
Most CISOs Report Pressure to Bury Bad Security News

Dark Reading, archived Jun 15, 2026

Executive leaders may not be saying it aloud, but business objectives and priorities don't always promote timely disclosures.

Arielle Waldman, Features Writer, Dark Reading
June 15, 2026

Without a dedicated seat at the board, CISOs continually face pressure to downplay security findings that could be critical.

CISOs contend with increasingly advanced attacks, evolving compliance and regulation standards, and constant worry about what will happen to the company and themselves if a breach does occur. Stress, pressure, blame, and panic have become synonymous with the role.

A recent Checkmarx report, The Future of Application Security in the Era of AI, found 95% of CISOs "feel pressured to suppress or delay compliance-related security findings." The report surveyed 2,350 developers, application security managers, and CISOs, and found concerning news.

The 95% figure came as no surprise to Darren Meyer, research advocate for Checkmarx. As a practitioner, he has been in the position of having to push CISOs to disclose.

"There is a lot of pressure on one hand to disclose and the other: 'Hey, maybe not yet. Don't say anything until we have a really good solution,'" Meyer tells Dark Reading.

Mounting pressure affects transparency, and in some cases, failing to disclose could have a significant impact on customers and businesses, especially if a breach leads to legal action, he adds.

The Call Is Coming From Inside the House

CISOs don't face pressure from one source. Instead, it comes from the board, public relations (PR), and product and sales teams. Some of it derives from C-level executives concerned about timing, who warn: "Don't talk about this before an earnings call," reveals Meyer.

It's not always a demand for CISOs to stay silent, but rather to wait. Time to delivery is one primary contributing factor, with someone asking the CISO to wait because the company needs to push out production, says Meyer.

It's a balancing act between wanting to serve customers, to be the first on the market, not wanting to tip off the bad guys to a vulnerability, but also needing to disclose and be transparent, he says.

"It's not an easy call by any stretch, and CISOs feel pressure from all directions to make the right call," Meyer says.

To Disclose or Not To Disclose

CISOs become caught in the crosshairs of wanting to minimize panic but also wanting to promote transparency. Pressure swirls around staying silent on something labeled bad, whether that's a vulnerability, a ransomware attack, or another risk to the company's security posture.

Disclosure decisions become even more difficult when the vulnerability "isn't so significant that anyone really has to worry," Meyer explains. Maybe the company is confident in its environmental controls, or the exploitation risk is low.

However, there is also a lack of awareness outside of the security suite and in other parts of the C-suite that disclosing a vulnerability doesn't necessarily lead to bad PR, says Meyer. It also shows responsibility.

"A good CISO who wants to disclose has an uphill battle of convincing people of that, because: What do journalists cover? What gets the front page?" he asks. "It's not: 'Company responsibly disclosed a minor vulnerability.'"

CISOs Often Lack Authority

The pressure may be real – and palpable – but it's rarely communicated directly, agrees Chainguard CISO John Sapp. Most CISOs actually experience competing business priorities and expectations to accomplish more with fewer resources, he adds.

Business leaders focus on finances and how to keep operations running smoothly. Cybersecurity leaders have the same goals in mind, but security investments are often viewed as a cost, while the risks they prevent are difficult to quantify until an incident occurs, he adds.

"CISOs are hired to protect an organization's digital assets, yet they often lack the authority, influence, or resources needed to fully manage risk," Sapp tells Dark Reading. "As a result, they frequently find themselves defending security strategies and decisions while security findings are viewed as obstacles to business objectives rather than critical insights that help reduce risk and strengthen resilience."

One of the biggest contributors to this pressure Sapp has observed is the tendency to treat compliance as a checkbox exercise rather than as a component of operational resilience. Like other experts across the industry, he warns that cyber incidents are a matter of when, not if. Compliance needs to reflect that by supporting preparedness, rather than becoming the primary objective.

"Compounding the issue is the significant room for interpretation within many regulations, along with inconsistent enforcement," Sapp says. "This can create disagreements about what constitutes compliance, how requirements apply to a business, and how security findings should be communicated and prioritized."

Can Organizations Alleviate the Pressures?

Including CISOs in more business strategy discussions alongside other C-suite leaders is a strong way to alleviate the pressures, agree Sapp and Meyer. Technology is intertwined and essential for nearly all businesses; security will affect revenue, operations, and customer trust.

"Organizations must stop treating cybersecurity as separate from business priorities," Sapp urges. "When organizations build strong security and resilience programs, compliance becomes a natural byproduct rather than the end goal."

That echoes Meyer's recommendation to build rapport and the expectation that transparency has a positive impact, before something major happens. Educate the C-suite and the board on the value of routine disclosures, he adds.

"Doing that when you're not under pressure makes your life easier when something happens," Meyer says.

Being a part of the C-suite helps, but it also raises concerns. A CISO with that level of influence and authority could signal the company has security problems and affect market perception, says Meyer.

"Would a CISO being a C-level executive help with the transparency problem? Absolutely," he says. "Is it worth it? That's a harder thing to answer."

About the Author

Arielle Waldman, Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, providing context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends.

She previously lived in Florida, where she wrote for the Tampa Bay Times, before returning to Boston, where her cybersecurity career took off at TechTarget SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.