Bryan Marlatt, chief regional officer at cybersecurity consulting firm CyXcel, said that while regulators require notifications of an organization’s cybersecurity program and active incidents, boards are often more concerned about reputation management.
“They [CISOs] are increasingly directed by the organization’s senior leadership to keep quiet or to misclassify an incident to keep it below the radar of regulatory bodies, shareholders, and others,” Marlatt told CSO.
Marlatt added: “As a former CISO, I had this happen to me. Following a directive to misrepresent the organization’s risks to the Audit Committee and embellish the cybersecurity program’s capabilities on the SEC Form 10-K, I opted to leave the organization.”