
CISOs Weigh Ransom Payments Amid Ransomware Resilience Gap


“58% of CISOs would realistically think about paying the ransom,” the report found — a stark number that frames the trade-offs security leaders say they face when ransomware locks enterprise systems.

CISO willingness to pay: 58% overall; 63% in the US, 47% in the UK

Absolute Security’s survey, published on May 13 and titled The Ransomware Reality: Zero Days to Recover, reports that 58% of chief information security officers would consider paying a ransom demand to end an incident and restore encrypted systems more quickly. The willingness to contemplate payment varies by geography: 63% of CISOs in the United States said they would consider paying, compared with 47% of CISOs in the United Kingdom.

Absolute Security suggested several explanations for the UK’s greater reluctance: “a combination of stronger legal guidance discouraging payment, GDPR complexities around data theft and extortion and lower confidence that payment will result in data recovery” were all cited as reasons for the gap between the two countries.

Operational downtime tops the list of impacts

When asked which consequences would matter most in a ransomware event, the CISOs surveyed ranked operational downtime as having the single most significant impact on their organization. Other named concerns included data loss, reputation damage, financial loss and regulatory penalties. The report captures a calculus familiar to security leaders: prolonged outage can cause immediate, quantifiable harm that pressures decision-making in the heat of an incident.

Christy Wyatt, president and CEO of Absolute Security, framed that tension plainly: “It is not surprising to learn that despite regulatory pressure, security and risk leaders remain open to paying a ransom to recover their systems and protect data when considering that prolonged downtime can lead to unsustainable losses.”

Confidence in recovery does not match measured recovery times

The survey finds a notable disconnect between belief and experience. Some 83% of respondents said they were confident their organization would be able to quickly recover from a ransomware attack. Yet among CISOs who had experienced an attack, 57% reported it took up to a week to restore systems and a further 20% said it took up to two weeks. None of the CISOs surveyed said their organization was able to recover within 24 hours.

Absolute Security characterizes that mismatch — high confidence paired with slower-than-expected restoration — as “the defining ransomware challenge of this moment.”

Absolute Security’s prescription: resilience, governance, and organizational readiness

The report concludes with a clear admonition to organizations: they must be committed to resilience and must build the “infrastructure, governance and organizational conditions that allow them to absorb disruption and recover at speed.” The vendor’s chief executive warned of a worsening cycle if organizations fail to harden recovery: “CISOs who build systems that can quickly restore continuity after disruptive attacks can avoid getting trapped in a cycle which will only grow alongside cybercriminals’ increasing use of AI-powered attacks,” said Wyatt.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams — The survey spotlights the operational focus: build restoration capability and reduce downtime. The data in the report imply that faster recovery, rather than simply relying on negotiation, is the lever CISOs point to when weighing payments.
  • Policymakers and regulators — The UK’s lower reported willingness to pay is linked in the report to “stronger legal guidance discouraging payment” and GDPR-related complexities; regulators should expect these legal and compliance frameworks to influence incident response choices.
  • Affected enterprises and procurement leaders — Absolute Security’s warning to invest in “infrastructure, governance and organizational conditions” frames procurement and budgeting decisions: resilience has to be treated as an operational requirement that mitigates the pressure to make rapid, high-stakes payment decisions during an outage.

The figures come from responses by 750 CISOs across the United States and United Kingdom, collected by independent polling provider Censuswide for Absolute Security. The choice many CISOs say they would make under duress — to pay or not to pay — reflects immediate commercial pressures as much as legal and ethical ones. The report leaves a pointed challenge in its final lines: will organizations translate that stated confidence into the systems and governance that shorten recovery from days and weeks to hours?

Read the original Absolute Security report summary at Infosecurity Magazine