
Over the years, chief information security officers (CISOs) have faced increasing scrutiny as data breaches and other incidents have increasingly affected business performance. In many cases, cyber executives are under pressure to keep incidents quiet, despite a growing body of government regulations and compliance standards that now require greater transparency and disclosure.
A survey released by cybersecurity firm Bitdefender illustrates the pressure cyber leaders face. The report, based on 1,200 responses, found that 69 percent of C-level executives, including CISOs and CIOs, reported being told to stay silent about a breach. Mid-level security managers are encountering the same issue, with 46 percent reporting that they have faced similar orders.
One of the primary factors driving CISOs and other security leaders to stay silent about breaches and attacks is the increasing number of regulations that companies now face.
“In an era of increased regulation and sharper scrutiny, organizations face significant financial, regulatory, and reputational risks if a breach reveals noncompliance,” Nicholas Jackson, Bitdefender’s director of cyber security services, noted in the report. He added that regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) can result in heavier fines when disclosures are delayed or covered up.
In addition, some security leaders – notably the former CISO of Uber – have faced criminal charges when security incidents were not promptly reported to authorities.
The fact that CISOs are facing pressure from their organizations while government agencies and lawmakers are growing more concerned about security incidents is a significant factor in cybersecurity today, said Casey Ellis, founder of Bugcrowd.
“The pressure on CISOs and security teams to conceal breaches is a symptom of a deeper issue: the misalignment between cybersecurity, business priorities and regulatory accountability,” Ellis recently told Dice. “The numbers in Bitdefender’s survey are alarming but not surprising. They reflect a growing tension where security leaders are caught between doing what’s right for transparency and protecting their careers in environments that prioritize optics over ethics. This is a dangerous game, and it’s one that ultimately erodes trust, not just between companies and their customers but within the security profession itself.”
Ellis and other cybersecurity experts point out that the Bitdefender survey and similar studies demonstrate how important compliance and regulatory expertise are for security teams, and how cybersecurity professionals need these skills to compete, especially as government watchdog agencies increase their scrutiny and enterprises respond.
“The demand for professionals with legal, compliance, and regulatory expertise is absolutely fueled by this trend. As cybersecurity becomes more ingrained in corporate governance, the ability to navigate these areas is no longer a ‘nice-to-have’ – it’s essential,” Ellis added. “CISOs and aspiring security leaders need to understand the regulatory landscape, not just to avoid penalties, but to advocate for ethical decision-making when breaches occur. A strong compliance background equips them to push back against pressure to conceal incidents and to frame transparency as a business advantage rather than a liability.”
A Growing Need for Compliance, Regulatory Knowledge
A report published earlier this year by CyberSN, a security and IT workforce management platform provider, showed that cybersecurity job listings are increasingly focused on professionals with skill sets that can address compliance and regulatory issues.
For example, the data found that one job title that showed a more than 40 percent increase in listings between 2023 and 2024 was cybersecurity/privacy attorney.
If organizations are making concealment decisions at the executive level, they need security leaders who can navigate the legal and regulatory minefield as well as the technical one. This means that a background in compliance or law is now a fundamental skill that either CISOs need themselves or must develop within their teams, said Chad Cragle, CISO at security firm Deepwatch.
For cybersecurity professionals, possessing these skills can help with career advancement and create opportunities beyond technical know-how.
“For professionals advancing in their careers, knowledge of compliance and regulations serves as a valuable career booster. When a breach occurs, technical skills help identify and contain the issue, but compliance skills determine how you communicate, report and reduce liability,” Cragle told Dice. “Even if a CISO is pressured to remain silent, being able to cite regulatory requirements gives them leverage to insist on doing the right thing. It changes ‘I think we should report this’ into ‘We are required to report this, here’s why.’”
Organizations that lack cybersecurity professionals with a strong understanding of compliance and regulatory requirements face significant risks. Without this expertise, they are more likely to incur regulatory penalties, legal consequences and reputational damage resulting from non-compliance, said Louis Eichenbaum, federal CTO at ColorTokens.
Depending on the industry, cybersecurity teams need expertise with frameworks that include GDPR, Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA) and Cybersecurity Maturity Model Certification (CMMC).
“These gaps can also lead to failed audits, loss of certifications and disqualification from critical contracts. Beyond financial and legal exposure, organizations may suffer operational disruptions if incident response processes fail to meet mandated requirements,” Eichenbaum told Dice. “Perhaps most concerning, the absence of regulatory awareness can create strategic blind spots, where security controls are implemented without consideration of legal obligations, leaving the organization exposed to risks leadership did not anticipate.”
In Eichenbaum’s view, CISOs can help by building security teams with professionals who are trained in relevant frameworks, as well as pairing compliance experts with technical staff, and fostering collaboration between cybersecurity, legal and governance functions.
“CISOs should also prioritize continuous education to keep pace with evolving regulations and reinforce the message that compliance is not just about avoiding fines. It is fundamental to business continuity, customer trust and organizational resilience,” Eichenbaum added.
How is AI Changing Compliance?
Looking beyond the current survey data, artificial intelligence (AI) is also expected to alter how CISOs and cybersecurity professionals respond to compliance issues, as well as to the new regulations that lawmakers are starting to develop.
In their current state, large language models (LLMs) can accelerate detection and response, but they also introduce new risks, such as data leaks, bias, explainability issues and increased regulatory oversight, Deepwatch’s Cragle noted. AI-driven security processes will eventually be judged not only on performance but also on how well these technologies align with governance and regulations.
“If organizations don’t embed compliance and governance into their security DNA, they risk regulatory fines, lawsuits and brand damage – costs that may exceed those of the initial breach,” Cragle added. “Worse, they may foster a culture where hiding incidents becomes normal. CISOs should integrate compliance expertise into their teams, either by cross-training technical staff or collaborating closely with legal and compliance departments. The message must be clear: compliance isn’t a separate track; it’s part of security.”
Bugcrowd’s Ellis also noted that AI is amplifying the need for cybersecurity professionals who understand how the technology works and how these platforms are changing regulations and compliance standards.
“With AI-driven tools increasingly used for threat detection, incident response, and even compliance monitoring, the complexity of governance and regulatory oversight grows. Security professionals who can bridge the gap between technical expertise and regulatory requirements will be indispensable,” Ellis said.