{"id":4658,"date":"2025-09-04T07:00:00","date_gmt":"2025-09-04T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4658"},"modified":"2025-09-04T07:00:00","modified_gmt":"2025-09-04T07:00:00","slug":"pressure-on-cisos-to-stay-silent-about-security-incidents-growing","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4658","title":{"rendered":"Pressure on CISOs to stay silent about security incidents growing"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs are coming under increased pressures to keep quiet about security incidents because concerns about corporate reputation often outweigh adherence to regulatory compliance.<\/p>\n<p><a href=\"https:\/\/businessinsights.bitdefender.com\/research-growing-pressure-hide-cyberattacks\">More than two-thirds (69%) of CISOs have been told to keep breaches confidential,<\/a> according to a recent survey by Bitdefender. These numbers are significantly up from the 42% recorded in an equivalent study two years ago.<\/p>\n<p>Martin Zugec, technical solutions director at Bitdefender, told CSO that shifts in how cybercriminals operate could be having a direct influence on why some breaches are kept quiet.<\/p>\n<p>\u201cTraditional ransomware attacks that encrypted data and forced public disclosure are declining,\u201d said Zugec. \u201cInstead, attackers increasingly focus on\u00a0data theft\u00a0without disruption, making breaches less visible to customers or the public.\u201d<\/p>\n<p>Even when encryption is used, it\u2019s often confined to back-end infrastructure. 
For example, a <a href=\"https:\/\/www.bitdefender.com\/en-us\/blog\/businessinsights\/redcurl-qwcrypt-ransomware-technical-deep-dive\">recent attack by the RedCurl group specifically targeted hypervisors<\/a> while avoiding systems that would impact end users.<\/p>\n<p>\u201cThis approach minimizes public fallout and enables private negotiations, adding to the pressure CISOs face around disclosure,\u201d Zugec said.<\/p>\n<h2 class=\"wp-block-heading\">Regulatory pressure<\/h2>\n<p>Regulatory pressures on CSOs come from various sources, including data protection rules such as the <a href=\"https:\/\/www.csoonline.com\/article\/562107\/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html\">EU\u2019s General Data Protection Regulation (GDPR)<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/3609804\/what-cisos-need-to-know-about-the-secs-breach-disclosure-rules.html\">financial market regulations<\/a> that require timely disclosure of cyber incidents. Other regulations such as the Cyber Security and Resilience Act, <a href=\"https:\/\/www.csoonline.com\/article\/570091\/eus-dora-regulation-explained-new-risk-management-requirements-for-financial-firms.html\">DORA<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/3568787\/eus-nis2-directive-for-cybersecurity-resilience-enters-full-enforcement.html\">NIS2<\/a> are increasing regulatory scrutiny.<\/p>\n<p>CISOs are under pressure to downplay or avoid reporting compliance issues despite the <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">risk of personal liability<\/a> security leaders face in cases where they fail to report security incidents.<\/p>\n<p>Bryan Marlatt, chief regional officer at cybersecurity consulting firm CyXcel, and a former CISO, told CSO that he left a previous employer after he was asked to downplay a security incident.<\/p>\n<p>\u201cWith a recent employer, I was asked by the CIO to not 
share risks with the Audit Committee and [to] over-embellish the security capabilities on the SEC Form 10K,\u201d Marlatt told CSO. \u201cThis came after being told not to share the details of a business email compromise that had recently occurred.\u201d<\/p>\n<p>Marlatt added: \u201cThe CIO had one year left before retiring and didn\u2019t want to \u2018rock the boat\u2019 as they claimed.\u201d<\/p>\n<p>\u201cIntegrity means more to me than any amount of money, so when I was asked not to share details of a compromise and embellish security capabilities at my former employer, I left,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\">\u2018Intense pressure\u2019 to keep quiet about security incidents<\/h2>\n<p>CSO spoke to two other former CISOs who reported pressures to stay silent about suspected security incidents. Both CISOs requested to remain anonymous due to end-of-contract confidentiality agreements made with previous employers.<\/p>\n<p>\u201cWhile working inside a Fortune Global 500 company in Europe, I witnessed this multiple times,\u201d one of the former CISOs explained. \u201cThe pressure was especially intense before shareholder meetings or quarterly financial reports.\u201d<\/p>\n<p>The same source said: \u201cEvery incident had to be routed through the CIO first, who brought it up to his leadership team or the board \u2014 mostly the CFO [chief financial officer] \u2014 regardless of urgency or regulatory timelines.\u201d<\/p>\n<p>\u201cThe justification was always the same: \u2018This isn\u2019t necessarily a cybersecurity incident.\u2019 Final disclosure decisions were consistently made without the CISO\u2019s involvement,\u201d the source reported.<\/p>\n<p>The former CISO offered anonymized examples they had personally encountered:<\/p>\n<p><strong>Automotive development data theft:<\/strong> Around 500GB of sensitive engineering and personal data was stolen by an insider and later sold on the dark web. 
Root cause: Identity and access management (IAM) misconfiguration. Not disclosed, because it was \u201cjust stolen data, not a hack.\u201d<\/p>\n<p><strong>Abuse of super admin rights by a security leader:<\/strong> A senior security employee abused admin access to intimidate subordinates and to gain access to the accounts of board members and other high-profile company figures. The security operations center detected it. Labeled a \u201cmisconfiguration,\u201d not a cyberattack.<\/p>\n<p><strong>Financial subdivision hack abroad:<\/strong> Hackers rerouted around \u20ac50 million in SAP supplier payments via a third-party breach and missing multi-factor authentication. Not disclosed, as it didn\u2019t \u201cfall under local EU laws.\u201d<\/p>\n<p><strong>Stolen administrator credentials:<\/strong> CrowdStrike flagged a still-active super admin account. Logs were missing. Red\/blue teams recommended IAM reset. Ignored, because \u201cno direct harm was detected.\u201d<\/p>\n<p><strong>CISO bribery scandal:<\/strong> A Big Five provider bribed the global group CISO and two direct reports with vacations and other expensive perks to secure worldwide contracts. Evidence was ignored. 
The CISO was quietly replaced with a golden handshake, and the team was told not to discuss it.<\/p>\n<p>A second former CISO told us of an incident in which his employer was notified of a suspected data breach involving private information \u2014 emails and names rather than credit card details.<\/p>\n<p>After determining that the source of the problem was not their organization but the software developer of a third-party website, the CISO was told not to report the issue even though customer data was involved because it was \u201cnot their problem\u201d and the business wanted to preserve its business relationship with the third-party website.<\/p>\n<h2 class=\"wp-block-heading\">Caught in a trap<\/h2>\n<p>These situations highlight the impossible position in which CISOs are often placed: legally accountable for security but pressured to ignore standards when disclosure conflicts with corporate interests. \u201cThe business does not really understand what this means for people who really care about this,\u201d the first source told CSO, adding that, faced with a difficult position, they complied with requests to keep quiet.<\/p>\n<p>\u201cThere is no genuine whistleblower protection, financial or reputational, for a CISO or any other security person who comes forward,\u201d the source said.<\/p>\n<p>Speaking out will end a career.<\/p>\n<p>\u201cIn my case, I\u2019m sure I was flagged,\u201d the source explained. 
\u201cIn a performance review, I was told that if I wanted to rise to the top, I needed to comply more with \u2018the company\u2019 and less with \u2018my standards and my team.\u2019 That conversation was one of the key reasons I ultimately left.\u201d<\/p>\n<p>CyXcel\u2019s Marlatt added that business executives commonly try to hide that an incident ever occurred, even though it is likely to have an impact on their customers or business partners.<\/p>\n<p>\u201cAs a consultant, I\u2019ve heard of many CISOs being asked not to share details of an incident, or not to share that an incident had occurred,\u201d Marlatt said. \u201cWith the increase in ransomware events and the need to bring in external parties for digital forensics and incident response or to submit insurance claims, it\u2019s becoming much more difficult to hide these impactful incidents.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Silence isn\u2019t golden<\/h2>\n<p>Caroline Morgan, partner at CM Law, acknowledged that \u201cinternal company pressure to stay silent is real,\u201d while warning that regulators not only expect but require disclosure of security incidents.<\/p>\n<p>\u201cLegally, by staying silent a business is likely only aggravating its problems, not escaping them,\u201d Morgan said. \u201cThe price to pay can be devastating because now it is not just the breach; it is also the cover-up.\u201d<\/p>\n<p>\u201cRegulators can use silence to show a pattern of noncompliance to impose significant penalties,\u201d Morgan warned. \u201cBrand damage, loss of customer trust, and worse, lawsuits, can also be part of the fallout.\u201d<\/p>\n<p>Morgan continued: \u201cIf a chief information security officer or the like attempts the cover-up and is discovered, it is often a career ender and an invitation to be personally sued, fined by regulators, or worse, criminal charges.\u201d<\/p>\n<p>This is far from a theoretical risk. 
Former <a href=\"https:\/\/www.csoonline.com\/article\/573871\/guilty-verdict-in-the-uber-breach-case-makes-personal-liability-real-for-cisos.html\">Uber Chief Security Officer Joe Sullivan<\/a> was found guilty of covering up a 2016 security breach and sentenced to probation.<\/p>\n<h2 class=\"wp-block-heading\">Incident response<\/h2>\n<p>Timely reporting is the foundation of data protection laws.<\/p>\n<p>\u201cCompanies can greatly reduce their exposure by acknowledging that internal pressure to not report is a threat and by putting solutions in place to minimize it before a breach occurs,\u201d Morgan advised.<\/p>\n<p>\u201cCompanies can minimize internal pressure by ensuring they have a robust incident response plan whose framework promotes transparency, including training on ethical handling of incidents and decision-making authority that is walled off from commercial roles,\u201d she said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs are coming under increased pressures to keep quiet about security incidents because concerns about corporate reputation often outweigh adherence to regulatory compliance. More than two-thirds (69%) of CISOs have been told to keep breaches confidential, according to a recent survey by Bitdefender. 
These numbers are significantly up from the 42% recorded in an equivalent [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4659,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4658","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4658"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4658"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4658\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4659"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}