In the event of a security breach, is the CISO ultimately at fault regardless of the business’s risk acceptance?

Anonymous Author
When risk manifests itself, we are still responsible for detecting and responding to it to prevent material harm or impact, regardless of the business’s acceptance of risk. We are risk managers, which means we always have to be prepared for risk potential to manifest itself and ready to minimize the damage. The damage may still be large, but at least it's contained enough that it doesn't create cataclysmic, material or significant harm. I've seen so many peers who say, “Well the business accepted the risk,” and absolve themselves of any responsibility to react to it because the business accepted it.
1 upvote
Anonymous Author
When the VP engineer says, "I got the boss to sign off on it, so what’s your problem?" the common response among the younger generation CISOs is, "Fine, you guys deal with it." But if there is a breach, it’s the CISO that will be dragged in. They all will be fine.
0 upvotes