Have you ever been asked to white-wash a security risk?

Orange Monitor
Software
There have been times where I've been asked, directed, or coached to characterize risk differently. I call it whitewashing risk or rinsing risk or something that just dilutes the discussion and the impact. I know there have been times where I've reacted to it negatively and it's been the executive wanting to push and poke to see how firm I was going to stand, to know if I was elaborating on the risk or elevating it beyond. So sometimes it's also just a poke to really test whether or not you really think it's a real risk. It just comes across as a request to water it down or whitewash it or change it. On the other hand, at previous companies, I saw how the enterprise risk map, and other things, that literally had been vetted for months with every business unit, every risk and control lead, my team, lawyers in those business units... I saw those things sometimes get aggregated into a broader context. Sometimes that made sense and other times it seemed a bit watered down, so that by the time it went to the board it was a more benign issue, when those who created the initial risk mapping believed it to be a standalone issue that needed to be addressed and needed to be discussed.
1 upvotes
Pink Monitor
Software
It's an interesting discussion. Below the topic of whitewashing risk is the topic of normalizing the risk, right? I'm extremely conservative, by the book, be inspection-ready at all times, don't deviate, defend the perimeter. I'm that kind of person, but I recognize the fact that there are other views, from different lenses, that view risk in a different manner. I find myself grappling with the balance of right-sizing the risk and acknowledging the fact that sometimes things have to just play out. There's a balance between... okay, we're going to normalize it, I've got to let it play out a little bit... but then at some point I step in to communicate a defined risk.
0 upvotes
Yellow Processor
Construction
There's always the "risk appetite". The risks in "the red zone" (even in the orange zone) should not be overlooked. But there are risks that the company can afford to accept, which is what I call "risk appetite". But no, I've never been asked to white-wash a security risk once it has been identified.
1 upvotes
Pink Processor
Health Care and Social Assistance
How risk is managed by an organization can often reflect the risk maturity of the organization. Less risk-mature organizations will often not realize the total risk the organization faces. Many organizations have compliance requirements, which would not allow legal white-washing of risks. Very often, culture impacts risk appetite, which in turn can impact how much risk an organization will willingly or unwillingly take on. I am lucky in that I have always had a seat at the risk table and have been expected to never white-wash a risk and to fully address security risks.
1 upvotes
Yellow Server
Software
Anyone who has been in security for more than a year almost certainly has. There are gradations of white-washing. At its worst, it can be an almost career-ending move, and put your certifications at risk. At its least, it can be using compensating controls.
1 upvotes