What We Learned from Nine CISOs on Ransomware Defense Strategies

January 6, 2025
Security

Ransomware continues to be one of the most devastating and expensive cybersecurity threats. Global ransomware damages are projected to reach billions annually [1], leaving Chief Information Security Officers (CISOs) and security leaders under increasing pressure to ensure their organizations are prepared. Despite sophisticated tools and strategies, blind spots in detection and response capabilities can leave even the most mature security programs vulnerable.

The OnDefend team had the rare opportunity to be a fly on the wall as nine healthcare CISOs discussed their security programs. As a group, we identified their top ransomware challenges and collaborated on strategies for how tech vendors and security leaders can work together to address these issues.

From misconfigured tools to ineffective threat responses, blind spots in ransomware defense can have devastating consequences. This blog gives you a behind-the-scenes look at the top challenges these CISOs face in ransomware defense and the actionable insights discussed to overcome them.

1. Operational Assurance: Ensuring Security Controls Work as Intended

The Challenge

Security leaders face the critical challenge of ensuring that detection and response tools, such as Secure Email Gateway (SEG), Endpoint Detection and Response (EDR), Network Detection and Response (NDR), and Security Information and Event Management (SIEM), are fully optimized and functioning as intended. Without operational assurance, misconfigurations, policy drift, and untested updates can leave organizations vulnerable to ransomware threats and other cyber risks.

When asked, “How do you test and verify that your controls are functioning right now?”, one CISO responded, “I don’t have enough of a team to be able to test, so I’m not aware whether these things are working correctly.”

Well, another CISO responded, “the bad guys are technically testing us every day, right?”

But, they all agreed, they could do more.

Why It Matters

Misconfigurations and blind spots caused by outdated policies, incorrect thresholds, software updates, integration failures between tools, or unintended changes leave critical gaps that allow threat actors to operate undetected. This leads to increased dwell times, heightened risk exposure, and the potential for significant operational disruptions. Additionally, misconfigured controls can generate excessive false positives or negatives, overwhelming security teams and leading to missed detections of legitimate threats.

The Solution

CISOs and security leaders can take several proactive measures to ensure that security controls function as intended and deliver the protection their organization needs.

  • Establish a Continuous Validation Program: Regularly (monthly or quarterly) test and validate security controls using tools like Breach and Attack Simulation (BAS) or managed services like OnDefend’s Ransomware Defense Validation (RDV) to ensure they are properly configured and capable of detecting and responding to real-world threats.
  • Regularly Audit and Tune Configurations: Conduct routine audits of rules, thresholds, and integrations to ensure configurations are up-to-date and aligned with evolving threat landscapes. Validate that patches, updates, or policy changes do not inadvertently create vulnerabilities.
  • Foster Cross-Departmental Collaboration: Collaborate with IT, DevOps, and other business units to ensure security measures are embedded into workflows and aligned with operational needs. Work closely with procurement teams to assess vendor capabilities and meet SLA commitments.
  • Develop Incident Response Playbooks: Create detailed playbooks that include validated escalation paths, response protocols, and tool configurations to effectively handle various incident types. Test these playbooks through simulated exercises to ensure they work as intended during real incidents.
  • Promote a Security-First Culture: Train internal teams and stakeholders on the importance of proper configurations and adherence to security protocols. Encourage a culture of vigilance where security practices are seen as critical to the organization’s success.

By taking these steps and working closely with trusted security vendors, CISOs can build a proactive, resilient cybersecurity posture that ensures security controls function as intended and evolve to meet new and emerging threats.
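The audit-and-tune step above hinges on noticing when a control's configuration has drifted away from the approved baseline, and on telling a change that merely differs from one that actually weakens protection. The following is an added example, not code from the post or from OnDefend, that diffs a live policy export against a baseline and classifies each difference. The policy keys, the setting model (mode, threshold and exclusion-list settings) and the two JSON exports are constructed for illustration and do not correspond to any vendor's real schema.

```python
import json

# Assumed, simplified control policy model (not any vendor's real schema).
# "mode" settings: a higher index in MODE_ORDER is a stronger setting.
MODE_ORDER = ["off", "audit", "block"]
MODE_SETTINGS = {"ransomware_behaviour_mode", "script_control_mode"}
# "threshold" settings: raising the threshold suppresses alerts, so higher is weaker.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]
THRESHOLD_SETTINGS = {"alert_severity_threshold"}
# list settings where an added entry reduces coverage (scan/monitoring exclusions).
EXCLUSION_SETTINGS = {"excluded_paths"}


def _weaker(key, baseline, current) -> bool:
    """True when a change reduces protection under the model above."""
    if isinstance(baseline, bool):
        return baseline is True and current is False
    if key in MODE_SETTINGS:
        return MODE_ORDER.index(current) < MODE_ORDER.index(baseline)
    if key in THRESHOLD_SETTINGS:
        return SEVERITY_ORDER.index(current) > SEVERITY_ORDER.index(baseline)
    if key in EXCLUSION_SETTINGS:
        return bool(set(current) - set(baseline))  # any new exclusion
    return False


def audit_drift(baseline: dict, current: dict) -> list:
    """Compare a live policy export against the approved baseline.

    Each finding is {'setting', 'kind', 'baseline', 'current'} where kind is
    'weakened' (protection reduced), 'changed' (differs but not clearly weaker),
    'missing' (baseline setting absent from the export) or 'unexpected'
    (setting present that the baseline does not define).
    """
    findings = []
    for key, base_val in baseline.items():
        if key not in current:
            findings.append({"setting": key, "kind": "missing", "baseline": base_val, "current": None})
            continue
        cur_val = current[key]
        if cur_val == base_val:
            continue
        kind = "weakened" if _weaker(key, base_val, cur_val) else "changed"
        findings.append({"setting": key, "kind": kind, "baseline": base_val, "current": cur_val})
    for key in sorted(set(current) - set(baseline)):
        findings.append({"setting": key, "kind": "unexpected", "baseline": None, "current": current[key]})
    return findings


def blocks_change(findings) -> bool:
    """Change-window gate: any weakened or missing control fails the check."""
    return any(f["kind"] in ("weakened", "missing") for f in findings)


# Constructed sample exports (not real policies): the approved baseline and
# what the endpoint agent reports after an update and some manual edits.
BASELINE_JSON = r"""{
  "tamper_protection": true,
  "quarantine_on_detect": true,
  "ransomware_behaviour_mode": "block",
  "script_control_mode": "block",
  "alert_severity_threshold": "medium",
  "excluded_paths": ["C:\\Windows\\Temp\\*"],
  "forward_alerts_to_siem": true
}"""

CURRENT_JSON = r"""{
  "tamper_protection": true,
  "quarantine_on_detect": false,
  "ransomware_behaviour_mode": "audit",
  "script_control_mode": "block",
  "alert_severity_threshold": "high",
  "excluded_paths": ["C:\\Windows\\Temp\\*", "D:\\Backups\\*"],
  "debug_logging": true
}"""


def sample_findings() -> list:
    """Run the audit over the constructed sample exports."""
    return audit_drift(json.loads(BASELINE_JSON), json.loads(CURRENT_JSON))


if __name__ == "__main__":
    findings = sample_findings()
    for f in findings:
        print(f"{f['kind']:10} {f['setting']}: {f['baseline']!r} -> {f['current']!r}")
    print("change blocked" if blocks_change(findings) else "no weakening detected")
```

Run against the sample exports, the audit reports four weakened settings (quarantine switched off, behaviour blocking downgraded to audit, alert threshold raised, a new exclusion added), one missing setting (SIEM forwarding) and one unexpected setting, and the gate fails. Removing an exclusion or lowering a threshold is reported as "changed" rather than "weakened", which is the distinction that keeps the report from being ignored as noise.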

2. Quantifying Third-Party Vendor Efficacy: Holding Vendors Accountable

The Challenge

Managed Security Service Providers (MSSPs) and Managed Detection and Response (MDR) solutions are critical components of a ransomware defense strategy. However, these providers often fail to meet Service Level Agreement (SLA) requirements due to:

  • Resource constraints
  • Skill gaps
  • Outdated response protocols.

5 in 10 threat response assessments result in a notification response delay or failure. (Data collected from OnDefend services between 2020 and 2024.)

Why It Matters

Measuring vendor performance can be difficult due to a lack of transparency, inconsistent reporting, and limited actionable data on real-world incident response capabilities. Without clear metrics to evaluate whether vendors meet SLA commitments or effectively mitigate threats, organizations risk extended dwell times, unaddressed vulnerabilities, and reduced resilience to cyberattacks. The inability to quantify vendor efficacy leaves security leaders in the dark, undermining confidence in their security posture and complicating vendor selection, retention, or replacement decisions.

The Solution

  • Regularly evaluate MDR, NDR, and MSSP providers and other security vendors to confirm they meet SLA commitments and perform as expected. Use metrics such as Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to measure vendor effectiveness and identify areas for improvement.
  • Conduct regular, controlled threat detection and response exercises to measure real-world SLAs and detection and response times.
  • Simulate real-world ransomware incidents to evaluate how quickly vendors detect, alert, and respond to threats.

Use these findings to hold vendors accountable or identify alternative solutions that deliver better performance.
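Measuring MTTD and MTTR from controlled exercises is only meaningful if the exercises a provider never detected, or detected but never notified, are counted as SLA failures instead of being dropped from the average. The following is an added example, not code from the post or from OnDefend, that scores a set of exercise records against detection and notification SLAs and produces the metrics discussed above. The record layout, the SLA values, the metric definitions (MTTD as injection-to-alert, MTTR as injection-to-customer-notification) and the four exercise records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Exercise:
    """One controlled detection-and-response exercise run against a provider.

    injected_at: when the harmless test activity was introduced.
    detected_at: when the provider's tooling alerted on it (None: never).
    notified_at: when the provider notified the customer (None: never).
    """
    scenario: str
    injected_at: datetime
    detected_at: Optional[datetime]
    notified_at: Optional[datetime]


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def evaluate_provider(exercises, detect_sla_min: float, notify_sla_min: float) -> dict:
    """Compute MTTD, MTTR and the SLA failure rate over a set of exercises.

    Assumed definitions (not from the post): MTTD averages injection-to-alert
    over exercises that were detected at all; MTTR averages injection-to-
    notification over exercises that were notified at all. Exercises never
    detected or never notified are recorded as failures, so the failure rate
    reflects what the averages alone would hide.
    """
    detect_times, respond_times, failures = [], [], []
    for ex in exercises:
        if ex.detected_at is None:
            failures.append((ex.scenario, "no detection"))
            continue
        d = _minutes(ex.injected_at, ex.detected_at)
        detect_times.append(d)
        if d > detect_sla_min:
            failures.append((ex.scenario, f"detection took {d:.0f} min, SLA {detect_sla_min:.0f}"))
        if ex.notified_at is None:
            failures.append((ex.scenario, "detected but never notified"))
            continue
        r = _minutes(ex.injected_at, ex.notified_at)
        respond_times.append(r)
        if r > notify_sla_min:
            failures.append((ex.scenario, f"notification took {r:.0f} min, SLA {notify_sla_min:.0f}"))
    failed = sorted({scenario for scenario, _ in failures})
    return {
        "mttd_min": mean(detect_times) if detect_times else None,
        "mttr_min": mean(respond_times) if respond_times else None,
        "sla_failure_rate": len(failed) / len(exercises) if exercises else 0.0,
        "failed_scenarios": failed,
        "failures": failures,
    }


# Constructed sample records (not real data): four exercises from one quarter.
def _t(hour: int, minute: int) -> datetime:
    return datetime(2025, 1, 15, hour, minute)


SAMPLE_EXERCISES = [
    Exercise("credential-dumping emulation", _t(9, 0), _t(9, 5), _t(9, 40)),
    Exercise("ransomware staging emulation", _t(10, 0), _t(10, 30), _t(12, 0)),
    Exercise("lateral-movement emulation", _t(11, 0), None, None),
    Exercise("data-exfiltration emulation", _t(13, 0), _t(13, 10), None),
]

if __name__ == "__main__":
    report = evaluate_provider(SAMPLE_EXERCISES, detect_sla_min=15, notify_sla_min=60)
    print(f"MTTD {report['mttd_min']:.1f} min, MTTR {report['mttr_min']:.1f} min, "
          f"SLA failure rate {report['sla_failure_rate']:.0%}")
    for scenario, reason in report["failures"]:
        print(f"  {scenario}: {reason}")
```

With a 15-minute detection SLA and a 60-minute notification SLA, the sample gives an MTTD of 15 minutes and an MTTR of 80 minutes, but three of the four exercises breached an SLA. Reporting the failure rate alongside the averages is what makes the numbers usable in a vendor review.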

3. Demonstrating Preparedness to Executives and Boards

The Challenge

CISOs face increasing pressure to assure executives and boards that their organizations are prepared to defend against and respond to ransomware and other cyber threats. However, demonstrating this preparedness is often hampered by the complexity of translating technical security measures into business-relevant insights.

Why It Matters

Without clear, quantifiable metrics—such as MTTD and MTTR—and tangible evidence of operational assurance, conveying the effectiveness of security controls and demonstrating cyber resilience becomes difficult. This lack of transparency can lead to uncertainty among stakeholders and diminished confidence in the organization’s cybersecurity posture.

The Solution

  • Beyond traditional penetration testing: Penetration testing lacks real-world threat simulation, provides only a snapshot of vulnerabilities at a specific point in time, and does not account for ongoing changes in the environment. Penetration testing reports are often technical and detail-oriented, making it challenging for CISOs to translate findings into business-relevant insights or quantifiable metrics that resonate with executives and boards. Invest in BAS tools or a managed service like Ransomware Defense Validation (RDV) to provide ongoing assurance.
  • Provide Stakeholder Transparency: Communicate the status and effectiveness of security controls to executives and board members using data-driven insights and provide tangible results that stakeholders can understand. Regularly demonstrate how investments in security controls and continuous validation reduce risk and enhance organizational resilience.

By providing measurable metrics, testing real-world scenarios, and proving that security controls and processes are both resilient and effective, CISOs can assure stakeholders that their cybersecurity efforts support operational continuity and organizational resilience.

4. Proving ROI on Cybersecurity Investments

The Challenge

CISOs are under constant pressure to secure budgets and demonstrate the value of their cybersecurity investments. However, proving ROI in cybersecurity is uniquely challenging because success is often measured by what doesn’t happen—prevented breaches, mitigated risks, and avoided costs.

Why It Matters

Without quantifiable metrics like MTTD or MTTR, and tangible proof that tools and services are functioning as intended, it becomes difficult to communicate the effectiveness of security investments to executives and boards. This lack of clarity can lead to skepticism about the necessity of new investments, underfunded security initiatives, and reduced stakeholder confidence in the organization’s ability to manage cyber risks effectively.

The Solution

Use results-driven validation to demonstrate ROI:

  • Continuously test and validate existing security tools and service providers to show where investments are working and where they fail.
  • Present quantifiable metrics, such as SEG filtering rates or detection improvements, to justify budget decisions.
  • Use data to prioritize high-performing solutions and replace ineffective tools and service providers.

When CISOs demonstrate clear, measurable value, security becomes a business enabler rather than a cost center.

5. From Reactive to Proactive: Reducing Cybersecurity Risks

The Challenge

For many organizations, cybersecurity efforts remain largely reactive, focusing on responding to incidents after they occur rather than preventing them. Many organizations only test their defenses after an incident or during annual compliance audits. This reactive approach leaves significant gaps for adversaries to exploit.

“Ransomware is the #1 risk for most hospitals, including ours. We already subscribe to the standard legacy testing practices, but we don’t have a way to continuously test and validate our defensive controls to prove they are working.” – Healthcare CISO

Why It Matters

Security teams are perpetually in crisis mode, addressing vulnerabilities and threats only after they have already impacted the organization. CISOs face the challenge of shifting to a proactive strategy that continuously identifies and mitigates risks before they are exploited. Without proactive measures, organizations remain vulnerable to evolving threats, extended dwell times, and operational disruptions, making it difficult to build a truly resilient security posture.

The Solution

Achieving this requires regular validation of security controls, real-world testing of detection and response capabilities, and actionable insights to address gaps in coverage.

  • Emulate ransomware scenarios continuously to identify weaknesses across prevention, detection, and response.
  • Implement Breach and Attack Simulation (BAS) tools or a managed service like Ransomware Defense Validation (RDV) to regularly validate readiness against real-world threats.
  • Conduct frequent, comprehensive risk assessments to identify and prioritize vulnerabilities based on their potential impact on the organization. Leverage frameworks like NIST or MITRE ATT&CK to systematically evaluate and address risks.
  • Ensure tools like EDR, NDR, and SIEM are properly configured, updated, tuned, and integrated to detect threats proactively.
  • Validate incident response workflows through regular tabletop exercises and real-world simulations.

A proactive approach builds resilience and ensures defenses evolve alongside the threat landscape.

Why Continuous Validation is Essential for Ransomware Defense

For CISOs, overcoming these challenges requires moving beyond assumptions and validating defenses against real-world ransomware attacks. By demonstrating preparedness, holding vendors accountable, and continuously validating controls, CISOs can build confidence across technical teams and executive leadership, mitigate current risks, and ensure their organizations are well-prepared for the threats of tomorrow.

We learned so much by just listening to these CISOs. While they all agreed these were the biggest technical challenges they faced, the one thing that stood out most prominently when discussing ways to solve these was LIMITED BANDWIDTH. The resources needed to check all these boxes are extremely limited and they have competing priorities.

That’s why OnDefend collaborated with CISOs and security leaders to develop Ransomware Defense Validation (RDV), a fully managed service designed to do this heavy lifting for security teams. Discover how this healthcare organization successfully implemented RDV and the positive outcomes they achieved.

Take the Next Step

Ready to prepare your organization against ransomware? Schedule a consultation today to learn how OnDefend’s Ransomware Defense Validation (RDV) can eliminate blind spots, optimize your security tools, and ensure vendor accountability.


About OnDefend:

OnDefend, established in 2016, stands at the forefront of preventative cybersecurity testing and advisory services, a reputation further enhanced by the introduction of its advanced Breach and Attack Simulation (BAS) Software as a Service (SaaS) platform, BlindSPOT. OnDefend is a trusted partner, empowering organizations globally to proactively combat real-world cyber threats. From ensuring compliance with industry standards to building out mature security programs, our mission is to ensure that the security resources our customers invest in are well-utilized, effective, and provide tangible results. For more information about our services and solutions, contact us.

[1] Source: Financial Times
