Most CISOs Report Pressure to Bury Bad Security News
Executive leaders may not be saying it aloud, but business objectives and priorities don't always promote timely disclosures.
Arielle Waldman, Features Writer, Dark Reading
June 15, 2026
5 Min Read
Without a dedicated seat at the board, CISOs continually face pressure to downplay security findings that could be critical.
CISOs contend with increasingly advanced attacks, evolving compliance and regulation standards, and constant worry about what will happen to the company and themselves if a breach does occur. Stress, pressure, blame, and panic have become synonymous with the role.
A recent Checkmarx report, The Future of Application Security in the Era of AI, found that 95% of CISOs "feel pressured to suppress or delay compliance-related security findings." The report surveyed 2,350 developers, application security managers, and CISOs.
The 95% figure came as no surprise to Darren Meyer, research advocate for Checkmarx. As a practitioner, he has himself had to push CISOs to disclose.
"There is a lot of pressure on one hand to disclose and the other: 'Hey, maybe not yet. Don't say anything until we have a really good solution,'" Meyer tells Dark Reading.
Mounting pressure affects transparency, and in some cases, failing to disclose could have a significant impact on customers and businesses, especially if a breach leads to legal action, he adds.
The Call Is Coming From Inside the House
CISOs don't face pressure from a single source. It comes from the board, public relations (PR), and product and sales teams. Some of it comes from C-level executives concerned about timing, who warn: "Don't talk about this before an earnings call," Meyer says.
It is not always a demand that CISOs stay silent, but rather that they wait. Time to delivery is a primary contributing factor: someone asks the CISO to hold off because the company needs to ship a release, says Meyer.
It's a balancing act between wanting to serve customers and be first to market, not wanting to tip off attackers to a vulnerability, and needing to disclose and be transparent, he says.
"It's not an easy call by any stretch, and CISOs feel pressure from all directions to make the right call," Meyer says.
To Disclose or Not To Disclose
CISOs are caught in the crosshairs between wanting to minimize panic and wanting to promote transparency. The pressure is to stay silent on anything labeled bad, whether that's a vulnerability, a ransomware attack, or another risk to the company's security posture.
Disclosure decisions become even more difficult when the vulnerability "isn't so significant that anyone really has to worry," Meyer explains. Maybe the company is confident in the controls around its environment, or the risk of exploitation is low.
However, there is also a lack of awareness outside the security team, including in other parts of the C-suite, that disclosing a vulnerability doesn't necessarily lead to bad PR, says Meyer. It also demonstrates responsibility.
"A good CISO who wants to disclose has an uphill battle of convincing people of that, because: What do journalists cover? What gets the front page?" he says. "It's not: 'Company responsibly disclosed a minor vulnerability.'"
CISOs Often Lack Authority
The pressure may be real – and palpable – but it's rarely communicated directly, agrees Chainguard CISO John Sapp. Most CISOs actually experience competing business priorities and expectations to accomplish more with fewer resources, he adds.
Business leaders focus on finances and how to keep operations running smoothly. Cybersecurity leaders have the same goals in mind, but security investments are often viewed as cost, while the risks they prevent are difficult to quantify until an incident occurs, he adds.
"CISOs are hired to protect an organization's digital assets, yet they often lack the authority, influence, or resources needed to fully manage risk," Sapp tells Dark Reading. "As a result, they frequently find themselves defending security strategies and decisions while security findings are viewed as obstacles to business objectives rather than critical insights that help reduce risk and strengthen resilience."
One of the biggest contributors to this pressure, Sapp has observed, is the tendency to treat compliance as a checkbox exercise rather than as a component of operational resilience. Like other experts across the industry, he warns that cyber incidents are a matter of when, not if. Compliance needs to reflect that by supporting preparedness rather than becoming the primary objective.
"Compounding the issue is the significant room for interpretation within many regulations, along with inconsistent enforcement," Sapp says. "This can create disagreements about what constitutes compliance, how requirements apply to a business, and how security findings should be communicated and prioritized."
Can Organizations Alleviate the Pressures?
Including CISOs in more business strategy discussions alongside other C-suite leaders is a strong way to alleviate the pressure, Sapp and Meyer agree. Technology is intertwined with and essential to nearly all businesses; security affects revenue, operations, and customer trust.
"Organizations must stop treating cybersecurity as separate from business priorities," Sapp urges. "When organizations build strong security and resilience programs, compliance becomes a natural byproduct rather than the end goal."
That echoes Meyer's recommendation to build rapport, and an expectation that transparency is a positive, before something major happens. Educate the C-suite and the board on the value of routine disclosures, he adds.
"Doing that when you're not under pressure makes your life easier when something happens," Meyer says.
Being part of the C-suite helps, but it also raises concerns. A CISO with that level of influence and authority could signal that the company has security problems and affect market perception, says Meyer.
"Would a CISO being a C-level executive help with the transparency problem? Absolutely," he says. "Is it worth it? That's a harder thing to answer."
About the Author
Arielle Waldman
Features Writer, Dark Reading
Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, providing context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. Her coverage areas include identity and access management, cyber risk and operations, industrial control systems, operational technology, and ransomware trends.
She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at TechTarget SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.