How should you respond when asked to white-wash a security risk?  How does the CISO protect themselves from unfairly taking the blame and being held liable?

Anonymous Author
I think that's why the reporting lines are so important. I'm not going to make the decision that you like; I'm going to make the decision I need to make to defend the data and/or company. So we're going to have a conversation about how the risk is positioned. How is it positioned with the board versus the operating teams? There's a time when you have to say what you have to say, and you need to make sure it's documented that you delivered the risk in the way it needed to be delivered. Results vary depending upon how this role is structured.
1 upvotes
Anonymous Author
From a financial reporting and a financial integrity perspective there's an art in how you write things, but there has to be a level of accuracy and transparency with it for that financial integrity and financial reporting. It makes me wonder if perhaps we need that type of, for lack of a better word, regulation. You can interpret accounting rules in a variety of different ways, but it's fairly clear when you're manipulating accounting and the reporting and stuff like that. It's about how you manage but not massage the message. There's a difference, right? It's subtle, but one is clearly whitewashing and the other is doing it in a way that's open, direct, not over-elevated, but not under-called.
1 upvotes
Anonymous Author
Perhaps it's just a matter of ignorance and I'm being too harsh on the questions, perceiving them as an intentional act to water it down rather than viewing it as ignorance, not some intentional act. But to maintain our integrity we need to understand what is driving the intent to portray risks in various ways, by not only ourselves but other executives.
1 upvotes
Anonymous Author
You document the risk, probability of occurrence and potential damage. Then you present it to top management and internal auditing with a mitigation action plan and approximate costs. If the plan gets approved then work on it; if not, then fill in an "appetite for risk" document signed by all involved.
3 upvotes
Anonymous Author
I also would "document the risk, probability of occurrence and potential damage". I would highly emphasize the risk and potential damage factors and have upper management sign off, both the CIO and corresponding VP, on a document stating they fully understand and accept the risk and implications of whitewashing this risk. Although it is a CYA approach, it also highlights to upper management the risk impact this could have.
0 upvotes