A Checkmarx report out this month says 95% of CISOs feel pressure to suppress or delay compliance-related security findings. Pressure from the board. From PR. From product and sales.
The industry response, predictably, is: CISOs need to stand their ground.
They’re missing the point.
95% is not a character flaw
When nineteen out of twenty people in a role do the same thing, the explanation is not that they all lack backbone. It’s that the environment produces the behavior. CISOs who surface bad news get fired. CISOs who manage information carefully get renewed. The data is overwhelming, and so is the incentive.
I’ve been in those rooms. The ones where you bring a real finding to the executive team and the next question is “how do we frame this” instead of “what do we do about it.” You learn fast what the organization actually rewards. Not what the mission statement says. What the behavior in the room rewards.
The job description has three objectives that don’t always agree
Every CISO was hired to do some version of three things: keep the company secure, keep it compliant, and keep it out of the news.
Those objectives are frequently in conflict.
Keeping the company secure means finding problems and acting on them. Keeping it out of the news often means not finding them, or finding them and deciding the risk is manageable without escalating. The CISO who chooses the second path isn’t being dishonest about security. She’s being honest about what happens to people who choose the first path consistently and loudly.
The actual incentive structure
Boards say they want transparency. What they usually mean is they want confidence. Not the same thing.
When a CISO surfaces a material finding, there are three possible responses: resources to fix it (rare), a question about whether the finding is really that serious (common), or a quiet conversation about fit. And anyone who’s been in this role long enough has watched that last one happen to someone they know.
When a CISO surfaces something, it becomes a problem they now own. When they manage it internally and there’s no incident, nobody mentions it. The risk of transparency is real and immediate. The risk of suppression is theoretical, and spread across more people.
That’s not cowardice. That’s math.
The fix is not “CISOs should be braver”
The organizations that break this pattern do something specific. They hold the audit committee and board accountable for what the CISO does with risk information.
If the board only hears good news, that’s a governance failure. An audit committee that never asks “what aren’t you telling us” isn’t doing its job. And when the executive team treats a finding as a PR problem, the CISO learns to treat it that way too.
Ask any long-term CISO what makes it possible to surface hard findings without losing the room. The answer is almost always the same: a sponsor at the executive or board level who has made it clear that transparency is a practiced value, not just a stated one. Without that, you’re asking someone to repeatedly take career risk for an organization that hasn’t made it safe to do so.
The question to ask your CISO
The useful question isn’t “are you telling us everything.” It’s: “What would make it harder to tell us something? What have you seen in this organization that might make someone manage information carefully?”
If your CISO has good answers to that, your governance is probably working. If the question makes the room uncomfortable, that discomfort is information.
Ninety-five percent of organizations are producing a predictable behavior. The behavior is rational given the structure. You don’t fix it by asking CISOs to be more willing to risk their jobs. You fix it by building an organization where surfacing risk doesn’t cost them one.
That conversation starts before you hire the CISO. It starts with the board deciding whether they actually want to know what’s wrong.
If you’re building a security function where the CISO can do the job they were hired to do, book a call.