It’s hot out here in downtown DC and we’re chatting up “accountability” over ice-cream.
You asked, “What’s accountability and why is it so important… and please don’t get all technical?”
I’m glad you asked.
That’s one management principle that has gotten a bad name. Seriously though, people think they understand it. They don’t talk about it as they should, yet it’s the dreadful word that typically creeps out when the organization is forced to investigate something or is trying to prove to the public or the media that it is trustworthy and reliable – and should not be judged by what went wrong.
Sadly, the word accountability is often associated with getting in trouble, like being the person to get fired, to take the blame, the person in the hot seat, demoted, or warned. In a nutshell, accountability is perceived and treated as everything but sweet, cool, good, positive, or rewarding like ice-cream.
Hold up for a minute, let’s look up the word. Okay, here’s how Merriam-Webster defines accountability: “the quality or state of being accountable; especially: an obligation or willingness to accept responsibility or to account for one’s actions.”
Sounds noble and fulfilling. Right? Because it should be.
In a real-life corporate setting the “noble and fulfilling” element should work if done well by management.
Definitely, it’s much more than just telling someone they’re in charge and then, when something doesn’t work out, making them the first to get the boot. Management should carefully consider who they’re giving authority to, and specify and assign appropriate responsibility and accountability to those roles of authority so they can accomplish the business goals of the organization. Early on, management should also set clear expectations and obligations, define the performance measures, and put a reporting structure in place to facilitate feedback and establish the right reporting lines to properly manage accountability. Each person accountable for a role should understand management’s expectations and willingly accept and commit to being accountable and responsible. If they don’t understand the expectations, management is responsible for making sure they do. Communication in the form of reporting and training is important to reinforce expectations.
The person who is made responsible and accountable should be able to explain the “why” and “how” of what’s going on in their role, their decisions and actions, and how they align those with enterprise business goals. Everyone that has a job in the organization is accountable for their role, not just senior leaders or information governance roles like the Chief Information Security Officer (CISO) or Chief Privacy Officer (CPO). So everyone who is getting paid by the organization should “walk their talk” every day they show up at work? Yes, business units, contractors and vendors included.
Accountability gets its bad name when management waits until compliance and audit time to start talking about it because a member of management is afraid they’ll be the scapegoat so they look for someone to trade places with. Investigators and auditors discern this. Also, accountability is not a good term to throw around after a major data breach has already happened. It’s too late then to pressure your people about their obligations when you should be looking for the root causes and solutions together.
Do you want to increase the trustworthiness of your organization?
You’ve answered, “Yes.”
Then don’t go around firing people when flaws were not detected in time, or after other unavoidable events like that. For information security and privacy there’s no 100 percent assurance that something you didn’t anticipate as a high risk won’t become one, due to many factors. Unless you can really prove negligence on that person’s part, you’re just throwing away your knowledge base. In today’s digital economy you need that knowledge.
What do you think knowledge is? You build it from experience – what works, what doesn’t, what’s weak, what’s strong, what new risks you’ve discovered and where additional monies and human resource allocation are needed for risk mitigation.
Building strong relationships is an important factor in making accountability and feedback work. We trust people who are comfortable enough to tell us (before we walk into a meeting), “you’ve got something green stuck between your front teeth.” Same thing applies to everything else at work. Anyone who is in charge or accountable is at the mercy of other roles at various levels for support. When juniors and equals are empowered to be open with the person who is the most accountable (for example, CPO or CISO), they show them their blind spots along the way even before a tiny oversight becomes a problem. Accountability should be at work daily, weekly, monthly, in every situation for the organization.
Firing kills morale. It interrupts the development of sound experience and relationships that foster accountability.
We’re chatting up accountability in general, but look at these reasons why some organizations fired their CISOs (via CSOonline.com):
- A damaging breach
- Failed to identify or report a bug
- Poor purchasing decisions
- Disagreements with senior management
- Inability to address risk to a satisfactory state
- Inability to address risk in an economical manner
- Poor reporting, exceeding their budget, not following business strategies
- For spreading FUD (Fear, Uncertainty and Doubt) rather than delivering practical solutions to these same problems
Well, whatever your reason and the situation, make informed decisions about firing a CISO or CPO. If management keeps firing them long enough, sooner or later it reflects on enterprise governance. The question will become, “How does management contribute to these same reasons for firing?” After all, it does take more than one to tango.
As executive management, here’s what you need to remember. Lessons learned are great if the person who was/is accountable is still around to apply them. When an incident unfolds and you’re the person accountable, you own that lesson forever – that’s your baby! For your CISOs and CPOs, it’s bad for business if you don’t have a very good reason for firing them or forcing them out of their roles. Have you yet assessed the risk of firing your CPO or CISO for the wrong reason, only to repeat the same mistake? You should. That’s part of what you’re accountable for. That’s corporate accountability.
Hope I answered your question. Thanks for a nice chat over ice-cream! 🙂
Check out my post on Roles & Responsibilities
Photo courtesy: Unsplash