Impact of cybersecurity organizational structure on ransomware outcomes: The most successful models

Last week, we discussed how the organizational structure of your security team can impact ransomware attacks. This week, we delve deeper into how security team structure impacts ransomware attack recovery operations and how day-to-day cybersecurity outcomes are more broadly impacted by organizational structure.

This is based on Sophos's report, Impact of Organizational Structure on Cybersecurity Outcomes. The company commissioned a vendor-agnostic survey of 3,000 IT and cybersecurity professionals who worked at organizations with 100 and 5,000 employees within 14 countries. Part of that survey evaluated the relationship between security team structure and security outcomes and, if so, which structures yielded the best results.

The three models evaluated by Sophos:

Model 1: The IT team and the cybersecurity team are separate organizations (1,212 respondents were in this category)

Model 2: A dedicated cybersecurity team is part of the IT organization (1,529)

Model 3: There is no dedicated cybersecurity team; instead, the IT team manages cybersecurity (250)

For an overview of how organizational structure affected ransomware impact, look at last week's post here.

As noted by Sophos, there are two primary ways to restore data encrypted by adversaries: use your backups or pay the ransom to get the decryption key. Interestingly, the study found a considerable difference between the three models, the propensity to pay the ransom and how much they pay.  

First, the good news is that 80% of organizations within those enterprises where the cybersecurity team is part of the IT team were able to back up and recover their encrypted data. That's the way it should be done. Organizations that don't have a dedicated cybersecurity team also faired very well, with 76% saying they should recover from their backups. Both groups reported the lowest percentage of survey participants paying a ransom, at 37% and 35%.  

The news isn't as good for those organizations where the IT and the cybersecurity teams are separate. This many years into the ransomware pandemic, one would hope all 4these organizations would have recoverable backups. We covered some of the basics of successful ransomware attack recovery last winter. Among these model 1 organizations, just 60% could use backups to recover encrypted data. This group was also 58% likely to pay the ransom to regain their data. As the Sophos report authors said, low ransomware resilience is one of the most notable differentiators for these model 1 organizations.

And with that low resilience, it's not surprising that model 1 organizations also paid much higher ransoms to ransomware gangs. Their median payment was reportedly more than double that of models 2 and 3. For organizations following model 1, the median ransom payment was $935,600. At the same time, model 2 and 3 organizations reported average ransoms of $320,167 and $350,000.

The faster an organization can recover from a ransomware attack, the better. Over half (54%) of the model 2 organizations fully recovered within a week, compared with 37% of those following model 1 and 35% of those following model 3.

In addition to any ransom paid, many other recovery costs are associated with recovering from a ransomware attack. These can include downtime, higher insurance premiums, reputational damage, recovery efforts, etc. In addition to any ransom paid, model 1 organization reported a mean ransomware recovery cost of $1 million higher than those in model 2, at $2.4 million vs $1.29 million. Model 3 organizations came in between the other models at $1.75 million.

Of course, ransomware costs don't just come in the form of investigation, remediation, and retrieval of backups; they also hit revenue. Those businesses within the model 1 category were more than twice as likely to report lost revenue due to the attack, at 57%. That's a substantial number. It's also substantially higher than the 31% who suffered revenue loss in model 2.

Finally, for day-to-day cybersecurity impacts, it turns out that all three models endure similar cybersecurity challenges. Still, model 2 (which integrates security and IT into the same group) had the best outcomes among all three groups.

Sophos found that, across all three models, more than half reported that cyber threats are too advanced for their organization to deal with on their own: 60% in model 1, 51% in model 2, and 54% in model 3.

Sophos also found near-identical concerns among the three models regarding cybersecurity risks: Data exfiltration and phishing are high among the top three cyber concerns.

Additionally, security tool misconfiguration is the most common perceived risk across the board. "Essentially, everyone has the same top concerns, independent of organizational structure," Sophos found.

Another universal finding among all three groups? They'd all rationally like to spend more time on strategic initiatives rather than putting out cybersecurity-related fires. While all groups report challenges in these areas, model 2 organizations appear to be better placed to deal with the day-to-day impact than those following models 1 or 3.

Why did model 2 organizations fare better than the others? As Sophos noted, the report looks at the correlation of outcomes, not necessarily causation. So, more analysis is needed to understand the dynamic here. However, the report author cites having security and IT connected directly facilitates collaboration and shared outcomes. "Working together within a larger group may help prevent the operational silos that can reduce the impact of cybersecurity efforts," they concluded.

It makes sense, as that's the driver behind the success of DevOps, or "DevSecOps" organizations. Could your organization improve its cybersecurity posture by optimizing the IT and security teams for enhanced collaboration? It's a question worth asking.

George V. Hulme

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com. From

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.