Accountability in Cybersecurity is Broken, Part 1: Is It Really Broken?

Let’s not waste time.

Yes, accountability in cybersecurity is broken.

Badly. In fact, it’s been broken for a long time.

We talk a big game in this industry about “responsibility” and “doing the right thing,” but when something goes wrong–when someone gets hurt, when data is stolen, when systems fail–who’s actually held accountable?

Rarely the people who should.

And that’s the problem.

Responsibility ≠ Accountability

We’ve confused the hell out of these two terms, so let’s set the record straight:

Responsibility means you’re supposed to do the work.
Accountability means you take the fall when the work fails.

You can hand off responsibility. You can outsource it, delegate it, automate it.
But you can’t outsource accountability.

Accountability lives at the top—CEO, Board, Owner.
They decide the priorities. They approve the budgets. They accept the risks.
So when those decisions lead to failure, they’re the ones who should own it.

(TRUTH: if we’re going to fix this broken industry, they’re the ones who MUST own it.)

But do they? Hardly ever.

Proof We’re Still Confused

Here’s a LinkedIn poll that pissed me off (but didn’t surprise me):

“Who is ultimately responsible for cybersecurity in an organization?”

At last count, there were 7,755 votes cast, most of them likely from cybersecurity professionals.

Here’s how they voted:

  • 55% said the CISO
  • 21% said the Board
  • 19% said the CEO
  • 6% said “Other”

Either more than half the people in our industry think the CISO should be on the hook when things go south, or more than half know the CISO is on the hook (regardless of whether they should be).

Either way. No. Just… no.

The CISO might run the security program, but they don’t set the company’s direction. They don’t control resources. They’re not the ones deciding how much risk to take. That’s the job of the board, CEO and/or owner. So, when security fails in a big way, it’s an organizational leadership failure.

The Three Groups (a.k.a. The Dark Triad)

Cybersecurity’s accountability problem isn’t just about outsiders breaking in—it’s about the people inside the system who either exploit it or refuse to own it.

I break them down like this:

1. The Overt Attackers (a.k.a. The Assailants)
These are the criminals we expect—ransomware gangs, nation-state hackers, cyber crews exploiting vulnerabilities. They’re aggressive, skilled, and motivated. You know where they stand.

2. The Wolves in Sheep’s Clothing (a.k.a. The Exploiters)
These are the vendors, consultants, influencers, and “thought leaders” who pretend to help but actually profit from chaos. They sell fear, confusion, and overcomplicated solutions that solve nothing. They’re insiders with their fangs hidden.

3. The Willfully Ignorant Decision-Makers (a.k.a. The Abdicators)
This group sits at the top. CEOs, boards, owners, policymakers—people who don’t understand security, don’t want to understand it, and conveniently dodge accountability when things go sideways. They have the power to make change but choose not to. This makes them dangerous.

These are the true forces undermining cybersecurity accountability. Not just external threats—but internal failures of ethics, courage, and leadership.

Sometimes these groups overlap. Sometimes the biggest threat is sitting in the boardroom, not behind a keyboard in Russia.

I’ll write more about these groups throughout the series.

Who Gets Screwed?

At the end of the day, it’s not the vendors. It’s not the attackers.
And it’s definitely not the business executives or policymakers.

It’s the everyday people—the consumers, patients, students, employees–who suffer.
The people who never asked for their data to be mishandled.
The ones who trusted someone else to protect them.

They’re the ones who pay the price for everyone else’s bad decisions.
And they don’t even know it–yet.

This is what pisses me off most. They deserve better, and we’re supposed to be better.

Why I’m Writing This

I’m not writing this to make friends. I’m more likely to make enemies (with this series).
I’m not writing this to make a name for myself. I already have the people who matter in my life.
I’m not writing this to make money. Money never comes before doing the right thing.

I’m writing this because I’m tired of watching people get screwed—over and over again—while the people who should be held accountable walk away untouched (or worse, enriched).

The information security industry is broken, and like anything that’s broken, it only gets worse until someone fixes it. Until we fix it.

Accountability. What better place to start?

What This Series Will Cover

This isn’t just a rant.
I mean, I will rant, but we have to go further.

I want to dig into why accountability is broken and what’s keeping it this way. These are the root causes, the stuff we don’t like talking about in polite company:

The Series:

Part 2: It’s Not Real Until It Hurts: Why No One Demands Change
People won’t demand accountability until the pain hits home.

Part 3: Cybersecurity Doesn’t Win Elections: So Politicians Don’t Give a Shit
If the voters don’t care, the policymakers won’t either.

Part 4: Breach? Jackpot. How the Legal System Profits from Failure
Class-action lawsuits are a business model. Prevention isn’t.

Part 5: Selling Fear: Why the Industry Loves the Chaos
Confusion sells. Simplicity doesn’t. That’s intentional.

Part 6: We’re Addicted to Short-Term Thinking (And It’s Screwing Us All)
Security is long-term. Most leadership is not.

NOTE: I’ll drop examples, stories, and/or sources between series posts. Probably.

Let’s Fix This (Or At Least Try)

I’m not claiming to have all the answers. I don’t.

But I do know this: we’re not going to fix cybersecurity until we fix accountability.

So let’s talk about it.
Let’s challenge the bullshit.
Let’s start calling things what they are.

Follow the series here and on the InfoSec to Insanity podcast (links posted here soon).
If you have something to say about any of this, speak up, whether you agree or disagree.

If you’re tired of watching the same broken system hurt people, you’re in the right place.

Let’s go.


One thought on “Accountability in Cybersecurity is Broken, Part 1: Is It Really Broken?”

  1. Good post, thanks Evan. I agree. The problem is that the incentive system now prevailing (money and power outrank everything else), keeps this problem in place. The decision-makers don’t want change because they benefit from the fact that the system is broken, and has been broken for a long time. The fact is that we have laws on the books now (for example the fiduciary duty of oversight) that could hold the decision-makers, specifically directors and officers, personally liable for the damage they cause through their reckless and negligent behavior, but alas the existing system chooses not to enforce these laws. Looks like we are going to have to wait for a “Pearl Harbor moment,” and then perhaps we’ll get a little change. I would have thought that such a moment would have come and gone long ago (SolarWinds for example), but still things aren’t painful enough to force a change.
