Bryan Marlatt, chief regional officer at cybersecurity consulting firm CyXcel, said that while regulators require disclosure of an organization’s cybersecurity program and of active incidents, boards are often more concerned with reputation management.
“They [CISOs] are increasingly directed by the organization’s senior leadership to keep quiet or to misclassify an incident to keep it below the radar of regulatory bodies, shareholders, and others,” Marlatt told CSO.
Marlatt added: “As a former CISO, I had this happen to me. Following a directive to misrepresent the organization’s risks to the Audit Committee and embellish the cybersecurity program’s capabilities on the SEC Form 10-K, I opted to leave the organization.”