How should you respond when asked to whitewash a security risk? How does the CISO protect themselves from unfairly taking the blame and being held liable?

2.2k views · 1 Upvote · 8 Comments

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
I think that's why the reporting lines are so important. I'm not going to make the decision that you like; I'm going to make the decision I need to make to defend the data and/or company. So we're going to have a conversation about how the risk is positioned: how it is positioned with the board versus the operating teams. There's a time when you have to say what you have to say, and you need to make sure it's documented that you delivered the risk in the way it needed to be delivered. Results vary depending upon how this role is structured.
Board Member, Advisor, Executive Coach in Software, Self-employed
From a financial reporting and a financial integrity perspective there's an art in how you write things, but there has to be a level of accuracy and transparency with it for that financial integrity and financial reporting. It makes me wonder if perhaps we need that type of, for lack of a better word, regulation. You can interpret accounting rules in a variety of different ways, but it's fairly clear when you're manipulating accounting and the reporting and stuff like that. It's about how you manage but not massage the message. There's a difference, right? It's subtle, but one is clearly whitewashing and another one is doing it in a way that's open, direct, not over-elevated, but not under-called.
Senior VP & CISO, 10,001+ employees
I think that you've really hit the nail on the head. With insurance, there's a common taxonomy. When you wreck a car, you know exactly how much a quarter panel costs to replace on a BMW versus on a Toyota. You know how much it costs to replace a bumper or a tire or a race tire. We don't have the commonality of taxonomy. We don't have the commonality of liability. So when we talk about risk in different industry verticals as well as different geographies, there's a contextualization to it that is not common. It's one of the reasons why we as CISOs struggle to have the conversation around risk rather than IT security, because every company measures risk in a different way for some reason. I've not figured it out. I wonder sometimes, is it whitewashing? Is it contextualization? Is it rookie errors by companies or industries that just don't understand risk and don't know how to quantify it? It very well could be, because I can talk to an executive all day long in their language around market risk, saturation risk, credit risk. But when I start talking ransomware or cyber-attacks, sometimes they go, "Oh, this is too deep. You're getting too technical on me." *Sigh*.

Board Member, Advisor, Executive Coach in Software, Self-employed
Perhaps it's just a matter of ignorance and I'm being too harsh on the questions, perceiving it as an intentional act to water it down rather than viewing it as ignorance, not some intentional act. But to maintain our integrity we need to understand what is driving the intent to portray risks in various ways, by not only ourselves but other executives.
Senior VP & CISO, 10,001+ employees
Yeah. I think that it could be a broad spectrum of things, anywhere up to and including really just not understanding cyber risk. Anywhere on that spectrum, we are expected to be the unicorns in the room and speak 18 different business languages, quantify risk, and understand our industry vertical. I've learned so much about CPG, luxury products, packaging, data integrity from an FDA perspective, cosmetovigilance, skin care claims, and on and on. With my team, we are still educating everyone else about cybersecurity.
CIO in Energy and Utilities, 11 - 50 employees
You document the risk, probability of occurrence and potential damage. Then you present it to top management and internal auditing with a mitigation action plan and approximate costs. If the plan gets approved, then work on it; if not, then fill in an "appetite for risk" document signed by all involved.
Director of IT in Education, 1,001 - 5,000 employees
I also would "document the risk, probability of occurrence and potential damage". I would highly emphasize the risk and potential damage factors and have upper management sign off, both the CIO and the corresponding VP, on a document stating they fully understand and accept the risk and implications of whitewashing this risk. Although it is a CYA approach, it also highlights to upper management the risk impact this could have.
Director of IT in Energy and Utilities, 5,001 - 10,000 employees
These things are at times located in a grey area, and there may be an instance of it affecting core functionalities, which may cause certain decisions to be enforced.
