You confirm a breach exposing customer PII, and legal hesitates to disclose. What does the CISO drive?
Short answer
Breach handling is governed by law and contract: work with legal to meet mandatory notification timelines (such as GDPR's 72 hours to the supervisory authority) and inform affected parties accurately. Concealment risks far larger fines, regulatory action, and reputational damage when it surfaces later. Dumping raw, unverified technical details prematurely can mislead customers and aid attackers. Scapegoating an individual employee is neither accurate, lawful, nor effective crisis management — it deflects from the organization's accountability.
A confirmed breach of customer PII is no longer a purely technical event — it is a legal and regulatory one. The scenario tests whether the CISO understands that disclosure obligations are not optional and that "protecting the brand" by hiding the breach is the fastest way to destroy it.
Why lawful, timely disclosure is correct
Most jurisdictions impose mandatory breach-notification duties. Under GDPR, a controller must notify the supervisory authority within 72 hours of becoming aware of a personal-data breach, and notify affected individuals "without undue delay" when there is high risk to their rights. The CISO's job is to drive the incident-response process while working with legal to map every applicable obligation — regulators, customers, contractual partners — and to disclose accurately, even when the picture is still forming. Honest, staged disclosure ("here is what we know, here is what we're still investigating") satisfies the law and preserves trust.
Why the distractors fail
- Stay quiet to protect the brand. Concealment is the opposite of protection. It typically converts a manageable incident into a regulatory violation with much larger fines, and the cover-up usually does more reputational harm than the breach itself.
- Publish every technical detail immediately. Premature, unverified dumps can be wrong, can mislead affected customers, and can hand attackers a roadmap or confirmation. Disclosure must be accurate, not merely fast and raw.
- Blame an individual employee publicly. Scapegoating is inaccurate (breaches are usually systemic), legally reckless, and corrosive to the culture you need for people to report incidents early.
What the interviewer is probing
They want to see that you treat disclosure as a legal obligation driven by the CISO in partnership with legal, not a PR decision made to spare embarrassment. The mature answer balances speed (the 72-hour clock) with accuracy, resists the instinct to hide, and never reaches for a scapegoat. The weak candidate optimizes for short-term brand comfort — which is exactly what regulators and courts punish.
Likely follow-ups
- Which regulators and contractual parties would you map notification duties to, and how do you track the clock?
- How do you disclose accurately when the investigation is still ongoing and facts are incomplete?
- What is the difference between notifying a supervisory authority and notifying affected data subjects?