Cyber Risk: The Board Room Edition — Relaunch Issue
In April, PYMNTS ran a headline that quietly captured a shift the cybersecurity industry has been pretending wasn’t happening: “Cybersecurity’s Hottest New Job Is Negotiating With Hackers.”
The piece reports that demand for ransomware negotiators is climbing at firms like Palo Alto Networks and Sophos. The skills they’re hiring for? Not technical. The article describes the role as requiring “psychological acuity, cultural awareness, financial strategy and a deep understanding of how cybercriminal groups operate.” One line in particular stopped me: “the enterprise’s most valuable asset may no longer be its defense perimeter but rather someone who knows how to talk to the hackers.”
That sentence should make every board in America sit up.
Because if the most valuable asset in a cyber event is the person at the negotiating table — and almost no one in your cybersecurity org has been trained to be that person — you have a strategic gap nobody is pricing yet.
A Tale of Two Casinos
September 2023. Same attacker group (Scattered Spider, working with the ALPHV/BlackCat ransomware-as-a-service operation). Same week. Two of the largest hospitality companies in the world. Two completely different responses.
Caesars Entertainment got hit first. They entered negotiations early and paid $15 million — half of the initial $30 million demand. Operations were largely unaffected. They filed an 8-K and moved on.
MGM Resorts got hit days later. They refused to pay. Ten days of operational chaos followed — slot machines down, digital room keys offline, reservation systems frozen, staff using pen and paper. MGM took an estimated $100 million hit to third-quarter EBITDA and has since paid an additional $45 million to settle class-action litigation over the data exposure.
You can debate which company made the right call. Reasonable people do. But there’s one thing you can’t debate: Caesars negotiated. MGM didn’t. Caesars walked the demand down 50%. MGM either didn’t try or didn’t know how to. The financial difference between those two stances was somewhere north of $130 million.
That gap isn’t about technology. Both companies had sophisticated security teams. The gap is about a skill set that wasn’t on the org chart.
The Quiet Reality of Cyber Risk Decisions
The casino story is dramatic, but it’s not the most common version of this. Every major cybersecurity decision is a negotiation:
Budget reviews with the CFO
MSSP and tooling contracts with vendors
Cyber insurance renewals with brokers and carriers
Ransomware response with criminal counterparties
Regulator engagement after an incident
M&A due diligence with the deal team
Internal politics of getting Engineering to ship security fixes on time
The professionals on the other side of those tables — CFOs, vendor sales teams, insurance underwriters, ransomware operators, attorneys, M&A advisors — are not amateurs. Most have invested years in formal negotiation training, gone through structured deal experience, and operate with a clear playbook.
Cybersecurity leaders, in my experience, rarely have any of that.
The Training Gap
In 28 years of cybersecurity, I have met thousands of CISOs, security directors, and risk officers. I have met very few who have been through formal negotiation training. Most are technically credentialed at the highest levels — CISSP, CISM, OSCP, board certificates, GIAC stacks — and have invested heavily in their craft.
And almost none of them have invested in the one skill that determines whether their technical work actually translates into reduced risk for the business.
That is not a personal failing. It is a structural one. The cybersecurity profession built itself around technology and compliance frameworks. Negotiation lives in the business school curriculum. The two have not met.
The result: cyber leaders walk into board rooms, vendor calls, and crisis bridges with deep technical expertise — and improvised negotiation strategy.
Hit on NegIQ-234
The most expensive single number in cyber risk right now might be this one:
79% of ransomware gangs offered a discount when simply asked.
That finding comes from NegIQ-234, our dataset of 234 actual ransomware negotiations involving 24 criminal gangs and more than 11,000 messages. Not surveys. Not anecdotes. The actual chat windows.
Roughly four out of five times, the gang was prepared to take less than the opening demand — and victims paid full price because nobody on the response team knew that asking was a viable move. Caesars knew. They saved $15 million in one conversation. Most companies don’t.
A trained negotiator does not hand over the opening price on anything, much less a multi-million-dollar criminal transaction. But that is the default play in cybersecurity.
What’s Changing Here
The Cyber Risk Board Room Edition is going to look different starting now. The cyber risk is still the focus. The lens has changed.
Each issue, three sections:
The Lead — A close look at one cyber risk decision and how to actually negotiate it. Budget. Vendors. Insurance. Ransomware. Regulators. M&A. Board conversations.
Hit on NegIQ-234 — A real finding from the dataset. Concrete data. Tactical implications.
The Close — One specific question to bring to your next board meeting, vendor call, or risk review.
That’s it. Three sections. Sustainable. Honest about where the value sits.
The Close
If you are sitting at the board level, this is the most direct ROI conversation you can have with your CISO that you are probably not having:
Have they been trained to negotiate the decisions they are responsible for?
The technical skill stack is necessary. It is not sufficient. Every dollar of cyber risk reduction your CISO produces eventually has to be defended, negotiated, or extracted across a table — and the other side has practice your team does not have. Caesars demonstrated what training is worth in one week. MGM demonstrated what the gap costs.
The good news: this is the most learnable expensive skill in the cyber stack.
The bad news: nobody is going to teach it to your team unless you decide it matters.
This newsletter is going to operate on the assumption that you have decided it does.
Welcome back. Glad to have you reading again.
