Pressure on CISOs to stay silent about security incidents growing

CISOs are coming under increased pressures to keep quiet about security incidents because concerns about corporate reputation often outweigh adherence to regulatory compliance.

More than two-thirds (69%) of CISOs have been told to keep breaches confidential, according to a recent survey by Bitdefender. These numbers are significantly up from the 42% recorded in an equivalent study two years ago.

Martin Zugec, technical solutions director at Bitdefender, told CSO that shifts in how cybercriminals operate could be having a direct influence on why some breaches are kept quiet.

“Traditional ransomware attacks that encrypted data and forced public disclosure are declining,” said Zugec. “Instead, attackers increasingly focus on data theft without disruption, making breaches less visible to customers or the public.”

Even when encryption is used, it’s often confined to back-end infrastructure. For example, a recent attack by the RedCurl group specifically targeted hypervisors while avoiding systems that would impact end users.

“This approach minimizes public fallout and enables private negotiations, adding to the pressure CISOs face around disclosure,” Zugec said.

Regulatory pressure

Regulatory pressures on CISOs come from various sources, including data protection rules such as the EU’s General Data Protection Regulation (GDPR) and financial market regulations that require timely disclosure of cyber incidents. Other regulations, such as the Cyber Security and Resilience Act, DORA, and NIS2, are increasing the regulatory scrutiny.

CISOs are under pressure to downplay or avoid reporting compliance issues, despite the personal liability security leaders face when they fail to report security incidents.

Bryan Marlatt, chief regional officer at cybersecurity consulting firm CyXcel, and a former CISO, told CSO that he left a previous employer after he was asked to downplay a security incident.

“With a recent employer, I was asked by the CIO to not share risks with the Audit Committee and [to] over-embellish the security capabilities on the SEC Form 10K,” Marlatt told CSO. “This came after being told not to share the details of a business email compromise that had recently occurred.”

Marlatt added: “The CIO had one year left before retiring and didn’t want to ‘rock the boat’ as they claimed.”

“Integrity means more to me than any amount of money, so when I was asked not to share details of a compromise and embellish security capabilities at my former employer, I left,” he said.

‘Intense pressure’ to keep quiet about security incidents

CSO spoke to two other former CISOs who reported pressures to stay silent about suspected security incidents. Both CISOs requested to remain anonymous due to end-of-contract confidentiality agreements made with previous employers.

“While working inside a Fortune Global 500 company in Europe, I witnessed this multiple times,” one of the former CISOs explained. “The pressure was especially intense before shareholder meetings or quarterly financial reports.”

The same source said: “Every incident had to be routed through the CIO first, who brought it up to his leadership team or the board — mostly the CFO [chief financial officer] — regardless of urgency or regulatory timelines.”

“The justification was always the same: ‘This isn’t necessarily a cybersecurity incident.’ Final disclosure decisions were consistently made without the CISO’s involvement,” the source reported.

The former CISO offered anonymized examples they had personally encountered:

Automotive development data theft: Around 500GB of sensitive engineering and personal data was stolen by an insider and later sold on the dark web. Root cause: Identity and access management (IAM) misconfiguration. Not disclosed, because it was “just stolen data, not a hack.”

Abuse of super admin rights by a security leader: A senior security employee abused admin access to intimidate subordinates, and to get access to accounts of board members and other high company profiles. The security operations center detected it. Labeled a “misconfiguration,” not a cyberattack.

Financial subdivision hack abroad: Hackers rerouted around €50 million in SAP supplier payments via a third-party breach and missing multi-factor authentication. Not disclosed, as it didn’t “fall under local EU laws.”

Stolen administrator credentials: CrowdStrike flagged a still-active super admin account. Logs were missing. Red/blue teams recommended IAM reset. Ignored, because “no direct harm was detected.”

CISO bribery scandal: A Big Five provider bribed the global group CISO and two direct reports with vacations and other expensive perks to secure worldwide contracts. Evidence was ignored. The CISO was quietly replaced with a golden handshake, and the team was told not to discuss it.

A second former CISO told us of an incident in which his employer was notified of a suspected data breach involving private information — emails and names rather than credit card details.

After determining that the source of the problem was not their organization but the software developer of a third-party website, the CISO was told not to report the issue, even though customer data was involved, because it was “not their problem” and the business wanted to preserve its relationship with the third-party website.

Caught in a trap

These situations highlight the impossible position in which CISOs are often placed: legally accountable for security but pressured to ignore standards when disclosure conflicts with corporate interests. “The business does not really understand what this means for people who really care about this,” the first source told CSO, adding that, faced with a difficult position, they complied with requests to keep quiet.

“There is no genuine whistleblower protection, financial or reputational, for a CISO or any other security person who comes forward,” the source said.

Speaking out will end a career.

“In my case, I’m sure I was flagged,” the source explained. “In a performance review, I was told that if I wanted to rise to the top, I needed to comply more with ‘the company’ and less with ‘my standards and my team.’ That conversation was one of the key reasons I ultimately left.”

CyXcel’s Marlatt added that business executives commonly try to hide that an incident ever occurred, even though it is likely to have an impact on their customers or business partners.

“As a consultant, I’ve heard of many CISOs being asked not to share details of an incident, or not to share that an incident had occurred,” Marlatt said. “With the increase in ransomware events and the need to bring in external parties for digital forensics and incident response or to submit insurance claims, it’s becoming much more difficult to hide these impactful incidents.”

Silence isn’t golden

Caroline Morgan, partner at CM Law, acknowledged that “internal company pressure to stay silent is real,” while warning that regulators not only expect but require disclosure of security incidents.

“Legally, by staying silent a business is likely only aggravating its problems, not escaping them,” Morgan said. “The price to pay can be devastating because now it is not just the breach it is also the cover-up.”

“Regulators can use silence to show a pattern of noncompliance to impose significant penalties,” Morgan warned. “Brand damage, loss of customer trust, and worse, lawsuits, can also be part of the fallout.”

Morgan continued: “If a chief information security officer or the like attempts the cover-up and is discovered, it is often a career ender and an invitation to be personally sued, fined by regulators, or worse, criminal charges.”

This is far from a theoretical risk. Former Uber Chief Security Officer Joe Sullivan was found guilty of covering up a 2016 security breach and sentenced to probation.

Incident response

Timely reporting is the foundation of data protection laws.

“Companies can greatly reduce their exposure by acknowledging that internal pressure to not report is a threat and by putting solutions in place to minimize it before a breach occurs,” Morgan advised.

“Companies can minimize internal pressure by ensuring they have a robust incident response plan whose framework promotes transparency, including training on ethical handling of incidents and decision-making authority that is walled off from commercial roles,” she said.
