Without a dedicated seat at the board, CISOs continually face pressure to downplay security findings that could be critical.
CISOs contend with increasingly advanced attacks, evolving compliance and regulation standards, and constant worry about what will happen to the company and themselves if a breach does occur. Stress, pressure, blame, and panic have become synonymous with the role.
A recent Checkmarx report, The Future of Application Security in the Era of AI, found 95% of CISOs “feel pressured to suppress or delay compliance-related security findings.” The report surveyed 2,350 developers, application security managers, and CISOs, and its findings are concerning.
The 95% figure came as no surprise to Darren Meyer, research advocate for Checkmarx. As a practitioner, he has himself had to push CISOs to disclose.
“There is a lot of pressure on one hand to disclose and the other: ‘Hey, maybe not yet. Don’t say anything until we have a really good solution,’” Meyer tells Dark Reading.
Mounting pressure affects transparency, and in some cases, failing to disclose could have a significant impact on customers and businesses, especially if a breach leads to legal action, he adds.
The Call Is Coming From Inside the House
CISOs don’t face pressure from one source. Instead, it comes from the board, public relations (PR), and product and sales teams. Some of it derives from C-level executives concerned about timing, who warn: “Don’t talk about this before an earnings call,” reveals Meyer.
It’s not always a demand for CISOs to stay silent, but rather to wait. Time to delivery is one primary contributing factor, with someone asking the CISO to wait because the company needs to push out production, says Meyer.
It’s a balancing act between wanting to serve customers, to be the first on the market, not wanting to tip off the bad guys to a vulnerability, but also needing to disclose and be transparent, he says.
“It’s not an easy call by any stretch, and CISOs feel pressure from all directions to make the right call,” Meyer says.
To Disclose or Not To Disclose
CISOs become caught in the crosshairs of wanting to minimize panic but also wanting to promote transparency. Pressure swirls around staying silent on something labeled bad, whether that’s a vulnerability, a ransomware attack, or another risk to the company’s security posture.
Disclosure decisions become even more difficult when the vulnerability “isn’t so significant that anyone really has to worry,” Meyer explains. Maybe the company is confident in its environmental controls, or the exploitation risk is low.
However, there is also a lack of awareness outside the security function, and in other parts of the C-suite, that disclosing a vulnerability doesn’t necessarily lead to bad PR, says Meyer. It also shows responsibility.
“A good CISO who wants to disclose has an uphill battle of convincing people of that, because: What do journalists cover? What gets the front page?” he says. “It’s not: ‘Company responsibly disclosed a minor vulnerability.’”
CISOs Often Lack Authority
The pressure may be real – and palpable – but it’s rarely communicated directly, agrees Chainguard CISO John Sapp. Most CISOs actually experience competing business priorities and expectations to accomplish more with fewer resources, he adds.
Business leaders focus on finances and how to keep operations running smoothly. Cybersecurity leaders have the same goals in mind, but security investments are often viewed as cost, while the risks they prevent are difficult to quantify until an incident occurs, he adds.
“CISOs are hired to protect an organization’s digital assets, yet they often lack the authority, influence, or resources needed to fully manage risk,” Sapp tells Dark Reading. “As a result, they frequently find themselves defending security strategies and decisions while security findings are viewed as obstacles to business objectives rather than critical insights that help reduce risk and strengthen resilience.”
One of the biggest contributors to this pressure Sapp has observed is the tendency to treat compliance as a checkbox exercise rather than as a component of operational resilience. Like other experts across the industry, he warns that cyber incidents are a matter of when, not if. Compliance needs to reflect that by supporting preparedness, rather than becoming the primary objective.
“Compounding the issue is the significant room for interpretation within many regulations, along with inconsistent enforcement,” Sapp says. “This can create disagreements about what constitutes compliance, how requirements apply to a business, and how security findings should be communicated and prioritized.”
Can Organizations Alleviate the Pressures?
Including CISOs in more business strategy discussions alongside other C-suite leaders is a strong way to alleviate the pressures, agree Sapp and Meyer. Technology is intertwined with and essential to nearly all businesses; security will affect revenue, operations, and customer trust.
“Organizations must stop treating cybersecurity as separate from business priorities,” Sapp urges. “When organizations build strong security and resilience programs, compliance becomes a natural byproduct rather than the end goal.”
That echoes Meyer’s recommendation to build rapport and the expectation that transparency has a positive impact, before something major happens. Educate the C-suite and the board on the value of routine disclosures, he adds.
“Doing that when you’re not under pressure makes your life easier when something happens,” Meyer says.
Being a part of the C-suite helps, but it also raises concerns. A CISO with that level of influence and authority could signal the company has security problems and affect market perception, says Meyer.
“Would a CISO being a C-level executive help with the transparency problem? Absolutely,” he says. “Is it worth it? That’s a harder thing to answer.”