How a Federal Ban on Ransomware Payments Could Help CISOs

Chief information security officers often take the fall after a breach. New rules could change that.

by

Gary Barlet

by

Gary Barlet

August 04, 2023

Jeffrey Coolidge/Getty Images

Summary.

The White House is considering a ban on ransomware payments, which could change the chief information and security officer (CISO) job. The ban would would elevate the cybersecurity conversation to the CEO, the CFO, and the board, and potentially end the practice of scapegoating CISOs when a breach happens. This is a significant shift: after Uber’s former chief security officer was convicted for his role in covering up a 2016 cyberattack, CISOs had more reason to worry of the personal liability that came with the job. Here’s how companies should prepare for this new landscape right now: prepare for the worst, make senior leadership own the cybersecurity conversation, and test their security posture and regularly audit internal processes and employee security training to pinpoint gaps in cyber readiness.

Chief information security officer (CISO) burnout has been a problem in the industry for the better part of the past decade, and it seems to only be getting worse. With cyberattacks on the rise, managing wider and more complex attack surfaces, and mounting pressure to do more with tighter budgets, it’s no wonder three in four CISOs in the U.S. report feeling burned out. CISOs today aren’t just juggling resources — they’re in dual CIO/CISO roles in an effort to streamline strategy and further cut costs. And when security breaches and ransomware attacks occur, CISOs often automatically shoulder the blame.

New!

HBR Learning

Digital Intelligence Course

Accelerate your career with Harvard ManageMentor®. HBR Learning’s online leadership training helps you hone your skills with courses like Digital Intelligence . Earn badges to share on LinkedIn and your resume. Access more than 40 courses trusted by Fortune 500 companies.

Excel in a world that's being continually transformed by technology.

Start Course

Learn More & See All Courses

GB

Gary Barlet is the Federal Chief Technology Officer at Illumio, where he is responsible for working with government agencies, contractors and the broader ecosystem to build in Zero Trust Segmentation as a strategic component of the government Zero Trust architecture. Previously, Gary served as the Chief Information Officer for the Office of the Inspector General, United States Postal Service; Chief of Ground Networks for the Air Force CIO; and Chief of Networks for the Air National Guard CIO, where he was responsible for information technology policy and providing technical expertise to senior leadership.

New!

HBR Learning

Digital Intelligence Course

Accelerate your career with Harvard ManageMentor®. HBR Learning’s online leadership training helps you hone your skills with courses like Digital Intelligence . Earn badges to share on LinkedIn and your resume. Access more than 40 courses trusted by Fortune 500 companies.

Excel in a world that's being continually transformed by technology.

Start Course

Learn More & See All Courses

How a Federal Ban on Ransomware Payments Could Help CISOs

Partner Center

Explore HBR

HBR Store

About HBR

Manage My Account

Follow HBR