Accountability vs. responsibility


CISSP is a management-level certification. As an infosec manager, one of the most important concepts to wrap your head around is the difference between accountability and responsibility. We often use these terms interchangeably, so it’s easy to get confused. In this specific context, the distinction is critical, so you need to have a clear understanding of the differences between accountability and responsibility.

What is accountability?

Accountability means being ultimately liable and answerable for an asset. The accountable person, the asset owner, sets the rules and policies surrounding it, and accountability can never be delegated.

Responsibility, in contrast, refers to being in charge of a process or a task. It can be outsourced or delegated, and it can even be held by multiple people. The person who is responsible creates plans and gets things done.

The distinction between accountability and responsibility

This may still seem a little confusing, so let’s give you an example to make the distinction clearer. Let’s say a company has a financial system. This asset would ultimately be owned by the VP of finance or another senior person within the finance department. The VP of finance would be close to the asset and have a thorough understanding of it, which puts them in a good position to be accountable. They can set the rules and policies surrounding it to ensure that it is functional, secure, and maintains its integrity.

Does this ownership and accountability mean that the VP of finance is also responsible for configuring the servers and every other minute detail of the system? No, that would obviously be impractical. The VP of finance would lack the skills and the time to do it effectively. This is where responsibility comes in. The VP of finance can delegate responsibility to specific teams and individuals within the IT department to get everything done. These people are then responsible for keeping the financial system functioning smoothly. But they are never accountable! Accountability remains with the VP of finance.

If something goes wrong, it is ultimately the VP of finance who is liable. The VP may not even be the direct cause of the problem—it could be due to negligence from someone in the IT department. Still, the VP of finance remains accountable, because it was the VP who established the rules and policies, and it was the VP who delegated responsibility. If the team that they appointed was not up to the task of running the financial system smoothly, then the blame comes back to the VP of finance for not setting up the team and policies that are required to do the job successfully.

Summarizing accountability vs. responsibility

To recap, an asset owner is always accountable:

  • They are ultimately liable and answerable for the asset.
  • They set the rules and policies surrounding the asset.
  • Accountability can never be delegated.

To get things done, the asset owner can delegate responsibility to others:

  • Multiple people can be responsible.
  • The responsible parties are in charge of the processes or tasks.
  • They develop plans and implement appropriate controls.

Cybersecurity and privacy writer.
