How should you respond when asked to white-wash a security risk?  How does the CISO protect themselves from unfairly taking the blame and being held liable?

Orange Terminal
Software
I think that's why the reporting lines are so important. I'm not going to make the decision that you like; I'm going to make the decision I need to make to defend the data and/or company. So we're going to have a conversation about how the risk is positioned. How is it positioned with the board versus the operating teams? There's a time when you have to say what you have to say, and you need to make sure it's documented that you delivered the risk in the way it needed to be delivered. Results vary depending upon how this role is structured.
1 upvotes
Red Terminal
Software
From a financial reporting and a financial integrity perspective there's an art in how you write things, but there has to be a level of accuracy and transparency with it for that financial integrity and financial reporting. It makes me wonder if perhaps we need that type of, for lack of a better word, regulation. You can interpret accounting rules in a variety of different ways, but it's fairly clear when you're manipulating accounting and the reporting and stuff like that. It's about how you manage but not massage the message. There's a difference, right? It's subtle, but one is clearly whitewashing and the other one is doing it in a way that's open, direct, not over-elevated, but not under-called.
1 upvotes
Red Terminal
Software
Perhaps it's just a matter of ignorance and I'm being too harsh on the questions and perceiving it as an intentional act to water it down, rather than viewing it as ignorance, not some intentional act. But to maintain our integrity we need to understand what is driving the intent to portray risks in various ways, by not only ourselves but other executives.
1 upvotes
Pink Hard Drive
Construction
You document the risk, probability of occurrence and potential damage. Then you present it to top management and internal auditing with a mitigation action plan and approx. costs. If the plan gets approved, then work on it; if not, then fill in an "appetite for risk" document signed by all involved.
3 upvotes
Green Server
Educational Services
I also would "document the risk, probability of occurrence and potential damage". I would highly emphasize the risk and potential damage factors and have upper management sign off, both the CIO and corresponding VP, on a document stating they fully understand and accept the risk and implications of whitewashing this risk. Although it is a CYA approach, it also highlights to upper management the risk impact this could have.
0 upvotes