Have you ever been asked to white-wash a security risk?
Security risk should never be white-washed. I have had disagreements on the impact of a risk if it gets exploited, and then we start the serious discussion on severity and impact to the organization. In most cases we came to an agreement after we discussed the cost to the organization, the impact to the business, and the reputational damage to the organization. Then we start the remediation process to mitigate the risk.
How risk is managed by an organization can often reflect the risk maturity of the organization. Less risk-mature organizations will often not realize the total risk the organization faces. Many organizations have compliance requirements, which would not allow legal white-washing of risks. Very often, culture impacts risk appetite, which in turn can impact how much risk an organization will willingly or unwillingly take on. I am lucky in that I have always had a seat at the risk table and have been expected to never white-wash a risk and to fully address security risks.
There's always the "risk appetite". The risks in "the red zone" (even in the orange zone) should not be overlooked. But there are risks that the company can afford to accept, which I call "risk appetite". But no, I've never been asked to white-wash a security risk once it has been identified.
It's an interesting discussion. Below the topic of white-washing risk is the topic of normalizing the risk, right? I'm extremely conservative, by the book, be inspection-ready at all times, don't deviate, defend the perimeter. I'm that kind of person, but I recognize the fact that there are other views, from different lenses, that view risk in a different manner. I find myself grappling with the balance of right-sizing the risk and acknowledging the fact that sometimes things have to just play out. There's a balance between... okay, we're going to normalize it, I've got to let it play out a little bit... but then at some point I step in to communicate a defined risk.
There have been times where I've been asked, directed, or coached to characterize risk differently. I call it white-washing risk or rinsing risk or something that just dilutes the discussion and the impact. I know there are times where I've reacted to it negatively and it's been the executive wanting to push and poke to see how firm I was going to stand, to know if I was elaborating on the risk or elevating it beyond. So sometimes it's also just a poke to really test whether or not you really think it's a real risk. It just comes across as a request to water it down or white-wash it or change it. On the other hand, at previous companies, I saw how the enterprise risk map, and other things that literally had been vetted for months with every business unit, every risk and control lead, my team, lawyers in those business units... I saw those things sometimes get aggregated into a broader context. Sometimes that made sense and other times it seemed a bit watered down, so that by the time it went to the board it was a more benign issue, when the perspectives of those who created the initial risk mapping held it to be a standalone issue that needed to be addressed and needed to be discussed.
Yeah. That's exactly the experience for me across the companies I've worked at. The things we qualify and quantify in a security risk council then get white-washed by the enterprise risk management committee. I think the part that's interesting about this is that you can have a really strong mechanism around quantification and have a lot of data-driven approaches around how you quantify that risk, but at the end of the day a lot of this comes down to qualitative analysis. You have to determine: is this as important as investing in two more stores in the northeast? Are we really going to get a certain reward by reducing the risk? You have to figure out who's a friend, who's a foe. Who understands that by downplaying this there is an impact beyond technology. I think the best thing that I've been able to do is get the CIO to understand the different variables beyond security, availability, reliability, resilience... bring some of those other data points. Because he's obviously in more meetings than I am with the executive team, where he can prevent white-washing.
In some of my previous roles, I had the luxury of growing up on the finance side and I helped create the enterprise risk map. It was easy for me to plug into it, and then contextualize cyber risk into the enterprise risk map. Why? Because I helped construct the damn thing. If the CISO/CSO is not an equal participant in the construction of the enterprise risk map, it will always be watered down.
Anyone who has been in security for more than a year almost certainly has.
There are gradations of white-washing. At its worst, it can be an almost career-ending move, and put your certifications at risk.
At its least, it can be using compensating controls.