a href=\"https:\/\/my.idc.com\/getdoc.jsp?containerId=PRF004767\">Frank Dickson<\/a>, group VP for security at IDC, agrees with Avakian\u2019s assessment, but adds that some CISOs leave of their own volition after a ransomware attack, leading to higher replacement numbers.<\/p>\n<p>\u201cAddressing a ransomware event is extremely taxing. A security person may choose to leave due to burnout or be asked to leave due to conflict that results from the remediation process rather than the attack itself,\u201d Dickson says.<\/p>\n<h1 class=\"wp-block-heading\">A question of authority<\/h1>\n<p>Dickson also argues that <a href=\"https:\/\/www.csoonline.com\/article\/3602722\/the-ciso-paradox-with-great-responsibility-comes-little-or-no-power.html\">CISO authority<\/a> should come into play. If decisions are made at the line-of-business (LOB) level \u2014 and potentially against the CISO\u2019s advice \u2014 does it make corporate sense to blame the CISO?<\/p>\n<p>Some \u201cpresume that a ransomware attack is the fault of the CISO,\u201d he says. \u201cThe CISO is a leader, but not <em>the<\/em> leader. Breaches are the result of a pattern of decisions of many.\u201d<\/p>\n<p>Info-Tech\u2019s Avakian compares such a corporate reaction to a homeowner blaming the fire department if their house burned down due to the homeowner\u2019s fault.<\/p>\n<p>\u201cWhen was the last time you saw a fire department captain fired or their team blamed for a fire starting? 
They are the ones who responded, mitigated, educated, and helped minimize the future risk of fire occurrence,\u201d Avakian says. \u201cSee this [security] team over there, including your CISO? They are your firefighters. They have your backs and are here to help whenever there is an incident.\u201d<\/p>\n<p>Dickson also stresses that many enterprise business units \u2014 even some CEOs and COOs \u2014 will sidestep CISOs by deliberately not inviting them to key meetings, out of the fear they will slow down certain business processes.<\/p>\n<p>\u201cThey will actively decide to not include Security,\u201d Dickson says. \u201cI tell [those executives], \u2018If you don\u2019t want your CISO, someone else will.\u2019\u201d<\/p>\n<p>The <a href=\"https:\/\/assets.sophos.com\/X24WTUEQ\/at\/9brgj5n44hqvgsp5f5bqcps\/sophos-state-of-ransomware-2025.pdf\">Sophos report<\/a> said post-ransomware forensic investigations often discover problems that the CISO missed or should have known about.<\/p>\n<p>\u201cFor the third year running, victims identified exploited vulnerabilities as the most common root cause of ransomware incidents used to penetrate organizations in 32% of attacks overall. Compromised credentials remains the second most common perceived attack vector, although the percentage of attacks that used this approach dropped from 29% in 2024 to 23% in 2025,\u201d according to the report. 
\u201cEmail remains a major vector of attack with 19% of victims reporting malicious email as the root cause and a further 18% citing phishing \u2014 a notable jump from last year\u2019s 11%.\u201d<\/p>\n<p><a href=\"https:\/\/www.sophos.com\/en-us\/contact\/chester-wisniewski\">Chet Wisniewski<\/a>, a Sophos director and global field CISO, said the company\u2019s research showed that 40% of respondents said the ransomware attack stemmed from \u201ca known gap that we had not addressed.\u201d<\/p>\n<p>\u201cThat\u2019s a pretty tough thing to survive if you have a multimillion-dollar event on your hands,\u201d he says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs have a one in four chance of their job surviving a successful ransomware attack, according to a recent Sophos report. The report\u2019s findings are a wakeup call for CISOs regardless of whether they are found at fault or have any meaningful authority to block such attacks, industry experts say. 
\u201cThat stat isn\u2019t surprising, but [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4407,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4406","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4406"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4406"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4406\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4407"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4406"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4406"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4406"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}