What is Responsibility Vs Accountability?
Responsibility and accountability are two terms that are often considered synonymous and used interchangeably. However, they have very distinct meanings.
Responsibility means being delegated the job of completing a task, usually with the skills and experience required to do it. Responsible people ensure that the actions needed to maintain and support the infrastructure or the ecosystem are completed. For example, whilst a Risk Manager role is accountable for the overarching risk strategy (threat, vulnerability and business impact assessments, etc.), the outcomes of those assessments might be tasked to other teams to remediate identified issues.
Accountability means being legally liable for the task being achieved, that is, for its completion by the responsible individual or individuals. Accountability ensures that key roles within the environment hold appropriate powers to make decisions in that environment. In addition, these roles hold the budget to ensure the ecosystem is maintained. This can be referred to as the “who” and “why” of the four quadrants of the responsibility and accountability model.
How should accountability and responsibility be assigned?
Responsibility must be assigned to security functions that have the ability and experience to carry out the tasks. Accountable individuals must have suitable management authority. Identify the tasks and resources essential to complete the objective. For example, a skilled manager should be assigned to any Risk Assessment project.
Roles are largely dependent on the size of the organisation. Subject to how those roles are structured in the environment (GRC, Strategy, Architecture, Security Management, Operations, Continuity Management), accountability and responsibility can be assigned to these business units. A single business unit can be responsible for a group of tasks to achieve an overarching objective. That objective is owned by a person or persons who are accountable for that deliverable.