July 12, 2019 By Sue Poremba 4 min read

If you saw a coworker browsing through a database they weren’t supposed to have access to, would you report it? What would you do if you accidentally clicked on a link in a phishing email?

Most people would say they’d do the right thing and let the IT or security team know. But saying you’d do the right thing is very different from actually following through. A recent study from ISACA showed that employees are underreporting security incidents, even when reporting is required. In addition, security professionals don’t always trust their team’s ability to detect and respond to cyberthreats.

Combined, these two issues make organizations even more susceptible to data breaches and compliance violations.

Will I Lose My Job If I Report a Security Incident?

Upper management might be unwittingly hindering the reporting of security incidents. According to Nominet, a third of CEOs said they would fire a chief information security officer (CISO) if they believed that person was responsible for not spotting a data breach.

Because few people in any given organization are cybersecurity experts, security incidents are widely misunderstood. Not every cyber incident is a data breach: an employee who clicks a link in a phishing email has caused an incident, but it only becomes a breach if data is actually exposed. Yet “breach” is used as a catch-all term for anything that happens. Perhaps the lack of proper language could put someone unnecessarily at risk for reprimand (or worse), so they decide not to report? Or maybe they are so worried a simple mistake like following the directions in a spear phishing email could result in termination that they’ll let the company deal with any repercussions instead?

I know people who are so concerned a phishing email could cost them their job that they won’t even report the email, whether or not they clicked on a link. Creating this level of fear in employees doesn’t help anyone. In fact, it hurts the entire security posture of the organization.

Who’s In Charge of Security?

Employees don’t underreport just because they want to keep their jobs; they underreport because they may not know reporting procedures or even who is responsible for cybersecurity issues. If there is a CISO, sure, that helps clarify things, but not every organization has a defined CISO role, and organizations may have a structured reporting system where management closer to the employee is notified first. But does that manager know what to do when confronted with security incidents?

“Governance dictates confidence level in cybersecurity,” Frank Downs, director of ISACA’s cybersecurity practices, said in a formal statement. “When the cybersecurity team reports directly to a designated and experienced cybersecurity executive, cybersecurity teams report having significantly more confidence in their team’s capability to detect attacks and respond effectively.”

But even among executives, there is a lack of clarity about who is in charge of cybersecurity. Again, it isn’t always the CISO. In many cases, the CEO takes ultimate responsibility for any security incidents. In situations of serious data breaches that require public relations mediation, it is often the CEO who becomes the face of the breach and is responsible for the company’s failure to protect consumer data. The problem here, however, is that most CEOs aren’t familiar enough with cybersecurity to be responsible for incident reporting or mitigation. If a CEO is the top of the line of the security reporting structure, does that executive know what to do with the information?

Again, the lack of a true reporting policy, or an inexperienced executive making crucial decisions, ends up hurting the organization’s security posture. In this case, if there is a data breach, it could be the CEO who loses their job.

How the CISO Can Right the Security Ship

There is clearly a huge disconnect between employees at all levels and the responsibility for reporting and mitigating security incidents. Closing that gap requires the CISO to step up and take charge.

According to ISACA, employees feel most confident about the security team when the CISO is a strong, clearly defined leader. It may come down to working with the organization’s board of directors to create that line of leadership and designate a direct reporting ladder, with the CISO being the top rung, answering directly and only to the board on security issues.

The CISO should also provide a well-defined, readily available security policy that includes security incident reporting and information on penalties for violations. An employee shouldn’t have to worry about their job security if they report an incident, but at the same time, there should be defined penalties if the employee knowingly doesn’t report an incident when reporting is required by compliance regulations.

This policy should define the security reporting line, which should be someone within the security team and not the business management structure; what situations must be reported by law or company policy (and what could happen legally if that’s not followed); what situations management highly recommends be reported; and whether this can be done anonymously. Punishments for not reporting or for being responsible for a security incident should also be spelled out.

Finally, every employee has a role to play in an organization’s security posture, and it is up to the CISO to make sure that happens. This includes regular security awareness training and naming employees across the business to be part of the security team. These employees wouldn’t be responsible for mitigating an incident, but they would be a familiar face within each department that will make reporting more comfortable than it would be to strangers or executives.

When security events and data breaches are underreported, the organization pays a high price in long-term mitigation costs, fines and loss of reputation. Employees need to know they can report incidents without retribution, and it is up to the CISO to make the reporting environment welcoming.
