If you saw a coworker browsing through a database they weren’t supposed to have access to, would you report it? What would you do if you accidentally clicked on a link in a phishing email?

Most people would say they’d do the right thing and let the IT or security team know. But saying you’d do the right thing is very different from actually following through. A recent study from ISACA showed that employees are underreporting security incidents, even when reporting is required. In addition, security professionals don’t always trust their team’s ability to detect and respond to cyberthreats.

Combined, these two issues make organizations even more susceptible to data breaches and compliance violations.

Will I Lose My Job If I Report a Security Incident?

Upper management might be unwittingly hindering the reporting of security incidents. According to Nominet, a third of CEOs said they would fire a chief information security officer (CISO) if they believed that person was responsible for not spotting a data breach.

Because there are few experts in cybersecurity in any given organization, there is a lot of misunderstanding that surrounds security incidents. Not every cyber incident is a data breach, yet “breach” is used as a catch-all term for anything that happens. Perhaps the lack of proper language could put someone unnecessarily at risk for reprimand (or worse), so they decide not to report? Or maybe they are so worried a simple mistake like following directions on a spear phishing email could result in termination that they’ll let the company deal with any repercussions instead?

I know people who are so concerned a phishing email could cost them their job that they won’t even report the email, whether or not they clicked on a link. Creating this level of fear in employees doesn’t help anyone. In fact, it hurts the entire security posture of the organization.

Who’s In Charge of Security?

Employees don’t underreport just because they want to keep their jobs; they underreport because they may not know reporting procedures or even who is responsible for cybersecurity issues. If there is a CISO, sure, that helps clarify things, but not every organization has a defined CISO role, and organizations may have a structured reporting system where management closer to the employee is notified first. But does that manager know what to do when confronted with security incidents?

“Governance dictates confidence level in cybersecurity,” Frank Downs, director of ISACA’s cybersecurity practices, said in a formal statement. “When the cybersecurity team reports directly to a designated and experienced cybersecurity executive, cybersecurity teams report having significantly more confidence in their team’s capability to detect attacks and respond effectively.”

But even among executives, there is a lack of clarity about who is in charge of cybersecurity. Again, it isn’t always the CISO. In many cases, the CEO takes ultimate responsibility for any security incidents. In situations of serious data breaches that require public relations mediation, it is often the CEO who becomes the face of the breach and is held responsible for the company’s failure to protect consumer data. The problem here, however, is that most CEOs aren’t familiar enough with cybersecurity to be responsible for incident reporting or mitigation. If a CEO sits at the top of the security reporting structure, does that executive know what to do with the information?

Again, the lack of a true reporting policy or having an inexperienced executive making crucial decisions ends up hurting the organization’s security posture. In this case, if there is a data breach, it could be the CEO who loses their job.

How the CISO Can Right the Security Ship

There is clearly a huge disconnect between employees at all levels and the responsibility for reporting and mitigating security incidents. Closing that gap requires the CISO to step up and take charge.

According to ISACA, employees feel most confident about the security team when the CISO is a strong, clearly defined leader. It may come down to working with the organization’s board of directors to create that line of leadership and designate a direct reporting ladder, with the CISO being the top rung, answering directly and only to the board on security issues.

The CISO should also provide a well-defined, readily available security policy that includes security incident reporting and information on penalties for violations. An employee shouldn’t have to worry about their job security if they report an incident, but at the same time, there should be some defined retribution if the employee knowingly doesn’t report an incident when required by compliance regulations.

This policy should define the security reporting line, which should be someone within the security team and not the business management structure; what situations must be reported by law or company policy (and what could happen legally if that’s not followed); what situations management highly recommends be reported; and whether this can be done anonymously. Punishments for not reporting or for being responsible for a security incident should also be spelled out.

Finally, every employee has a role to play in an organization’s security posture, and it is up to the CISO to make sure that happens. This includes regular security awareness training and naming employees across the business to be part of the security team. These employees wouldn’t be responsible for mitigating an incident, but they would be a familiar face within each department, making reporting more comfortable than it would be with strangers or executives.

When security events and data breaches are underreported, the organization pays a high price in long-term mitigation costs, fines and loss of reputation. Employees need to know they can report incidents without retribution, and it is up to the CISO to make the reporting environment welcoming.
