The pressure to stay silent: A growing risk to cybersecurity

There’s a stat that stopped me in my tracks this week. According to a new Bitdefender survey, nearly 70% of CISOs have felt pressured to cover up a security incident. Let that sink in.

Not downplay. Not delay.
Cover up.

And it’s not theoretical pressure. It’s real. It’s increasing. And it’s becoming institutional.

This isn’t just a cybersecurity issue. It’s a culture issue. A leadership issue. And if we’re not careful, it could become a systemic failure that undermines every improvement we’ve made in modern security over the last decade.

I had a conversation with Eran Barak, our CEO at MIND, and Landen Brown, our Field CTO, we broke down what this pressure really means for security teams.

“There are so many different ways breaches can happen today... it’s almost impossible to determine how big or small a breach really was.”

He’s right. The complexity of hybrid environments, the expansion of GenAI, the fragmentation of data flows, it’s never been harder to define the boundaries of an incident. And in that ambiguity, pressure thrives.

Executives ask for “more time to validate.”
Legal suggests “it might not be material.”
PR prepares for “minimal disclosure.”

Meanwhile, the CISO sits in the middle not only managing risk but absorbing it.

Let’s be honest. The Uber case changed the conversation.
When a CISO is held personally liable, it becomes clear: this job can cost you more than your career.

Eran put it simply:

“They expect to be protected. But when they see peers held liable... they will try to minimize their risk.”

And that’s the quiet part no one wants to say out loud: when your job, your reputation and your legal safety are all on the line, the natural human instinct is to protect yourself. And in that moment, even the most ethical leaders might hesitate.

That’s not a flaw in character.
That’s a failure of culture.

When CISOs are pressured into silence, the cost isn’t just personal. It’s strategic.

• We lose the opportunity to learn
• We lose the trust of regulators
• We lose credibility with our peers, customers and users
• And most dangerously, we lose visibility into patterns that could help prevent the next breach

Transparency isn’t just about compliance. It’s about progress. It’s about building better systems, faster.

1. Organizations must de-risk transparency
   Executives can’t expect CISOs to be open while threatening them with liability or career consequences. Boards need to establish safe reporting frameworks, not just incident response plans.
2. We need to treat breach disclosure like incident medicine
   As I mentioned during our discussion, healthcare has long used “sentinel events” to proactively learn from near misses, without blame. Cybersecurity needs the same mindset. No-fault learning. Cross-functional review. Psychological safety.
3. We need tools that give clarity, not chaos
   Part of the problem is that most security teams still fly blind during an incident. As Landen pointed out, very few organizations practice real tabletop exercises or know how to quickly assess impact. This needs to change.

I hope we build a future where transparency is normalized, not punished. Where CISOs aren’t scapegoats, but strategic advisors. Where security leaders can speak plainly, backed by clear policy and strong culture. And where we see incidents not as failures, but as feedback.

Because when CISOs feel they have to choose between doing what’s right and keeping their job, we all lose.

Security isn’t just about defending systems.
It’s about defending trust.

The moment we start hiding the truth, even for understandable reasons, we risk losing the very thing we’re trying to protect. Let’s not let that happen. Let’s mind what matters.