Are You Accountable for Projects You Have No Authority Over?
If you’re a chief information security officer (CISO), or other-titled security leader, the world is awash with fantastic opportunities for career growth and learning. That is, until you start digging into some of the opportunities. If you’re investigating the future for yourself, I would like to offer you a short post about one of the most common pitfalls out there. I’ve had friends, colleagues and those I advise fall into situations where they get a raw deal based on two very simple words: accountability and authority.
First, let’s define these words.
Accountability refers to being ultimately responsible for the success or failure of something—whether it’s a General Data Protection Regulation (GDPR) project or a patch being applied. If you’re accountable, the buck stops with you. If the thing succeeds, it’s your win. If it fails, it’s yours to own.
Authority refers to your ability to enact change and mandate (force) things to happen. If you have authority over a team, you can make them do things with consequences for failure to comply. If you don’t have authority, you can simply ask nicely and hope that your sparkling personality is enough.
Here’s where it gets tricky. The CISO is often accountable to at least one executive leader in the company and, oftentimes, to the board. Meaning, if there are security failures, the CISO is the person called to stand before the board and explain. Accountability is a funny thing, though. Alone, without authority, it can land you in serious trouble. Allow me to give you an example.
I have a friend who was hired in to be a company’s first CISO. He was very excited as this was his first real CISO role, and the company seemed to be very receptive to making him their security lead. There was a team, and there was no precedent for him to live up to. So, how could he possibly fail? Simple… he had no authority.
The company fundamentally didn’t understand that things couldn’t just be “secured.” He was assigned to take on and build a third-party risk management program. Sounds pretty interesting, and definitely necessary, right? Except that a CISO should probably never own, and be accountable for, something he or she has very little authority over.
What I mean is, even though some third parties were deemed “high-risk,” company employees would still sign contracts with them, and the CISO had no veto power. Then the inevitable happened: a breach. Of course, an expensive incident response firm came in and pointed their fingers at a relatively high-risk third party that had been red on the dashboard for a while but was vital to the company; thus, no one really did anything. However, because this was a security-owned (accountability) project, the CISO was held to account for a failure he had very little control over.
Was that fair? Of course not, and it demonstrated the immaturity of this organization.
Unfortunately, by the time everyone realized it, the relationship with the new CISO was over, and they were left to fix this accountability/authority gap for the next CISO. Meanwhile, my friend was left looking for a job after being fired for something that was out of his control. Tough lesson learned, I’m sure.
So, my friends, as you go through your day, ask yourself this: Are you accountable for projects you have no authority over? If so, is it too late to renegotiate, or at least to put this on record with the right level of leadership? If it is, maybe it’s time to start polishing up the resume and thinking about how to strike that right balance at your next job.