A is for Accountability

Information security ABCs – An exercise in the fundamentals and basics of information security for everyone.


the state of being accountable, liable, or answerable.

This is where information security starts. If accountability were better understood, agreed upon, practiced, and enforced, we’d have much better information security.

Who’s ultimately responsible for information security in your organization?

This is a question I’ve asked 100s of organizations over the years. You’d be surprised by the answers:

  • “I don’t know.”
  • “That’s a good question.”
  • “Well, I am (the CIO, CISO, etc.).”
  • “We all are.”
  • “Nobody is.”

What’s the right answer? Simple, do this:

  • Grab an organization chart.
  • Find the person/people at the top of the chart

This is the correct answer. Always.

Sample Org Chart

Three questions then:

  1. Does the person/people at the top know they’re ultimately responsible for information security?
  2. If so, do they act like it (demand periodic status updates, champion the cause, plot direction, delegate effectively, etc.)?
  3. If not, who’s responsible for telling them?

The sample organization chart above is semi-typical for a business. Let’s look at a city, county, and/or school district. Same thing applies, the person/people at the top is/are ultimately responsible.

This slideshow requires JavaScript.

If this ultimate accountability is missing or broken, then expect the information security program to be missing or broken. The lack of accountability at the top permeates through all other information security efforts.

Tip: Define ultimate responsibility for information security in your organization and document it in an information security charter.


There’s a saying, “information security is everyone’s responsibility.” This is sort of true, but sort of not true. It’s true that everyone has responsibilities in information security, it’s not true that information security is everyone’s responsibility. Ultimately, information security is a responsibility that lies at the top. Only once this is realized, can we effectively begin to define and communicate delegated and supporting responsibilities.

Don’t assume that people know what their responsibilities are. Once responsibilities are defined and agreed upon, we can start practicing/enforcing accountability.


In simplest terms, a CISO only has two responsibilities.

  1. Consult on information security risk, enabling the business to make sound risk decisions.
  2. Implement the business’ risk decisions in the best manner possible.

Both of these responsibilities are delegated from the top. In some cases, the top may delegate risk decisions to the CISO as well. This can work if the parameters are well-defined (and documented) and the CISO is empowered to do so.

NOTE: This approach is a delegation only, and should/does not absolve the top from their responsibility.

Honorable Mention for “A”

  • Asset (and asset management) – something that has value to a person or organization. Assets can be tangible (hardware, facility, etc.) or intangible (software, data, intellectual property, etc.).
  • Authentication – proof of an identity (subject or object). Three factors; something you know (password, PIN code, etc.), something you have (token, mobile phone, etc.), and something you are (biometric).
  • Access (Control) – what a subject can do with a system, file, object, etc.

Next up, “B”.


I don’t do spam. I don’t eat it and I don’t send it. Not to mention, it’s also illegal!

I’ll write a privacy policy soon (that you won’t read).

About the Author

Leave a Reply

You may also like these