SecurityWeek

Management & Strategy

How Not to Get Fired For Someone Else’s Failure

Are You Accountable for Projects You Have No Authority Over? 
If you’re a chief information security officer (CISO), or a security leader by another title, the world is awash with fantastic opportunities for career growth and learning. That is, until you start digging into some of those opportunities. If you’re weighing your own future, I would like to offer you a short post about one of the most common pitfalls out there. I’ve had friends, colleagues and people I advise fall into situations where they got a raw deal because of two very simple words: accountability and authority.

First, let’s define these words. 

Accountability refers to being ultimately responsible for the success or failure of something—whether it’s a General Data Protection Regulation (GDPR) project or a patch being applied. If you’re accountable, the buck stops with you. If the thing succeeds, it’s your win. If it fails, it’s yours to own. 

Authority refers to your ability to enact change and to mandate that things happen. If you have authority over a team, you can direct them to do things, with consequences for failing to comply. If you don’t have authority, you can only ask nicely and hope that your sparkling personality is enough.

Are CISOs Responsible for Security Failures?

Here’s where it gets tricky. The CISO is typically accountable to at least one executive leader in the company, and often to the board as well. That means when there is a security failure, the CISO is the person called to stand before the board and explain it. Accountability is a funny thing, though. On its own, without authority, it can put you in serious trouble. Allow me to give you an example.

I have a friend who was hired to be a company’s first CISO. He was very excited, as this was his first real CISO role, and the company seemed very receptive to making him its security lead. There was a team, and there was no predecessor whose record he had to live up to. So, how could he possibly fail? Simple… he had no authority.

The company fundamentally didn’t understand that things can’t simply be declared “secured.” He was assigned to build and own a third-party risk management program. Sounds pretty interesting, and definitely necessary, right? Except that a CISO should probably never own, and be accountable for, something he or she has very little authority over.


What I mean is this: even though some third parties were deemed “high-risk,” company employees would still sign contracts with them, and the CISO had no veto power. Then the inevitable happened: a breach. Of course, an expensive incident response firm came in and pointed the finger at a relatively high-risk third party that had been red on the dashboard for a while but was vital to the business; thus, no one had really done anything about it. Because third-party risk was a security-owned (accountability) project, the CISO was held to account for a failure he had very little control over.

Was that fair? Of course not, and it demonstrated the immaturity of this organization.

Unfortunately, by the time everyone realized it, the relationship with the new CISO was over, and the company was left to close this accountability/authority gap for the next CISO. Meanwhile, my friend was left looking for a job after being fired for something that was out of his control. A tough lesson learned, I’m sure.

So, my friends, as you go through your day, ask yourself this: Are you accountable for projects you have no authority over? If so, is it too late to renegotiate, or at least to put the gap on record with the right level of leadership? If it is, maybe it’s time to start polishing up the resume and thinking about how to strike the right balance at your next job.