Ransomware reimagined: Why containment alone is no longer enough

In March, more than a dozen CISOs and other security managers gathered online to discuss how best to handle ransomware in today’s AI-powered environments.

Because the CyberRisk Collaborative roundtable discussion, sponsored by Akamai, followed the Chatham House rule, we can’t tell you who said what. But the latest CRC report, “Redefining Ransomware Containment,” summarizes what was said.

The full report is available to CyberRisk Collaborative members.

The group’s main message: Ransomware is no longer just a cybersecurity issue, but a full-scale business-resilience challenge.

Organizations should focus on ransomware recovery, the participants agreed. While rapid containment remains critical, stopping an attack is only part of the solution. True success against ransomware includes maintaining business operations, minimizing disruption, and lining up technical response with organizational priorities.

Containment speed is important, but even a quickly halted attack can lead to substantial financial loss or reputational damage. Organizations must take a view of incident success that includes recovery timelines and customer impact alongside traditional security metrics. That’s because a ransomware incident affects the entire enterprise, not just IT systems.

Because business continuity is the true benchmark of resilience, CISOs and other security managers in the roundtable discussion stressed that customers and stakeholders often care less about how quickly an attack is contained and more about whether services remain available.

The CISOs said that as a result, leading organizations are folding ransomware response into broader business-continuity and disaster-recovery plans. That way, critical operations can keep going even during an active incident, and downstream impacts on customers, partners, and markets will be lessened.

Effective ransomware response involves parallel operational tracks, not just a single process, participants agreed. While security teams handle containment and investigation, business leaders should assess the impact of the incident, communications teams should manage messaging, and the IT team should initiate recovery. This coordination makes sure that decisions involve both technical and business considerations.

Incident-response teams must be able to act decisively. Delays caused by bureaucracy or unclear authority can let ransomware spread rapidly. High-performing organizations set rules of engagement that grant responders the wherewithal to take immediate action, such as cutting off systems or disabling accounts, without waiting for approval. Trust, preparation, and clear governance let teams make high-stakes decisions quickly.

Preparation is the most critical factor of all. The discussion participants underscored the value of holding regular tabletop exercises to simulate real-world ransomware scenarios. Tabletops should include executives and stakeholders from the legal and communications teams, helping organizations spot gaps, clarify roles, and build “muscle memory” for actual crises. When a real incident does take place, the teams that have practiced together will be ready to respond.

Overall, the roundtable discussion agreed that ransomware defenses must move beyond prevention and containment toward a broader emphasis on enterprise resilience. This means aligning cybersecurity goals with business operations, empowering teams to make autonomous decisions, preparing rigorously, and ensuring that organizations can continue functioning even under attack.

Ransomware is inevitable, but catastrophe is not. Organizations that embrace a resilience-first approach that balances speed, continuity, coordination, and preparation will be best positioned to turn potentially disastrous ransomware incidents into merely manageable disruptions.
