Accountability Without Authority: The Growing Risk Facing Today's CISOs
The role of the Chief Information Security Officer (CISO) has changed dramatically since we started Blackmere in 2011.
What was once primarily a technical leadership position, reporting only to the CIO, now sits at the intersection of cybersecurity, product, governance, legal risk, and executive-level strategic decision-making. CISOs are expected to protect the organization from increasingly sophisticated threats while navigating regulatory requirements, reporting to boards, and defending security decisions long after they are made.
Now, new California privacy regulations are raising an important question for organizations and security leaders alike:
When the business owns the decision, should the CISO own the liability?
What's Driving the Concern?
The California Privacy Rights Act (CPRA) and related regulations are increasing expectations around cybersecurity governance, risk assessments, and executive accountability.
For CISOs, the concern is not that California law explicitly makes them personally liable for a breach.
The concern is that accountability is becoming increasingly tied to named individuals.
At the same time, high-profile enforcement actions such as the SEC's case against SolarWinds and its CISO, Tim Brown, have raised questions throughout the profession about where organizational responsibility ends and personal liability begins.
Imagine a CISO identifies a serious security risk, recommends remediation, and documents the potential consequences. The business ultimately decides not to act due to budget constraints, operational priorities, or competing business objectives.
If that risk later results in a breach, who bears responsibility?
Many CISOs worry that regulators, attorneys, shareholders, and the public will focus first on the security leader whose name appears on reports, certifications, and risk assessments, even when the final decision was made elsewhere.
The Accountability Gap
This creates a fundamental challenge. If a security leader identifies a problem, documents the risk, and recommends corrective action, should that same individual be personally accountable when the organization decides not to act?
Many CISOs would argue the answer is no.
Accountability should be tied to authority.
Without that balance, organizations create a situation where security leaders are responsible for outcomes they cannot fully influence.
That concern is fueling a broader conversation across the cybersecurity community: if security leaders are expected to accept greater accountability, they must also be given greater authority to influence the decisions that create risk in the first place.
Security Risk Is a Business Decision
One of the most common misconceptions about cybersecurity is that breaches are purely technical failures.
Most significant security incidents involve business decisions.
For example:
- An organization may choose to postpone replacing vulnerable infrastructure because the cost is too high.
- A product launch may proceed despite unresolved security concerns because the market opportunity is too important to delay.
- Security staffing requests may be denied due to competing budget priorities.
- Third-party risks may be accepted because changing vendors would disrupt operations.
These are not technology decisions alone. They are business decisions impacting technology.
When organizations accept risk after being informed of the consequences, responsibility should be shared across the leadership team rather than concentrated on a single executive.
Dan Holden, CISO of Commerce.com, believes the disconnect often stems from a misunderstanding of who owns risk and how it should be communicated across the organization.
Dan says, “Cybersecurity risk management is a two-way street. Companies cannot reasonably expect CISOs to personally own every risk decision. Their role is to identify, measure, communicate, and help mitigate risk, not unilaterally accept or reject it. Risk acceptance is ultimately a business decision.
At the same time, security leaders must communicate risk in multiple languages: regulatory risk, financial risk, and business risk. The most successful organizations recognize cybersecurity as a shared governance responsibility where accountability is matched with authority, risk decisions are transparent, and security leaders are empowered to communicate risk in terms the business can understand and act upon.”
The danger of expanding personal liability is that it can create the impression that cybersecurity failures are the sole responsibility of the CISO, when, in reality, risk acceptance often occurs at multiple levels throughout the organization.
What This Means for Recruiting Security Leaders
At Blackmere, we spend our days speaking with cybersecurity executives across industries ranging from critical infrastructure and energy to healthcare, technology, and government contracting. One trend has become increasingly clear.
Top security leaders are evaluating organizations as carefully as organizations evaluate them.
Compensation remains important.
Career growth remains important.
Mission and culture still matter.
But increasingly, candidates are asking bigger questions, like:
- Who owns cybersecurity risk?
- How involved is the board?
- What happens when security recommendations conflict with business objectives?
- How are risk decisions documented?
- What support exists when difficult decisions must be made?
- What legal protections are in place for executives (particularly CISOs)?
The strongest CISOs want to know whether they are joining an organization that views cybersecurity as a shared responsibility or one that expects a single individual to carry the burden when something goes wrong.
Organizations that cannot answer those questions convincingly may find it increasingly difficult to attract experienced security leaders.
What Organizations Should Do Now
The conversation should not be about eliminating accountability.
Accountability matters.
Strong security leaders should be responsible for identifying risks, communicating clearly, building effective programs, and exercising sound judgment.
The bigger question is whether organizations are creating the conditions necessary for CISOs to succeed.
That starts with governance.
Organizations should ensure that cybersecurity risk acceptance is formally documented and shared among the appropriate decision-makers.
Boards and executive teams should actively participate in cybersecurity discussions rather than treating security as an isolated technical function.
Risk decisions should be transparent, documented, and understood by all stakeholders.
Most importantly, organizations should evaluate whether their CISOs have the authority, resources, and executive support necessary to fulfill their assigned responsibilities.
The Future of the CISO Role
California's evolving privacy regulations may be signaling a broader trend toward increased executive accountability in cybersecurity.
If that trend continues, organizations will need to rethink how they structure security leadership, and the most successful will recognize that cybersecurity is not the responsibility of a single person.
Security is an enterprise-wide responsibility that requires participation from executives, boards, technology leaders, legal teams, and business stakeholders.
As expectations for security leaders continue to grow, so must the authority and support provided to them.
Otherwise, organizations risk creating a role defined by accountability without authority.
And that may become one of the greatest challenges in attracting and retaining cybersecurity leadership in the years ahead.
