How should you respond when asked to white-wash a security risk?  How does the CISO protect themselves from unfairly taking the blame and being held liable?

Director of IT in Energy and Utilities, 4 years ago

The things are at times located in a grey area and there may be an instance of it affecting core functionalities, which may cause certain decisions to be enforced.

Director of IT in Education, 5 years ago

I also would “document the risk, probability of occurrence and potential damage”. I would highly emphasize the risk and potential damage factors and have upper management sign off, both the CIO and corresponding VP, on a document stating they fully understand and accept the risk and implications for whitewashing this risk.  Although it is a CYA approach, it also highlights to upper management the risk impact this could have?

CIO in Energy and Utilities, 5 years ago

You document the risk, probability of occurrence and potential damage. Then you present it to top management and internal auditing with a mitigation action plan and approx. costs. If the plan gets approved then work on it; if not, then fill in an "appetite for risk" document signed by all involved.

Board Member, Advisor, Executive Coach in Software, 5 years ago

Perhaps it’s just a matter of ignorance and I'm being too harsh on the questions and perceiving it as an intentional act to water it down, rather than viewing it as ignorance, not some intentional act.  But to maintain our integrity we need to understand what is driving the intent to portray risks in various ways by not only ourselves but other executives.

Reply (no title), 5 years ago

Yeah. I think that it could be a broad spectrum of things, anywhere up to and including really just not understanding cyber risk.  Anywhere on a spectrum, we are expected to be the unicorns in the room and speak 18 different business languages, quantify risk, and understand our industry vertical.  I've learned so much about CPG, luxury products, packaging, data integrity from an FDA perspective, cosmetovigilance, skin care claims, and on and on.  With my team, we are still educating everyone else about cybersecurity.

Board Member, Advisor, Executive Coach in Software, 5 years ago

From a financial reporting and a financial integrity perspective there's an art in how you write things, but there has to be a level of accuracy and transparency with it for that financial integrity and financial reporting.  It makes me wonder if perhaps we need that type of, for lack of a better word, regulation.  You can interpret accounting rules in a variety of different ways, but it's fairly clear when you're manipulating accounting and the reporting and stuff like that. It’s about how you manage but not massage the message.  There's a difference, right? It's subtle, but one is clearly whitewashing and another one is doing it in a way that's open, direct, not over-elevated, but not under-called.

Reply (no title), 5 years ago

I think that you've really hit the nail on the head.  With insurance, there's a common taxonomy. When you wreck a car, you know exactly how much a quarter panel costs to replace on a BMW versus on a Toyota. You know how much it costs to replace a bumper or a tire or a race tire. We don't have the commonality of taxonomy.  We don't have the commonality of liability.  So when we talk about risk in different industry verticals as well as different geographies there's a contextualization to it that is not common.  It's one of the reasons why we as CISOs struggle to have the conversation around risk rather than IT security, because every company measures risk in a different way for some reason. I've not figured it out. I wonder sometimes, is it whitewashing? Is it contextualization? Is it rookie errors by companies or industries that just don't understand risk and they don't know how to quantify it? It very well could be, because I can talk to an executive all day long in their language around market risk, saturation risk, credit risk. But when I start talking ransomware or cyber-attacks, sometimes they go, “Oh, this is too deep.  You’re getting too technical on me.”  *Sigh*.
