- The Board of Directors
- Employees (as individuals)
- Suppliers, distributors
- Outsource partners
- Legal authorities
This dimension includes most of the processes of governance and compliance, at least the interfaces between organization units and the external interfaces. But I chose not to call it "Governance & Compliance" because those are both formally codified processes and I felt it was important to include some of the less formal and tacit aspects. This is especially important if we want to encourage widespread acceptance of responsibility and accountability beyond the core executives. In addition, I felt the title "Responsibility & Accountability" focuses attention on performance, not just activity or formal structures.
"Responsibility" means that individuals take ownership of some aspect of cyber security and that they take action proactively to develop competence and to execute the associated tasks well. It also means they are thinking broadly about their area of responsibility, and not just following orders or instructions from above or from some mandates.
The prerequisite for any performance in this dimension is deciding who should be responsible for what. The biggest gap that most organizations face is that responsibility is not taken up by line-of-business managers and thus, de facto, it falls on the shoulders of specialist teams in Information Security, IT, Legal, or Government Affairs. Making this a separate performance dimension in the cyber security framework and measuring performance against goals puts a spotlight on this gap and calls for executive attention.
"Responsibility" includes not only the formal governance structure and processes, but also all the informal and tacit aspects. The latter are often carried in an organization's culture and make their appearance outside of formal channels. The most visible examples are disaster events where people spontaneously create ad hoc organizations without regard to their formal positions and roles in "normal times". Outside of disasters, there are similar opportunities for ad hoc organizations to seek the root causes of cyber security problems or to lead cross-organization improvement projects.
"Accountability" is related but different, and instead focuses on which individuals will be expected to "pay the price" when something goes wrong, either deficient performance or a cyber security incident. "Pay the price" need not have punitive meaning, because the most important form of accountability is the personal commitment of a manager or leader to "make it right" through commitment of their time, their resources, and even their personal reputation.
This is the proper performance dimension for compliance and other mandate regimes, as applicable. In a previous post on Operational Cyber Security and Single Loop Learning I was harsh and blunt in my opinion on compliance -- it should never be the sole reason for any aspect of operational cyber security. But, at a higher level and in the context of stakeholder relationships, it does have some value. Here, compliance is a mechanism to maintain trust between an organization and its outside stakeholders who are distant in time and space, and thus aren't in a position to monitor continuously or in much detail.
From the perspective of cyber security performance, an organization should aim to fulfill its compliance obligations in such a way that the stakeholders increase their trust and confidence in its cyber security performance overall, and not just in the specific details of the compliance regime. This means that "complying to the letter but not the spirit" of the mandates is unacceptable performance and should be judged as such.
The best way to guard against this and other dysfunctions is to measure responsibility and accountability broadly. The best measurement method is to look for visible behaviors, actions, and communications that demonstrate that the person in question is taking responsibility and accountability in the right circumstances. It is also useful to look for evidence that other people recognize the focal person as taking responsibility and/or accountability.
(That's it for the Ten Dimensions. I have one more post to summarize the interactions in the Second Learning Loop.)