{"id":1796,"date":"2025-02-06T07:30:00","date_gmt":"2025-02-06T07:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1796"},"modified":"2025-02-06T07:30:00","modified_gmt":"2025-02-06T07:30:00","slug":"21-of-cisos-pressured-to-not-report-compliance-issues","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1796","title":{"rendered":"21% of CISOs pressured to not report compliance issues"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs are increasingly getting caught between business pressures and regulatory obligations, leaving them struggling to balance corporate loyalty and legal accountability.<\/p>\n<p>To wit: One in five (21%) security leaders have been pressured by other executives or board members not to report compliance issues at their companies, according to a <a href=\"https:\/\/www.splunk.com\/en_us\/campaigns\/ciso-report.html\">recent study by security vendor Splunk<\/a>.<\/p>\n<p>The same study \u2014 which was based on a <a href=\"https:\/\/www.splunk.com\/en_us\/newsroom\/press-releases\/2025\/splunk-report-cisos-gain-influence-in-the-c-suite-and-boardrooms-worldwide.html\">survey of 600 CISOs<\/a> or equivalent security leaders worldwide \u2014 found that 59% of CISOs would become whistleblowers if their organization ignored compliance requirements, suggesting that many security leaders recognize the risks of inaction.<\/p>\n<h2 class=\"wp-block-heading\">Increased regulatory scrutiny<\/h2>\n<p>Independent security experts quizzed by CSO said that the survey\u2019s findings highlight the persistent cultural and organizational challenges inherent in security governance.<\/p>\n<p>\u201cThe pressure on CISOs to withhold compliance issues is not just unethical; it\u2019s a serious risk to their personal liability and 
their organization\u2019s long-term resilience,\u201d said Sam Peters, chief product officer at compliance management specialists ISMS.online.<\/p>\n<p>\u201cUnder regulatory frameworks like the SEC\u2019s disclosure rules as well as legal frameworks such as <a href=\"https:\/\/www.csoonline.com\/article\/3568787\/eus-nis2-directive-for-cybersecurity-resilience-enters-full-enforcement.html\">NIS2<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/570091\/eus-dora-regulation-explained-new-risk-management-requirements-for-financial-firms.html\">DORA<\/a>, failure to report security incidents can result in significant legal and financial consequences, not just for CISOs but also for board members,\u201d he added.<\/p>\n<p>With increasing regulatory scrutiny and the <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">rise of personal liability<\/a> for security leaders \u2014 especially under regimes like the EU\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/562107\/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html\">General Data Protection Regulation (GDPR)<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/3609804\/what-cisos-need-to-know-about-the-secs-breach-disclosure-rules.html\">SEC regulations<\/a>, and critical infrastructure laws \u2014 CISOs must navigate a fine line when pressured to not raise flags about corporate issues.<\/p>\n<p>Matthias Held, technical program manager at Bugcrowd, and a former CISO, said that the pressure CISOs face from boards to downplay or avoid reporting compliance issues reveals deeper, systemic problems in <a href=\"https:\/\/www.csoonline.com\/article\/3617367\/dear-ceo-an-open-letter-from-your-ciso.html\">how security is perceived at the executive level<\/a>.<\/p>\n<p>\u201cThe Splunk report\u2019s findings are alarming but, unfortunately, not surprising,\u201d Held said. 
\u201cWe\u2019ve seen <a href=\"https:\/\/www.csoonline.com\/article\/575375\/former-uber-cso-joe-sullivan-and-lessons-learned-from-the-infamous-2016-uber-breach.html\">cases like the former Uber CISO<\/a> where legal accountability was shifted onto security leadership rather than addressing the root cause \u2014 corporate decision-making that prioritizes optics over security.\u201d<\/p>\n<p>Bryan Marlatt, chief regional officer at cybersecurity consulting firm CyXcel, said that while regulators require notifications of an organization\u2019s cybersecurity program and active incidents, boards are often more concerned about reputation management.<\/p>\n<p>\u201cThey [CISOs] are increasingly directed by the organization\u2019s senior leadership to keep quiet or to misclassify an incident to keep it below the radar of regulatory bodies, shareholders, and others,\u201d Marlatt told CSO.<\/p>\n<p>Marlatt added: \u201cAs a former CISO, I had this happen to me. Following a directive to misrepresent the organization\u2019s risks to the Audit Committee and embellish the cybersecurity program\u2019s capabilities on the SEC Form 10-K, I opted to leave the organization.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Security disconnect<\/h2>\n<p>CISOs remain under immense pressure to comply with both existing and upcoming regulations, with the most recent being DORA, which came into effect in January 2025.<\/p>\n<p>\u201cThere is a critical gap between board-level understanding and reality. While regulators are increasingly stringent, many CISOs feel their budgets don\u2019t adequately reflect the board\u2019s commitment to compliance. 
This disconnect jeopardizes not only organizations\u2019 security posture but also their ability to meet evolving regulatory demands,\u201d James Hughes, VP of solutions engineering and enterprise CTO at data security vendor Rubrik, told CSO.<\/p>\n<p>Security leaders need executive backing and a robust security culture to ensure compliance isn\u2019t treated as a checkbox exercise but as a fundamental part of business integrity and legal responsibility.<\/p>\n<p>Jonathan Gill, CEO at Panaseer, said that because regulators are insisting on board accountability, \u201cCISOs are under greater scrutiny and pressured to provide stronger assurances on security controls than ever before.\u201d<\/p>\n<p>\u201cSome CISOs have even been forced to plaster over the cracks with personal indemnity insurance,\u201d Gill said. \u201cBut this treats the symptoms without addressing the causes. If this blame-game culture continues whilst CISOs are left powerless to provide accurate assurances, many will leave the industry.\u201d<\/p>\n<p>And with personal liability <a href=\"https:\/\/www.csoonline.com\/article\/3631759\/personal-liability-sours-70-of-cisos-on-their-role.html\">souring 70% of CISOs on their role<\/a>, among other factors, nearly one in four security leaders are <a href=\"https:\/\/www.csoonline.com\/article\/3595796\/24-of-cisos-actively-looking-to-leave-their-jobs.html\">actively looking to leave their job<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Creating a culture of compliance<\/h2>\n<p>A <a href=\"https:\/\/www.thalesgroup.com\/en\/worldwide\/security\/press_release\/2024-thales-data-threat-report-reveals-rise-ransomware-attacks\">recent study<\/a> by security vendor Thales found that the 43% of enterprises that failed a compliance audit in the previous 12 months were much more likely to suffer a security breach \u2014 a finding that shows achieving compliance can boost operational resilience.<\/p>\n<p>\u201cBeing able to say, \u2018We are compliant with XYZ\u2019, 
is a competitive advantage, particularly in industries with strict regulatory requirements,\u201d according to Bugcrowd\u2019s Held.<\/p>\n<p>Best practices for CISOs on their compliance journey include implementing a well-documented <a href=\"https:\/\/www.csoonline.com\/article\/562125\/what-is-incident-response-and-how-to-build-an-ir-plan.html\">incident response plan<\/a>, ensuring board-level <a href=\"https:\/\/www.csoonline.com\/article\/1309993\/grc-impact-and-challenges-to-cybersecurity.html\">buy-in for security governance<\/a>, and fostering a corporate culture where compliance is a shared responsibility rather than a burden.<\/p>\n<p>Regular training and <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">awareness programs<\/a> should be implemented to educate employees on compliance requirements and their role in maintaining security standards.<\/p>\n<p>Joe Hubback, CISO and partner at tech consultancy Elixirr, commented: \u201cCISOs must promote risk-aware behaviour and accountability across the organization by encouraging open communication, including the reporting of compliance concerns.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs are increasingly getting caught between business pressures and regulatory obligations, leaving them struggling to balance corporate loyalty and legal accountability. To wit: One in five (21%) security leaders have been pressured by other executives or board members not to report compliance issues at their companies, according to a recent study by security vendor Splunk. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1797,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1796","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1796"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1796"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1796\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1797"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}