
How Not to Get Fired For Someone Else’s Failure

Are You Accountable for Projects You Have No Authority Over? 

If you’re a chief information security officer (CISO), or a security leader by another title, the world is awash with fantastic opportunities for career growth and learning. That is, until you start digging into some of those opportunities. If you’re weighing your own future, I would like to offer you a short post about one of the most common pitfalls out there. I’ve had friends, colleagues and people I advise fall into situations where they got a raw deal because of two very simple words: accountability and authority.

First, let’s define these words. 

Accountability refers to being ultimately responsible for the success or failure of something—whether it’s a General Data Protection Regulation (GDPR) project or a patch being applied. If you’re accountable, the buck stops with you. If the thing succeeds, it’s your win. If it fails, it’s yours to own. 

Authority refers to your ability to enact change and mandate (force) things to happen. If you have authority over a team, you can make them do things with consequences for failure to comply. If you don’t have authority, you can simply ask nicely and hope that your sparkling personality is enough. 

Are CISOs Responsible for Security Failures?

Here’s where it gets tricky. The CISO is usually accountable to at least one executive leader in the company, and often to the board as well. That means when there is a security failure, the CISO is the person called to stand before the board and explain it. Accountability is a funny thing, though: held alone, without authority, it can put you in serious trouble. Allow me to give you an example.

I have a friend who was hired to be a company’s first CISO. He was very excited, as this was his first real CISO role, and the company seemed very receptive to making him its security lead. There was a team, and there was no predecessor to live up to. So how could he possibly fail? Simple: he had no authority.

The company fundamentally didn’t understand that things couldn’t just be “secured”. He was assigned to build and own a third-party risk management program. Sounds pretty interesting, and definitely necessary, right? Except that a CISO should probably never own, and be accountable for, something he or she has very little authority over.

What I mean is, even though some third parties were deemed “high-risk,” company employees would still sign contracts with them, and the CISO had no veto power. Then the inevitable happened: a breach. Of course, an expensive incident response firm came in and pointed its finger at a relatively high-risk third party that had been red on the dashboard for a while but was vital to the company, so no one had really done anything about it. However, because this was a security-owned project (accountability), the CISO was held to account for a failure he had very little control over.

Was that fair? Of course not, and it demonstrated the immaturity of this organization.

Unfortunately, by the time everyone realized it, the relationship with the new CISO was over, and they were left to fix this accountability/authority gap for the next CISO. Meanwhile, my friend was left looking for a job after being fired for something that was out of his control. Tough lesson learned, I’m sure. 

So, my friends, as you go through your day, ask yourself this: Are you accountable for projects you have no authority over? If so, is it too late to renegotiate, or at least to put this on record with the right level of leadership? If not, maybe it’s time to start polishing up the resume and thinking about how to strike the right balance at your next job.
