CISOs Under Pressure: Delayed Security Disclosures

The Bottom Line: CISOs are facing expectations to not immediately disclose security issues, despite regulation and best practices demanding prompt transparency.

A majority of CISOs report pressure from management to delay or suppress negative security disclosures. This contradicts regulatory requirements and leads to governance conflicts.

Business leadership and corporate management exert open or tacit pressure to avoid communicating security incidents, vulnerabilities, or breaches immediately, instead preferring delayed or selective communication. Business objectives (reputation, customer confidence, stock price, contract negotiations) are weighed against the necessity of timely disclosure – a conflict with implications for governance, compliance, and liability law.

For CISOs, this creates an institutional dilemma: they bear operational responsibility for security but must withstand pressure that runs counter to direct regulatory requirements and standards (NIS2 Directive, TISAX, industry-specific reporting obligations, contractual disclosure terms). Secret or delayed disclosures increase the company’s liability risk if later revealed and compromise trust-building with stakeholders.

A structural solution requires clarity over disclosure chains, documented escalation processes, and independent audit or compliance functions that decouple disclosure decisions from business interest considerations. Boards should explicitly determine who may disclose which security events and when – and why timely transparency creates more trust in the long term than short-term reputation protection measures.


Source: www.darkreading.com · Published June 15, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.7.1.