It’s the question no CISO wants to answer. And it’s easy to say no, of course you wouldn’t – until your organisation goes offline.
In theory, no CISO would pay. Paying cybercriminals funds the ecosystem, encourages repeat attacks and offers no guarantee that data will be restored or deleted. In practice though, ransomware decisions are made under pressure: you’ve got systems offline, customers waiting, regulators circling the building, and executives asking when the business will be back in operation.
Absolute Security’s new ransomware report puts hard numbers behind that pressure. In a survey of 750 CISOs across the US and UK, 58% said they would consider paying a ransom. Among US CISOs, that rose to 63%, compared with 47% in the UK.
We all know paying isn’t a good strategy. But these numbers show that the alternative is often worse when you’re in the middle of a crisis.
The report’s most revealing finding isn’t really the 58% willing to consider payment. It’s what drives that stat: not a single respondent said their organisation had fully recovered from ransomware within 24 hours.
The mean recovery time was around five days. Some organisations took as long as two weeks. For a large enterprise, that’s a revenue event, a customer trust event, a regulatory event – and a personal liability event for security leaders.
This is the real ransom calculation. CISOs aren’t weighing morality in a vacuum – they’re comparing the cost of payment with the very tangible cost of downtime.
And this helps explain the gap between confidence and reality. Absolute found that 83% of CISOs were confident in their organisation’s ability to recover from ransomware. But 55% said their organisation had suffered a disruptive cyberattack or breach in the past year that rendered endpoint devices inoperable.
Confidence is cheap before an attack happens, but recovery is expensive after it.
Ransomware recovery often comes down to a brutally practical question: how quickly can you restore the devices people need to work?
Here, the report shows why recovery drags. The most common restoration method is still physical device collection and repair, used by 59% of respondents. That might be manageable in one office, but it’s incredibly slow when employees are spread across cities, countries, and home networks.
Remote repair capability is used by 53%, but still trails physical recovery. Meanwhile, 57% of CISOs said they had experienced an attack that originated on a mobile, remote or hybrid endpoint device. With 29% of enterprise workforces fully remote and another 39% hybrid, the endpoint estate has become both the front door and the recovery bottleneck.
So ransomware is landing where organisations are least able to restore quickly.
There’s also a boardroom problem. Absolute found that 61% of CISOs say boards and executive leadership expect security investments to guarantee zero breaches and ransomware incidents. Another 63% say board pressure directly influences security strategy and investment decisions.
That expectation is dangerous. It rewards prevention theatre over recovery readiness.
No CISO can guarantee ransomware will not land. What they can influence is how long the business stays down when it does. But recovery infrastructure is often less exciting than prevention tools – and it’s harder to explain before an incident.
The strategic case against paying is still strong. The report cites industry data showing that 83% of organisations that paid were attacked again within a year, and 93% discovered data had been stolen despite payment.
So the answer isn’t to moralise at CISOs who have to make decisions under extreme pressure. It is to make the ransom conversation less likely to happen.
And no – that’s not all about prevention. It means building recovery capability before the crisis:
The best ransomware strategy is being able to say, with evidence: ‘No, we don’t need to pay.’