Accountability the Non-Negotiable Asset
In business, accountability is something that cannot be stressed enough. This was true before the economic breakdown of 2009, and will continue to be long after. Accountability is of paramount importance and perhaps more so than anything else, it is a good thing. Accountability is something that at some base level, all humans can relate to. Ask any child whether or not they receive reprimanding by their parents when found to be in violation of a rule and you will almost assuredly receive a response of ‘Yes’. If you receive a ‘No’ than perhaps, that is a sign of bigger challenges and problems to come. Regardless of the response, my belief is that you would be hard pressed to find anyone with any amount of intellectual honesty who would say that being accountable is a bad thing.
Accountability is a good thing. It is of imperative importance. Accountability aids us in the definition; maintenance and articulation of healthy boundaries that all humans need and require (though are not always seen or found present). Boundaries, rooted in the freedom afforded by accountability, enable us to live, grow and prosper with the understanding that we are all responsible for our actions (of course there are things which we cannot control however our responses to external stimuli as Marcus Aurelius taught us, are well within our sphere of influence). Accountability provides much more in the way of freedom than most would initially suspect.
As information security professionals, we should all (I will not assume that all do however, I will suggest that we all should), be cognizant of the value of accountability. If one looks at the continuum of information security, and its role within modern business today (regardless of the vertical or sector), one can conclude that being accountable should not be negotiable. We do not live in a perfect however and as a result, we must assume that in some organizations, for better or worse, it will be seen as being negotiable. In those cases where it is deemed negotiable, one need not look any further than to the leadership in place and their vision for both the culture. Similarly, in those environments where it is deemed unacceptable to be negotiable with respect to accountability one need not look any further than the organizational the leadership teams. When moral flexibility is allowed to negatively influence accountability, it should surprise no one when armies of auditors, assessors, consultants, vendors descend upon the environment in question to aid the bewildered, understaffed information security teams and management. There is blood in the water and sharks can smell it for miles off.
The impact upon the organizational culture, receptivity and tone becomes more pronounced as well. The cultural attitudes of the organization in question, in addition to the sub-cultures that exist within the primary organizations business units. Any number of scenarios can come about as a result from those that are extremely open, productive and collaborative to those that are terribly conflicted and shut down from a productivity perspective. Enterprises (whether in the public or private sector), do not need to settle for scenarios which encourage mediocrity and closed minded attitudes. The establishment of accountability as an elementary aspect of organizational culture and politics (social and / or formal), is a wonderful place to begin. This does not mean that organizations should begin encouraging Orwellian information gathering campaigns where rewards are given to those who inform on their co-workers infractions (real or perceived), but rather where all parties from within all roles understand their contribution to the organization in any and all forms to and including being accountable for ones’ own actions and to one another so as to prevent any damage to the organization and / its assets (tangible and intangible alike).
You might be saying to yourself as you read this “that sounds wonderful Will, however I live in the real world and work there to. I have no use for esoteric philosophical idealism when I need to get the job done today, especially when I have to demonstrate compliance for God knows what to God knows who”. Fair enough, I can appreciate that which is exactly why reply would go something like this “Of course you don’t, you’ve got a lot to accomplish in little time and with even less in the way of resources however if you take a few steps back from the situation, employing observing ego you will see that the advocacy of accountability in the form I am speaking of (predominantly through sound risk management based security programs and frameworks), would relieve you of much (not all), of the challenges you face”. Crazy you? Unrealistic? Immature? Handsome (had to throw that in to see if you were paying attention 
. My assertion is that through the adoption of a solidly crafted risk based security program and framework; accountability can be achieved where it currently does not exist and supported & enhanced where it already does so.
So how do we get there from here in the absence of accountability? The first step is to revisit your organizations P3 (process, procedure, and policy) to see what exists (if anything), to do date. Odds are, something does though the state and maturity might vary. Should you find yourself in a situation where you have none or what is roughly the equivalent of none, fear not. This is not necessarily disastrous however, it should be addressed and amended swiftly in order to ensure the organization maintains its risk posture or, at the very least, becomes cognizant of it.
