
John Leyden
Senior Writer

21% of CISOs pressured to not report compliance issues

News Analysis

06 Feb 2025 | 5 mins

Topics: CSO and CISO, Compliance, Regulation

Security leaders find themselves in a bind between corporate directives and regulatory accountability, with personal liability and board security commitment on the line.


CISOs are increasingly getting caught between business pressures and regulatory obligations, leaving them struggling to balance corporate loyalty and legal accountability.

To wit: One in five (21%) security leaders have been pressured by other executives or board members not to report compliance issues at their companies, according to a recent study by security vendor Splunk.

The same study — which was based on a survey of 600 CISOs or equivalent security leaders worldwide — found that 59% of CISOs would become whistleblowers if their organization ignored compliance requirements, suggesting that many security leaders recognize the risks of inaction.

Increased regulatory scrutiny

Independent security experts quizzed by CSO said that the survey’s findings highlight the persistent cultural and organizational challenges inherent in security governance.

“The pressure on CISOs to withhold compliance issues is not just unethical; it’s a serious risk to their personal liability and their organization’s long-term resilience,” said Sam Peters, chief product officer at compliance management specialists ISMS.online.

“Under regulatory frameworks like the SEC’s disclosure rules as well as legal frameworks such as NIS2 and DORA, failure to report security incidents can result in significant legal and financial consequences, not just for CISOs but also for board members,” he added.

With increasing regulatory scrutiny and the rise of personal liability for security leaders — especially under regimes like the EU’s General Data Protection Regulation (GDPR), SEC regulations, and critical infrastructure laws — CISOs must navigate a fine line when pressured to not raise flags about corporate issues.

Matthias Held, technical program manager at Bugcrowd, and a former CISO, said that the pressure CISOs face from boards to downplay or avoid reporting compliance issues reveals deeper, systemic problems in how security is perceived at the executive level.

“The Splunk report’s findings are alarming but, unfortunately, not surprising,” Held said. “We’ve seen cases like the former Uber CISO where legal accountability was shifted onto security leadership rather than addressing the root cause — corporate decision-making that prioritizes optics over security.”

Bryan Marlatt, chief regional officer at cybersecurity consulting firm CyXcel, said that while regulators require notifications of an organization’s cybersecurity program and active incidents, boards are often more concerned about reputation management.

“They [CISOs] are increasingly directed by the organization’s senior leadership to keep quiet or to misclassify an incident to keep it below the radar of regulatory bodies, shareholders, and others,” Marlatt told CSO.

Marlatt added: “As a former CISO, I had this happen to me. Following a directive to misrepresent the organization’s risks to the Audit Committee and embellish the cybersecurity program’s capabilities on the SEC Form 10-K, I opted to leave the organization.”

Security disconnect

CISOs remain under immense pressure to comply with both existing and upcoming regulations, with the most recent being DORA, which came into effect in January 2025.

“There is a critical gap between board-level understanding and reality. While regulators are increasingly stringent, many CISOs feel their budgets don’t adequately reflect the board’s commitment to compliance. This disconnect jeopardizes not only organizations’ security posture but also their ability to meet evolving regulatory demands,” James Hughes, VP of solutions engineering and enterprise CTO at data security vendor Rubrik, told CSO.

Security leaders need executive backing and a robust security culture to ensure compliance isn’t treated as a checkbox exercise but as a fundamental part of business integrity and legal responsibility.

Jonathan Gill, CEO at Panaseer, said that because regulators are insisting on board accountability, “CISOs are under greater scrutiny and pressured to provide stronger assurances on security controls than ever before.”

“Some CISOs have even been forced to plaster over the cracks with personal indemnity insurance,” Gill said. “But this treats the symptoms without addressing the causes. If this blame-game culture continues whilst CISOs are left powerless to provide accurate assurances, many will leave the industry.”

And with personal liability souring 70% of CISOs on their role, among other factors, nearly one in four security leaders are actively looking to leave their job.

Creating a culture of compliance

A recent study by security vendor Thales found that the 43% of enterprises that failed a compliance audit in the previous 12 months were much more likely to suffer a security breach — a finding that shows achieving compliance can boost operational resilience.

“Being able to say, ‘We are compliant with XYZ’, is a competitive advantage, particularly in industries with strict regulatory requirements,” according to Bugcrowd’s Held.

Best practices for CISOs on their compliance journey include implementing a well-documented incident response plan, ensuring board-level buy-in for security governance, and fostering a corporate culture where compliance is a shared responsibility rather than a burden.

Regular training and awareness programs should be implemented to educate employees on compliance requirements and their role in maintaining security standards.

Joe Hubback, CISO and partner at tech consultancy Elixirr, commented: “CISOs must promote risk-aware behaviour and accountability across the organization by encouraging open communication, including the reporting of compliance concerns.”