Increased expectations for CISOs to remain tight-lipped about security breaches or vulnerabilities
In the world of cybersecurity, Chief Information Security Officers (CISOs) find themselves under immense pressure to keep breaches under wraps, often at the cost of their careers and at the risk of personal liability.
A recent survey by Bitdefender revealed that over two-thirds (69%) of CISOs have been instructed to maintain silence about security breaches, a significant increase from the 42% recorded two years ago. This alarming trend suggests a growing culture of secrecy within organisations, potentially putting sensitive data at risk.
The pressure to stay silent is particularly intense before shareholder meetings or quarterly financial reports. One former CISO shared that this was a time when the pressure to downplay or avoid reporting compliance issues was at its peak.
The consequences of speaking out can be severe. There is no genuine whistleblower protection for a CISO or any other security personnel who come forward. Speaking out will end a career. This was evident in the case of former Uber Chief Security Officer Joe Sullivan, who was found guilty of covering up a 2016 security breach and sentenced to probation.
Hackers have also exploited this culture of silence. In a shocking incident, they rerouted around €50 million in SAP supplier payments via a third-party breach and missing multi-factor authentication. The incident was not disclosed because it "didn't fall under local EU laws."
Attackers are increasingly focusing on data theft without disruption, making breaches less visible to customers or the public. In one instance, around 500GB of sensitive engineering and personal data was stolen by an insider and later sold on the dark web. The incident was not disclosed because it was considered "just stolen data, not a hack."
Even when encryption is used, it is often confined to back-end infrastructure, leaving end users vulnerable. Traditional ransomware attacks, which encrypted data and thereby forced public disclosure, are declining, according to Bitdefender's Martin Zugec. Instead, attackers are opting for stealthier methods to avoid detection.
The pressure to ignore standards when disclosure conflicts with corporate interests is a concern for those who care about security. A Big Five provider was even reported to have bribed the global group CISO and two direct reports with vacations and other expensive perks to secure worldwide contracts. Evidence was ignored, and the CISO was quietly replaced with a golden handshake, with the team being told not to discuss it.
Regulatory pressures on CISOs come from various sources, including data protection rules such as the EU's General Data Protection Regulation (GDPR) and financial market regulations. Timely reporting is the foundation of data protection laws, and companies can minimise internal pressure by ensuring they have a robust incident response plan that promotes transparency and separates decision-making authority from commercial roles.
Martin Zugec, technical solutions director at Bitdefender, stated that shifts in how cybercriminals operate could be a factor in why some breaches are kept quiet. However, the onus is on organisations to prioritise transparency and protect their customers and employees from potential data breaches.
As the cyber threat landscape evolves, it is crucial for CISOs to stand firm in their commitment to upholding security standards and reporting incidents promptly. The culture of silence must be broken to ensure the safety and security of all.