95% of security leaders feel pressure to bury bad news
A new Checkmarx report, "The Future of Application Security in the Era of AI," found that 95% of CISOs feel pressured to suppress or delay compliance-related security findings.
The pressure comes from every direction: the board, PR, product and sales, and C-level execs worried about timing, the classic "not before the earnings call." It is rarely said out loud. Security findings get framed as obstacles to business goals rather than as risk insight.
The experts quoted point to one real fix: pull the CISO into business strategy, and make routine disclosure normal before a crisis, not during one.
Source: Dark Reading · Checkmarx report, 15 Jun 2026
My take
95%. Read that number again. Almost every security leader has been leaned on to stay quiet, slow down, or soften a finding. Not by villains. By a board protecting a number, a sales team protecting a deal, a comms team protecting a launch date.
Here is the trap. The pressure is almost never written down. Nobody emails you "bury this." You just feel the room go cold when you raise it. That deniability is exactly what makes it dangerous, and exactly why it works.
The answer is not heroics. It is making disclosure boring. Normalise it when nothing is on fire, so that when something is, telling the truth is already the habit. If your board only hears from security after an incident, you lost the argument months ago.
86,000 Fortinet logins, and nobody had to break in
A campaign now called FortiBleed has produced a verified database of more than 86,000 working credentials for internet-facing Fortinet firewalls and VPNs, across 194 countries. Researcher Kevin Beaumont puts that at roughly half of all Fortinet firewalls exposed online. Many of the passwords were stolen in earlier incidents and never rotated.
A Russian-speaking actor is cracking the SSL VPN password hashes and pivoting from the firewalls into internal Active Directory. On June 18, CISA issued an alert telling Fortinet customers to reset credentials, hash stored admin passwords with PBKDF2, review logs, enable phishing-resistant MFA, and lock down management access.
Source: SecurityWeek · CISA alert, 18 Jun 2026
My take
Half the Fortinet firewalls facing the internet, with working logins sitting in a database somebody compiled. And part of it is worse than a fresh breach: a chunk of those passwords were stolen long ago and simply never changed.
This is the line to keep. The attackers are not breaking in. They are logging in. Valid credentials, front door, no exploit required.
If you run Fortinet edge gear, CISA gave you the weekend list: kill the sessions, reset the credentials, force phishing-resistant MFA, lock down management access. But the lesson sits upstream of all that. A stolen password you never rotate is not an incident you survived. It is a permanent key you are paying to keep cut.
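The "review logs" item on that list deserves a concrete shape. In a logging-in rather than breaking-in campaign, the signal is not failed logins but one source address working through many accounts and getting tunnels for some of them; those accounts are the ones to reset first. The script below is an added example, not code from the article, CISA or Fortinet. The log lines are constructed, and the field names it parses (subtype, action, user, remip, with "ssl-login-fail" as a failed login and "tunnel-up" as an established session) are assumptions about FortiGate's event log conventions that you should check against your own firewall's output.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style SSL VPN event lines (not real traffic). Field
# names and action values are assumed from FortiGate conventions; verify them
# against your own logs before relying on this.
SAMPLE_LOGS = """\
date=2026-06-17 time=02:11:04 type="event" subtype="vpn" action="ssl-login-fail" user="a.jensen" remip=198.51.100.7 msg="SSL user failed to logged in"
date=2026-06-17 time=02:11:09 type="event" subtype="vpn" action="ssl-login-fail" user="b.holm" remip=198.51.100.7 msg="SSL user failed to logged in"
date=2026-06-17 time=02:11:15 type="event" subtype="vpn" action="tunnel-up" user="c.larsen" remip=198.51.100.7 msg="SSL tunnel established"
date=2026-06-17 time=02:11:22 type="event" subtype="vpn" action="tunnel-up" user="d.moeller" remip=198.51.100.7 msg="SSL tunnel established"
date=2026-06-17 time=07:58:40 type="event" subtype="vpn" action="tunnel-up" user="e.nielsen" remip=203.0.113.9 msg="SSL tunnel established"
date=2026-06-17 time=08:02:03 type="event" subtype="vpn" action="ssl-login-fail" user="f.olsen" remip=192.0.2.44 msg="SSL user failed to logged in"
date=2026-06-17 time=08:02:31 type="event" subtype="vpn" action="tunnel-up" user="f.olsen" remip=192.0.2.44 msg="SSL tunnel established"
date=2026-06-17 time=08:05:00 type="event" subtype="system" action="login" user="admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"
"""

# key=value pairs; a value is either a double-quoted string or a bare token
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
FAIL_ACTIONS = {"ssl-login-fail"}   # assumed action value for a failed login
SUCCESS_ACTIONS = {"tunnel-up"}     # assumed action value for a live session


def parse(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def spray_report(lines, min_users: int = 3) -> list:
    """Group VPN auth events by source IP and flag sources that tried several
    distinct accounts. Accounts that got a tunnel from such a source are the
    ones whose passwords are demonstrably in the attacker's hands."""
    per_ip = defaultdict(lambda: {"attempted": set(), "succeeded": set()})
    for line in lines:
        ev = parse(line)
        if ev.get("subtype") != "vpn":
            continue
        ip, user, action = ev.get("remip"), ev.get("user"), ev.get("action")
        if not (ip and user and action):
            continue
        if action in FAIL_ACTIONS or action in SUCCESS_ACTIONS:
            per_ip[ip]["attempted"].add(user)
        if action in SUCCESS_ACTIONS:
            per_ip[ip]["succeeded"].add(user)
    report = [
        {"remip": ip, "users_tried": len(s["attempted"]), "compromised": sorted(s["succeeded"])}
        for ip, s in per_ip.items()
        if len(s["attempted"]) >= min_users
    ]
    return sorted(report, key=lambda r: -r["users_tried"])


if __name__ == "__main__":
    for r in spray_report(SAMPLE_LOGS.splitlines()):
        print(f"{r['remip']}: tried {r['users_tried']} accounts; "
              f"reset first: {', '.join(r['compromised']) or 'none'}")
```

On the sample, only 198.51.100.7 is flagged: four accounts tried, two of them (c.larsen, d.moeller) got a tunnel. The user who mistyped a password and then succeeded is not flagged, and the normal single login from 203.0.113.9 is ignored. The `min_users` threshold is a heuristic: a shared corporate egress address will legitimately show many users, so allowlist known NAT gateways rather than lowering the bar.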
One forgotten GitHub token. Two months inside Novo Nordisk.
Novo Nordisk, the Danish maker of Ozempic, disclosed a breach on June 11. The reported way in was a single high-privileged GitHub access token, left exposed in client-side JavaScript on an obscure subdomain. From there the attackers cloned private repositories, harvested more credentials sitting inside the code, and pivoted deeper.
The group claiming the attack says it spent more than two months inside and exfiltrated more than 700,000 files, around 1.3 TB, including source code, drug data, internal AI models, and records on roughly 11,500 pseudonymized trial participants, then started leaking after a 25 million dollar ransom went unpaid.
The experts' verdict: repos and CI/CD pipelines are production systems now, machine credentials rarely have an owner or a rotation schedule, and the blast radius of that one credential was the whole breach.
Source: Dark Reading · disclosed 11 Jun 2026
My take
One token. Sitting in client-side code, on a subdomain nobody was watching. That was the entire way in. Two months inside one of the biggest pharma companies on the planet, and out the door with source code, drug data, and trial records.
Same story as FortiBleed, different costume. Nobody breached a perimeter. They were authenticated. And the extra credentials they needed to go deeper were just lying in the repos, waiting.
The uncomfortable part for you: you almost certainly have hundreds of machine credentials, tokens, service accounts, API keys, with no owner, no rotation, no monitoring. You watch your people. Who watches the keys? Treat repos and pipelines as production, because to an attacker the code repo is the building plans, not a filing cabinet.
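The way in here was a token sitting in shipped client-side JavaScript, which is a thing you can look for yourself before someone else does. The scanner below is an added example, not code from the article or anything Novo Nordisk runs. The JavaScript it scans is a constructed fragment; the GitHub token shapes follow GitHub's documented prefixes (ghp_/gho_/ghu_/ghs_/ghr_ plus 36 characters, github_pat_ plus 22, an underscore and 59), the AWS key ID is Amazon's own documentation placeholder, and the 4.0 bits-per-character entropy cut-off for generic assignments is an assumed tuning value.

```python
import math
import re
from collections import Counter

# Constructed sample of a client-side bundle of the kind the write-up describes.
# No real site, no live credential; AKIAIOSFODNN7EXAMPLE is AWS's own
# documentation placeholder.
SAMPLE_JS = """\
const API_BASE = "https://api.example.invalid/v1";
// legacy helper left over from an internal tool and never removed
const GH_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";
const cfg = {
  apiKey: "rK7pL2xQ9vM4tB8wN3zH6cY1dF5gJ0se",
  password: "placeholder_change_me_value",
  region: "eu-west-1",
};
const s3 = { accessKeyId: "AKIAIOSFODNN7EXAMPLE" };
fetch(API_BASE + "/repos", { headers: { Authorization: "token " + GH_TOKEN } });
"""

# Format-specific matchers: these token shapes are distinctive enough to flag
# on structure alone, with no entropy test.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}

# Generic matcher: a secret-looking name assigned a quoted string of 20+ chars.
# This one needs an entropy filter, or every placeholder becomes a finding.
GENERIC = re.compile(
    r"""(?i)\b(?:token|secret|api[_-]?key|password|passwd)\b\s*[:=]\s*["']([A-Za-z0-9_\-]{20,})["']"""
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune on your own corpus


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; random base62 of 20+ chars scores
    well above 4, English-looking placeholders well below."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep enough to locate the secret in the file, never enough to reuse it."""
    return value[:6] + "..." + value[-2:]


def scan(source: str) -> list:
    """Return findings as dicts with kind, 1-based line number and masked value."""
    findings, seen = [], set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if (lineno, m.group(0)) not in seen:
                    seen.add((lineno, m.group(0)))
                    findings.append({"kind": kind, "line": lineno, "value": mask(m.group(0))})
        for m in GENERIC.finditer(line):
            value = m.group(1)
            entropy = shannon_entropy(value)
            if (lineno, value) in seen or entropy < ENTROPY_THRESHOLD:
                continue
            seen.add((lineno, value))
            findings.append({"kind": "high_entropy_assignment", "line": lineno,
                             "value": mask(value), "entropy": round(entropy, 2)})
    return findings


if __name__ == "__main__":
    # Triage order matters: revoke the token first (deleting the file does not
    # invalidate it), then rotate whatever it could reach, then scrub history.
    for f in scan(SAMPLE_JS):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

On the sample this reports three findings (the GitHub token on line 3, the high-entropy apiKey on line 5, the AWS key ID on line 9) and correctly ignores the low-entropy placeholder password. Point it at the served bundles of every subdomain you own, not just the ones you remember; the one that hurt Novo Nordisk was on a subdomain nobody was watching.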
You can't keep a former employee's mailbox. I had to explain that this week.
I ran an ISO 27001 audit this week for a certification body. The company has held the certificate for years, and they were genuinely surprised to learn they cannot simply keep former employees' mailboxes running. It is not new.
Earlier this year, Belgium's data protection authority fined a large tech company about 176,000 euros for exactly this: a former employee discovered their mailbox was still active six months after leaving. The regulator's position is blunt.
You can rely on a legitimate interest to keep a mailbox for a short handover, think a month, and then it has to go. And restricting access is not the same as deleting it. Stored data is still being processed.
Source: Baker McKenzie · Belgian DPA decision, May 2026
My take
Same theme as the three above, from the compliance side. Access and data that should have been gone, still sitting there. Nobody attacked anything. The exposure was already in the building.
Two things people get wrong. One: locking an account is not deleting it. A mailbox you can no longer open is still being stored, and storage is still processing under GDPR. The regulator said it plainly. Two: that mailbox is not just the ex-employee's data. It is full of everyone who ever wrote to them. The blast radius is bigger than one person, again.
And here is the part that should sting: this company was certified. Had been for years. Still got it wrong. A framework tells you what good looks like. It does not do your offboarding for you. So go check, honestly: when someone leaves, what actually happens to their mailbox, and who signs off that it is gone?
My new PECB webinar is live: closing the decision gap
On the subject of decisions made under pressure: my webinar for PECB is now online. It is called "Closing the Decision Gap: How Risk-Informed Decisions Build Digital Trust." It is about the space between knowing your risks and actually acting on them, and why good risk decisions are what build trust, inside the organisation and with the people you serve. If the thread running through this whole issue hit a nerve, this is the strategic version of the same conversation.
Source: Watch on YouTube · PECB webinar
My take
Look back at the four items above. Every one is, underneath, a decision nobody made in time. Rotate the key. Delete the mailbox. Say the hard thing to the board. Risk management lives or dies in that gap between knowing and doing.
That gap is the whole talk. If you are the one who has to make those calls, or defend them to people who would rather not hear it, give it a watch. Then tell me if I got it wrong.