If you saw a coworker browsing through a database they weren’t supposed to have access to, would you report it? What would you do if you accidentally clicked on a link in a phishing email?

Most people would say they’d do the right thing and let the IT or security team know. But saying you’d do the right thing is very different from actually following through. A recent study from ISACA showed that employees are underreporting security incidents, even when reporting is required. In addition, security professionals don’t always trust their team’s ability to detect and respond to cyberthreats.

Combined, these two issues make organizations even more susceptible to data breaches and compliance violations.

Will I Lose My Job If I Report a Security Incident?

Upper management might be unwittingly hindering the reporting of security incidents. According to Nominet, a third of CEOs said they would fire a chief information security officer (CISO) if they believed that person was responsible for not spotting a data breach.

Because few people in any given organization are cybersecurity experts, there is a lot of misunderstanding about what a security incident actually is. Not every cyber incident is a data breach, yet “breach” is used as a catch-all term for anything that happens. Perhaps that lack of precise language puts people at unnecessary risk of reprimand (or worse), so they decide not to report? Or perhaps they are so worried that a simple mistake, like following the directions in a spear phishing email, could result in termination that they would rather let the company deal with the repercussions on its own?

I know people who are so concerned a phishing email could cost them their job that they won’t even report the email, whether or not they clicked on a link. Creating this level of fear in employees doesn’t help anyone. In fact, it hurts the entire security posture of the organization.

Who’s In Charge of Security?

Employees don’t underreport just because they want to keep their jobs; they underreport because they may not know reporting procedures or even who is responsible for cybersecurity issues. If there is a CISO, sure, that helps clarify things, but not every organization has a defined CISO role, and organizations may have a structured reporting system where management closer to the employee is notified first. But does that manager know what to do when confronted with security incidents?

“Governance dictates confidence level in cybersecurity,” Frank Downs, director of ISACA’s cybersecurity practices, said in a formal statement. “When the cybersecurity team reports directly to a designated and experienced cybersecurity executive, cybersecurity teams report having significantly more confidence in their team’s capability to detect attacks and respond effectively.”

But even among executives, there is a lack of clarity about who is in charge of cybersecurity. Again, it isn’t always the CISO. In many cases, the CEO takes ultimate responsibility for any security incident. When a serious data breach requires public relations management, it is often the CEO who becomes the face of the breach and is held responsible for the company’s failure to protect consumer data. The problem, however, is that most CEOs aren’t familiar enough with cybersecurity to be responsible for incident reporting or mitigation. If the CEO sits at the top of the security reporting structure, does that executive know what to do with the information?

Again, the lack of a true reporting policy, or an inexperienced executive making crucial decisions, ends up hurting the organization’s security posture. In this case, if there is a data breach, it could be the CEO who loses their job.

How the CISO Can Right the Security Ship

There is clearly a huge disconnect between employees at all levels and the responsibility for reporting and mitigating security incidents. Closing that gap requires the CISO to step up and take charge.

According to ISACA, employees feel most confident about the security team when the CISO is a strong, clearly defined leader. It may come down to working with the organization’s board of directors to create that line of leadership and designate a direct reporting ladder, with the CISO being the top rung, answering directly and only to the board on security issues.

The CISO should also provide a well-defined, readily available security policy that includes security incident reporting procedures and information on penalties for violations. An employee shouldn’t have to worry about their job security if they report an incident, but at the same time, there should be clearly defined consequences if an employee knowingly fails to report an incident when reporting is required by policy or compliance regulations.

This policy should define the security reporting line, which should be someone within the security team and not the business management structure; what situations must be reported by law or company policy (and what could happen legally if that’s not followed); what situations management highly recommends be reported; and whether this can be done anonymously. Punishments for not reporting or for being responsible for a security incident should also be spelled out.

Finally, every employee has a role to play in an organization’s security posture, and it is up to the CISO to make sure that happens. This includes regular security awareness training and naming employees across the business to act as extended members of the security team. These employees wouldn’t be responsible for mitigating an incident, but they would be a familiar face within each department, which makes reporting more comfortable than it would be with strangers or executives.

When security events and data breaches are underreported, the organization pays a high price in long-term mitigation costs, fines and loss of reputation. Employees need to know they can report incidents without retribution, and it is up to the CISO to make the reporting environment welcoming.
