Bollosoft

Engineering Leadership & Software Design

The Single Wringable Neck: Why Your RACI Is Putting Accountability in the Wrong Place

February 7, 2026 by Chris Bollerud

[Image: a single strong teal chain link surrounded by faded, disconnected gray chain links, representing focused accountability versus diffused responsibility]

Every organization has a moment when something goes wrong and the first question asked is, “Whose fault was this?” If the answer isn’t immediately clear, your RACI matrix has failed at its primary job. And if the answer points to someone who never had the authority to prevent the failure, your RACI is worse than useless. It’s actively creating the dysfunction it was designed to eliminate.

The RACI framework exists for one purpose: to establish a single point of accountability for every activity that matters. Old-school operators call this the “single wringable neck,” a term popularized in Andy Grove’s management doctrine at Intel. The principle is simple. Responsibility can be distributed. Accountability cannot.

What RACI Actually Means (and Where Most Teams Get It Wrong)

RACI assigns four roles per activity: Accountable (the single owner who answers for the outcome), Responsible (the person or team doing the work), Consulted (those whose input is sought before decisions), and Informed (those kept in the loop after decisions are made).

The most common mistake is treating Accountable and Responsible as interchangeable. They are not. The Responsible party executes. The Accountable party owns the outcome, including the decision rights, budget authority, and organizational clout to make things happen. When those are split between two different people, you need to be deliberate about who holds which role.

The second most common mistake is assigning multiple “A” entries to a single activity. Once you have two Accountable parties, you have zero. Shared accountability is a polite way of saying nobody owns it.

The CISO Problem: Accountability Without Authority

Nowhere is this dysfunction more visible than in information security. The CISO role has become a case study in misaligned accountability, and the consequences are playing out in boardrooms, courtrooms, and resignation letters across the industry.

The pattern is familiar. A breach occurs. The board wants answers. The CISO’s name surfaces first. But the infrastructure decisions that enabled the breach were made by DevOps. The application vulnerability was an engineering choice. The vendor that introduced risk was selected by procurement. The budget that constrained remediation was set by finance.

The data tells the story clearly. According to the Splunk CISO Report 2025, only 29% of CISOs report having adequate budget for their cybersecurity initiatives, and 62% said that postponing an upgrade due to budget cuts directly led to a successful attack. The Hitch Partners 2025 survey found that more than half of private company CISOs lack D&O insurance or indemnification policies. The UK’s National Cyber Security Centre found that in many organizations, CISOs believe the board is accountable for cybersecurity, while the board believes it’s the CISO. Everyone is pointing at someone else’s neck.

Meanwhile, the regulatory environment keeps tightening the noose on CISOs specifically. The SEC now mandates disclosure of material cybersecurity incidents within four business days. The NYDFS requires CISOs to personally certify compliance. The SolarWinds and Uber CISO cases demonstrated that security leaders face individual legal exposure for organizational failures. As Harold Rivas, CISO at Trellix, described at RSAC 2024: CISOs have high responsibilities that too often come with low authority.

Only 20% of CISOs operate at the C-level, according to Help Net Security research. In large enterprises, just 12% report directly to the CEO. The average CISO tenure is 26 months, significantly shorter than other C-suite roles. When you combine personal liability with limited authority and short tenure, you’ve built a system designed to burn through talent rather than manage risk.

The Root Cause: Confusing Risk Stewardship with Risk Ownership

The fundamental error is treating the CISO as the Accountable party for security outcomes when the CISO is actually the organization’s risk authority and framework owner. There is a critical distinction between these two roles.

A risk owner is the executive whose business outcomes are directly affected by the risk materializing. If a breach in the application code damages customer trust and revenue, the risk owner is the executive responsible for the product, not the person who wrote the security policy. If a cloud misconfiguration causes a data leak, the risk owner is whoever has decision rights over that infrastructure.

A risk steward (the CISO, in most organizations) defines the control framework, measures adherence, provides expert guidance, and escalates gaps. They are Consulted on activities where risk decisions happen. They are Accountable for the security program’s design and posture reporting. They are not Accountable for every outcome in every domain they touch.

This isn’t semantic. It’s structural. When the CISO is made Accountable for application security but has no authority over engineering priorities, you’ve created a guaranteed failure mode. The person who can see the risk can’t fix it. The person who can fix it isn’t measured on it.

Building a RACI That Puts Accountability Where It Belongs

A well-constructed RACI follows three principles.

First, the Accountable party must have decision rights. If they can’t prioritize the work, allocate the budget, or direct the team, they shouldn’t be the “A.” Accountability without authority is just a setup for blame.

Second, exactly one “A” per activity. No exceptions. If you can’t decide who should be Accountable, that itself is the problem you need to solve first.

Third, the CISO should primarily be Consulted, and Accountable only for activities they directly control, such as security controls, incident response, and GRC program management. For everything else, the operational owner is the Accountable party, and the CISO provides the risk framework they operate within.

Here is a RACI for information security domains that follows these principles:

RACI responsibility matrix showing accountability assignments across information security domains.

Domain / Activity                 | DevOps | Eng | IT  | Sec/GRC | HR  | Legal | Finance | Product | Exec
----------------------------------|--------|-----|-----|---------|-----|-------|---------|---------|-----
Infrastructure & Cloud            | A/R    | C   | C   | C       | –   | –     | C       | –       | I
Application Code                  | C      | A/R | –   | C       | –   | –     | –       | C       | I
Internal Apps (SaaS, Endpoints)   | C      | –   | A/R | C       | –   | –     | –       | –       | I
CI/CD & Release Mgmt              | A/R    | R   | –   | C       | –   | –     | –       | C       | I
Identity & Access (IAM)           | C      | C   | R   | A       | C   | –     | –       | –       | I
Security Controls & IR            | C      | C   | C   | A/R     | –   | C     | –       | –       | I
Privacy & Data Protection         | C      | C   | C   | R       | –   | A     | –       | –       | I
Hiring / Onboarding / Offboarding | –      | –   | R   | C       | A/R | –     | –       | –       | I
Employee Relations & Policy       | –      | –   | –   | C       | A/R | C     | –       | –       | I
Contracts (Commercial & Vendor)   | –      | –   | –   | C       | –   | A/R   | C       | –       | I
Vendor Mgmt & Procurement         | C      | –   | R   | C       | –   | C     | A       | –       | I
Budgeting & Spend                 | –      | –   | C   | C       | C   | C     | A/R     | –       | I
Product Roadmap & Requirements    | –      | C   | –   | C       | –   | –     | –       | A/R     | I
Strategy & P&L                    | –      | –   | –   | –       | –   | –     | –       | –       | A/R

Legend: A = Accountable (single wringable neck)  |  R = Responsible (does the work)  |  C = Consulted (input before decisions)  |  I = Informed (notified after decisions)

A few things to notice in this matrix.

Security / GRC is Accountable for exactly two domains: Security Controls & Incident Response, and Identity & Access Management. These are the domains where the CISO directly controls the team, the tools, and the decisions. For everything else, the CISO is Consulted. This isn’t a demotion. It’s a correction. It means the CISO’s expert judgment informs decisions without making the CISO the scapegoat for decisions they didn’t make.

Legal is Accountable for Privacy & Data Protection. This reflects the reality that privacy regulation is fundamentally a legal compliance obligation. Security provides the controls (Responsible), but the accountability for the organization’s privacy posture belongs with the function that interprets regulatory requirements and accepts legal risk.

DevOps owns Infrastructure & Cloud and CI/CD. Engineering owns Application Code. These teams make the daily decisions that determine whether security controls actually get implemented. Making them Accountable means their performance metrics include security outcomes, not just feature velocity.

Finance is Accountable for Vendor Management & Procurement and Budgeting. If the budget is inadequate to address a risk the CISO has escalated, that’s a Finance and Exec decision, not a CISO failure.

How to Validate Your Own RACI

Run your current RACI through four tests.

The authority test: for every “A” in the matrix, ask whether that person can unilaterally prioritize the work. If they need to lobby someone else for resources or attention, the “A” is in the wrong place.

The single neck test: count the “A” entries per row. If any row has more than one, resolve it. If any row has zero, that’s an unowned activity and a ticking liability.

The blame test: imagine a failure in each domain. Does the Accountable party have a defensible answer for what they did or didn’t do? If their only defense is “I told someone else to fix it and they didn’t,” accountability is misplaced.

The resignation test: if the person in the “A” column quit tomorrow, would the organization immediately know which risks are now unowned? If not, your RACI isn’t operationally real.
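The single neck test is the one of the four that can be run mechanically, so here is an added example (not part of the original post) that encodes the matrix above in its flattened text form, flags any row with zero or more than one Accountable entry, and reports how many necks each role holds. It assumes the column order shown in the matrix and uses "-" in place of the en dash for empty cells.

```python
from collections import Counter

ROLES = ["DevOps", "Eng", "IT", "Sec/GRC", "HR", "Legal", "Finance", "Product", "Exec"]

# The post's matrix, one row per line: domain name, then one cell per role
# ("-" stands in for the en dash the post uses for no involvement).
RACI_TEXT = """\
Infrastructure & Cloud A/R C C C - - C - I
Application Code C A/R - C - - - C I
Internal Apps (SaaS, Endpoints) C - A/R C - - - - I
CI/CD & Release Mgmt A/R R - C - - - C I
Identity & Access (IAM) C C R A C - - - I
Security Controls & IR C C C A/R - C - - I
Privacy & Data Protection C C C R - A - - I
Hiring / Onboarding / Offboarding - - R C A/R - - - I
Employee Relations & Policy - - - C A/R C - - I
Contracts (Commercial & Vendor) - - - C - A/R C - I
Vendor Mgmt & Procurement C - R C - C A - I
Budgeting & Spend - - C C C C A/R - I
Product Roadmap & Requirements - C - C - - - A/R I
Strategy & P&L - - - - - - - - A/R
"""

def parse_raci(text, roles=ROLES):
    """Map domain -> {role: cell}. Domain names contain spaces, so the cells
    are taken as the last len(roles) tokens of each line."""
    rows = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        domain, cells = " ".join(tokens[:-len(roles)]), tokens[-len(roles):]
        if not domain or len(cells) != len(roles):
            raise ValueError(f"malformed RACI row: {line!r}")
        rows[domain] = dict(zip(roles, cells))
    return rows

def accountable_roles(cells):
    """Roles marked A, including combined entries such as A/R."""
    return [role for role, cell in cells.items() if "A" in cell.split("/")]

def single_neck_test(rows):
    """Rows that fail the test: [] means unowned, two or more roles means shared."""
    return {domain: owners for domain, cells in rows.items()
            if len(owners := accountable_roles(cells)) != 1}

def accountability_load(rows):
    """How many single wringable necks each role holds across the matrix."""
    return Counter(r for cells in rows.values() for r in accountable_roles(cells))
```

Running `single_neck_test(parse_raci(RACI_TEXT))` on the post's matrix returns an empty dict, and `accountability_load` shows Sec/GRC holding exactly two necks, matching the discussion above.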

Fixing the System, Not the Symptom

The CISO accountability gap isn’t a CISO problem. It’s a governance problem. Organizations that load accountability onto their security leader without matching authority are optimizing for blame, not for outcomes. They will cycle through CISOs every two years, wonder why security posture doesn’t improve, and keep treating breaches as individual failures instead of systemic ones.

The fix is straightforward. Position the CISO as the risk authority who defines the framework, measures adherence, and escalates gaps to the executives who own the risk. Give operational accountability to the leaders who actually control the people, the budgets, and the systems. Make the executive team Informed on everything and Accountable for the strategic risk posture.

A RACI that works doesn’t protect anyone from hard conversations. It ensures those conversations happen between the right people, about the right decisions, before something breaks.

The single wringable neck should belong to the person who can actually turn their head.

© 2026 Chris Bollerud, Bollosoft. Unauthorized reproduction prohibited.

Filed Under: Culture, Leadership, Strategy & Governance