A SecurityWeek Event


An Exclusive Executive Forum Focused on
Information Security Leadership and Strategy

September 13-14, 2022

2021 CISO Forum Presented by


2021 Diamond Sponsors


2021 Platinum Sponsors


2021 Gold Sponsors


Silver Sponsors


2021 CISO Forum

SecurityWeek’s CISO Forum takes place annually at the beautiful Ritz-Carlton, Half Moon Bay, which has served as the venue of the forum since 2014.

Given the global situation resulting from the COVID-19 pandemic, SecurityWeek’s 2021 CISO Forum, Presented by Cisco, will take place virtually. Through a cutting-edge platform, attendees will be able to interact with speakers and sponsors, and visit networking lounges, specific zones & sponsor booths.

This  event is designed for security leaders to discuss, share and learn information security strategies. (Register)

Visit Here for the Latest Event Updates for the Virtual Edition

An Exclusive Executive Forum Focused on Cybersecurity Leadership and Strategy

September 14-15, 2021
Virtual Event – View Event Website

Throughout this two-day virtual event, sessions will have a strong focus on participation from CISOs in panel discussions along with talks from industry experts, analysts and other end users, and thought leadership, strategy and technical sessions.

Topics Include:

  • Fireside Chat: Adrian Stone: VP, CISO at Peloton
  • Winning Hearts and Minds on the Board
  • Designing and Architecting Security for a Hybrid World
  • CISO Panel: Navigating SBOMs and Supply Chain Security Transparency
  • Panel: CISO’s Guide to Building a Security Dream Team
  • Panel: The Top 5 Priorities of the Modern CISO
  • Defenders Playbook for Attack Simulation and Security Posture Validation
  • Virtual Expo and Networking
  • Identity-Focused Security for Your Zero Trust Journey
  • Winning Hearts and Minds on the Board
  • Securing Our Cloud Environment Against Hackers
  • Key Insights to Prevent Never-Before-Seen Cyber Attacks
  • SASE Industry Trends
  • Measuring Security and Building Trust with Leadership: Enabling Transformation Through Testing
  • How DevOps Can Make AppSec Testing Seamless
  • Addressing Sophisticated Supply Chain Attacks Head On with No Source Code Required
  • Much more! – Add to Calendar

Through a cutting-edge platform, attendees will be able to interact with speakers and sponsors, and visit networking lounges, subject-specific discussion areas, and sponsor booths in a virtual expo hall.

Adrian Stone

Adrian Stone


Anne Marie Zettlemoyer

Anne Marie Zettlemoyer

VP, Security Engineering

Caleb Sima

Caleb Sima


Allan Friedman

Allan Friedman (Invited)

Cybersecurity and Infrastructure Security Agency (CISA)
SBOM Champion

Summer Craze Fowler

Summer Craze Fowler

Argo AI

Fredrick Lee

Fredrick ‘Flee’ Lee

Chief Security Officer

Shaila Shankar

Shaila Shankar

SVP and General Manager of Cisco Cloud Network and Security

Jonathan Jaffe

Jonathan Jaffe


Aanchal Gupta

Aanchal Gupta

VP, Azure Security

Lena Smart

Lena Smart


Sounil Yu

Sounil Yu


Theresa Payton

Theresa Payton

Former White House CIO
Star of CBS TV series, “Hunted”, and Leading Cybersecurity Expert




September 24-26, 2019


1 Miramontes Point Rd, Half Moon Bay, CA 94019


+ 1 (650) 712-7000

City of Atlanta Ransomware Attack Proves Costly

05/07/2018 0

City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not

(Kevin Townsend – SecurityWeekOver the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million dollars in contracts to help its recovery from a ransomware attack on March 22, 2018 — which (at the time of writing) is still without resolution.

Precise details on the Atlanta contracts are confused and confusing — but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst & Young is being paid $600,000 for advisory services for cyber incident response. The total for all the contracts appears to total roughly $2.7 million. The eventual cost will likely be more, since it doesn’t include lost staff productivity nor the billings of a law firm reportedly charging Atlanta $485 per hour for partners, and $300 per hour for associates. The ransom demand was for around $51,000.

The ransomware used in the attack was SamSam. In February this year, SecureWorks published a report on SamSam and attributes it to a group it knows as Gold Lowell. Gold Lowell is unusual in its ransomware attacks since it typically compromises its victim networks in advance of encrypting any files.

SecureWorks makes two specific points about Gold Lowell that might be pertinent to the Atlanta incident. Firstly, “In some cases where the victim paid the initial ransom, GOLD LOWELL revised the demand, significantly increasing the cost to decrypt the organization’s files in an apparent attempt to capitalize on a victim’s willingness to pay a ransom.” Atlanta officials have always declined to comment on whether they paid, or attempted to pay, the ransom

Secondly, “GOLD LOWELL is motivated by financial gain, and there is no evidence of the threat actors using network access for espionage or data theft.” Atlanta officials were quick to claim that no personal data was lost in the attack.

Also worth considering is the SamSam attack on Hancock Health reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers — which sound like the Gold Lowell group — had previously compromised them.

The extended dwell time by the Gold Lowell group prior to encrypting files and making a ransom demand would explain the extreme difficulty that Atlanta is experiencing in trying to recover from the attack. The Hancock incident suggests that rapid payment might have resulted in file recovery, but SecureWorks also suggests it might have led to a further demand.

There are also indications that Gold Lowell’s dwell time could have been extensive and effective. According to WSB-TV, Atlanta officials had been warned months in advance that at least one server was infected with malware, and that in February it contacted a blacklisted IP address associated with known ransomware attacks. Whether the incidents are directly connected will only come out with forensic analysis.

However, the few facts that are known raises a very complex ethical issue. Atlanta seems to have chosen to pay nearly $3 million of taxpayer money rather than just $51,000, possibly on a point of principle. That principle is supported by law enforcement agencies around the world who advise that ransoms should not be paid. In this case, the sheer disparity between the cost of the ransom and the ransomware restitution (more than 50-to-1 and growing), all of which must be paid with someone else’s money, makes it reasonable to question the decision.

There is no simple answer. Atlanta does, however, get almost unequivocal support from the CISO of another U.S. city, who spoke to SecurityWeek requesting anonymity. “Unless paying the ransom provided details of how they were breached, what would it really get them?” he asked. “Firstly, they don’t know if they would actually get the decrypt keys; secondly, they don’t know if they would simply get hit again; and thirdly, it would only encourage more of the same kind of action.

“By bringing in emergency support,” he continued, “they probably now have a much better picture of their security posture, most likely have cleaned up a number of issues, and are now on track to pay more attention to this business risk.” His only criticism is that the money should have been spent to prevent ransomware rather than to recover from it. “The real lesson,” he said, “is for probably 10-20% of the cost of the emergency support they could have brought in the same people to help with the same issues prior to the incident. Would that guarantee it would not happen? No — but it would improve the odds greatly, would limit the damage done, and improve recovery efforts if it happened.”

Ilia Kolochenko, CEO of web security company High-Tech Bridge, has a different view. “The ethical dilemma whether to pay or not to pay a ransom becomes very complicated today. This incident is a very colorful, albeit sad, example that refusing to pay a ransom may be economically impractical and detrimental for the victims.”

He agrees that Atlanta should have been better prepared. “Taking into consideration the scope and the disastrous consequences of this incident, one may reasonably suggest that Atlanta has a lot of space for improvement in cybersecurity and incident response. Spending 50 times more money to remediate the consequences of the attack, instead of investing the same money into prevention of further incidents, is at least questionable.”

But he disagrees with one of the primary arguments of those who advocate not paying. “Refusing to pay a ransom is unlikely to demotivate cybercriminals from conducting further attacks, as they will always find someone else to pay.”

In the final analysis, he believes that each case needs to be decided on its own merits, but adds, “In some cases, paying a ransom is the best scenario for a company and its economic interests. Otherwise, you risk spending a lot of valuable resources with no substantial outcome.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe for Event News