COMMENTARY: Few jobs have evolved faster, or carry more pressure, than the role of the CISO. What was once a technical discipline has become core to enterprise risk, a boardroom priority, and a source of personal liability. Every decision gets scrutinized, and every omission has consequences.
Regulation has formalized this shift: In the U.S., the SEC’s disclosure rules raise expectations for transparency and board oversight. EU laws like NIS2, DORA, and GDPR also impact U.S. companies operating in European markets. It’s a clear message: cybersecurity is no longer just a technical issue — it’s a business imperative that's evolved the CISO role into a strategic business enabler.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
When the SEC first charged SolarWinds and its CISO (a case recently dismissed), the warning was unmistakable: personal accountability in cybersecurity is not hypothetical. Major breaches of late — from Change Healthcare and UnitedHealth to MGM Resorts — show how quickly a technical failure can become a business crisis. Operations stall, customers are affected, and the spotlight falls on leadership: who knew what, when, and how it was handled.
CISOs still bear disproportionate accountability for risks beyond their control. To move beyond the blame culture, CISOs need clear data that quantifies risk, supports defensible decisions, and spreads responsibility across the organization.
Accountability without control
Most CISOs only own a fraction of what drives security outcomes. The tools, processes and people that shape cyber resilience sit across business units, technology teams, and third parties. Yet when something fails, CISOs are expected to answer for all of it, without the authority that ensures security has been effectively managed across the company.
While other functions can rely on a system of record to offer a single source of truth, security cannot. People teams have Workday. Sales has Salesforce. Finance has SAP.
CISOs, on the other hand, have spreadsheets. Without a single source of truth, they can’t maintain a complete asset inventory, verify control status, assign ownership, translate risk into business terms or track remediation.
The result is predictable: blind spots and coverage gaps that lead to breaches — often preventable by existing controls if correctly deployed — yet difficult to explain to boards, regulators and customers.
This isn’t a failure of people or effort. It’s a process problem born from complexity. The pace of digital transformation has expanded the attack surface faster than visibility has kept up. More technology means more dependencies, more interfaces, and more room for error. And with security responsibilities spread across teams who may not understand the technical context, accountability becomes blurred.
Build collective assurance
Right now, most CISOs can’t confidently assess coverage gaps or prove compliance with evolving regulatory demands. Shared accountability begins with shared visibility, clarity, and clear prioritization — and holding those responsible for the work to account. That requires establishing a true system of record.
Because traditional tools can only report on what they can see, they cannot identify where they are not deployed — they make unreliable witnesses. Establishing a verified inventory of all assets and controls, mapped to business context, eliminates these blind spots.
Once that visibility gets shared across teams, risk management becomes a collective effort rather than one confined to the CISO and their team. Finance can see exposure and understand how it might impact the bottom line. Operations can identify where controls aren’t performing and address issues. Business teams, technology teams, and third parties understand priorities based on business risk — and security leaders can demonstrate diligence and progress using traceable evidence, not assumptions.
This transparency builds trust and creates a defensible position for the entire organization. Indemnity insurance may still serve as a safety net, but it’s no substitute for true visibility and cyber resilience.
The accelerating pace of business and technology has led to complexity that’s made digital estates harder to see and control. The knowable becomes unknown — and those blind spots lead to preventable breaches. By mastering the knowable — assets and controls — organizations can better protect against the unknowable, like emerging threats and third-party risks.
When we shine a light on these areas of vulnerability and give context to threats, security teams can collaborate with control owners to validate and prioritize the areas of greatest risk. With that foundation, cybersecurity becomes something the whole organization can engage with — translating technical risk into language and actions that make sense to every function.
This spreads responsibility across the business and lowers the odds of a preventable breach. CISOs who establish a system of record to close the accountability gap enhance collaboration and reduce organizational risk, while also demonstrating cyber resilience and mitigating exposure to litigation and regulatory scrutiny.
Jonathan Gill, chief executive officer, Panaseer

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.