‘Intense pressure’ to keep quiet about security incidents: CSO spoke to two other former CISOs who reported pressures to stay silent about suspected security incidents. Both CISOs requested to remain anonymous due to end-of-contract confidentiality agreements made with previous employers.

“While working inside a Fortune Global 500 company in Europe, I witnessed this multiple times,” one of the former CISOs explained. “The pressure was especially intense before shareholder meetings or quarterly financial reports.”

The same source said: “Every incident had to be routed through the CIO first, who brought it up to his leadership team or the board, mostly the CFO [chief financial officer], regardless of urgency or regulatory timelines.”

“The justification was always the same: ‘This isn’t necessarily a cybersecurity incident.’ Final disclosure decisions were consistently made without the CISO’s involvement,” the source reported.

The former CISO offered anonymized examples they had personally encountered:
Automotive development data theft: Around 500GB of sensitive engineering and personal data was stolen by an insider and later sold on the dark web. Root cause: identity and access management (IAM) misconfiguration. Not disclosed, because it was “just stolen data, not a hack.”

Abuse of super admin rights by a security leader: A senior security employee abused admin access to intimidate subordinates and to get into the accounts of board members and other high-profile company figures. The security operations center detected it. Labeled a “misconfiguration,” not a cyberattack.

Financial subdivision hack abroad: Hackers rerouted around Euro50 million in SAP supplier payments via a third-party breach and missing multi-factor authentication. Not disclosed, as it didn’t “fall under local EU laws.”

Stolen administrator credentials: CrowdStrike flagged a still-active super admin account. Logs were missing. Red/blue teams recommended an IAM reset. Ignored, because “no direct harm was detected.”

CISO bribery scandal: A Big Five provider bribed the global group CISO and two direct reports with vacations and other expensive perks to secure worldwide contracts. Evidence was ignored. The CISO was quietly replaced with a golden handshake, and the team was told not to discuss it.

A second former CISO told us of an incident in which his employer was notified of a suspected data breach involving private information, emails and names rather than credit card details.

After determining that the source of the problem was not their organization but the software developer of a third-party website, the CISO was told not to report the issue, even though customer data was involved, because it was “not their problem” and the business wanted to preserve its business relationship with the third-party website.
Caught in a trap: These situations highlight the impossible position in which CISOs are often placed: legally accountable for security but pressured to ignore standards when disclosure conflicts with corporate interests.

“The business does not really understand what this means for people who really care about this,” the first source told CSO, adding that, faced with a difficult position, they complied with requests to keep quiet.

“There is no genuine whistleblower protection, financial or reputational, for a CISO or any other security person who comes forward,” the source said. Speaking out will end a career.

“In my case, I’m sure I was flagged,” the source explained. “In a performance review, I was told that if I wanted to rise to the top, I needed to comply more with ‘the company’ and less with ‘my standards and my team.’ That conversation was one of the key reasons I ultimately left.”

CyXcel’s Marlatt added that business executives commonly try to hide that an incident ever occurred, even though it is likely to have an impact on their customers or business partners.

“As a consultant, I’ve heard of many CISOs being asked not to share details of an incident, or not to share that an incident had occurred,” Marlatt said. “With the increase in ransomware events and the need to bring in external parties for digital forensics and incident response or to submit insurance claims, it’s becoming much more difficult to hide these impactful incidents.”
Silence isn’t golden: Caroline Morgan, partner at CM Law, acknowledged that “internal company pressure to stay silent is real,” while warning that regulators not only expect but require disclosure of security incidents.

“Legally, by staying silent a business is likely only aggravating its problems, not escaping them,” Morgan said. “The price to pay can be devastating because now it is not just the breach, it is also the cover-up.”

“Regulators can use silence to show a pattern of noncompliance to impose significant penalties,” Morgan warned. “Brand damage, loss of customer trust, and worse, lawsuits, can also be part of the fallout.”

Morgan continued: “If a chief information security officer or the like attempts the cover-up and is discovered, it is often a career ender and an invitation to be personally sued, fined by regulators, or worse, criminal charges.”

This is far from a theoretical risk. Former Uber Chief Security Officer Joe Sullivan was found guilty of covering up a 2016 security breach and sentenced to probation.
Incident response: Timely reporting is the foundation of data protection laws.

“Companies can greatly reduce their exposure by acknowledging that internal pressure to not report is a threat and by putting solutions in place to minimize it before a breach occurs,” Morgan advised.

“Companies can minimize internal pressure by ensuring they have a robust incident response plan whose framework promotes transparency, including training on ethical handling of incidents and decision-making authority that is walled off from commercial roles,” she said.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4050232/pressure-on-cisos-to-stay-silent-about-security-incidents-growing.html