Accountability Without Control Is Breaking Security Leadership

Marshall Erwin

Chief Information Security Officer

The CISO has always been accountable for incidents. That hasn’t changed, and it shouldn’t. What has changed is this: we’ve increased accountability without giving CISOs more control.

The role has moved closer to the center of the business. CISOs are more involved in incident response, more exposed to board-level scrutiny, and more tied to regulatory outcomes.

On the surface, that looks like progress. Security is now treated as a business issue, not just a technical one. But a seat at the table doesn’t mean control. 

In most organizations, CISOs don’t own the systems they’re securing or the decisions that shape risk. Accountability sits with the CISO. Control sits across the organization. 

That mismatch is starting to make the role unsustainable.

Accountability Alone Isn’t Improving Security

If accountability alone led to better security outcomes, this would be a different conversation. But that’s not what’s happening. Cyberattacks continue to grow in frequency and impact.

Organizations are reacting. Our research shows that 94% have made changes in response to rising CISO accountability. The issue isn’t whether they’re acting — it’s how. Many of the changes focus on managing exposure: more documentation, more scrutiny, more legal protection. Accountability is often driving defensive behavior — protecting the organization after the fact, rather than reducing the likelihood of an incident in the first place. 

Instead, accountability should drive alignment. It should force clear conversations with the executive team about what the real risks are. It should lead to better ownership and ensure that budgets and resources match the threat landscape. In many cases, they don’t, which makes it harder to act on the risks that have already been identified.

Why the Gap Keeps Growing

This model — where accountability is centralized and control is distributed — only works when the organization moves as one. In practice, that rarely happens.

And as organizations move faster, that misalignment becomes harder to manage. Security teams can identify risk, but addressing it depends on decisions made by other teams. So the gap grows, not because security leaders aren’t doing their job, but because the system around them isn’t set up to support it.

What’s missing isn’t the ability to act when incidents arise. It’s visibility and enforcement. At a basic level, many organizations still struggle to know what’s running in their environment — what tools are in use, where data is flowing, or how widely something is deployed. 

Even when risks are visible, acting on them depends on coordination, ownership, and the ability to enforce change across teams, and that’s where many organizations fall short. 

In a breach, CISOs aren’t just judged on what happened, but on whether they had the visibility and authority to act. In practice, that means demonstrating that risks were understood and that the organization was in a position to act, even if execution depended on other teams.

This isn’t new, but it becomes harder as environments grow and change faster. 

Just as Security Caught Up, AI Reset the Playing Field

For a while, it felt like security teams were getting on top of things. Controls were maturing, the fundamentals were improving, and there was a sense that the gap between attackers and defenders was narrowing.

Then the ground shifted again. AI has changed the shape of the environment almost overnight. New tools are being adopted quickly, and the attack surface is expanding. Usage spreads before policies catch up. In some cases, security teams don’t fully understand the risk until it’s already present. And even when visibility improves, enforcement is not guaranteed. 

Many security teams are back in a familiar position: trying to catch up. At the same time, expectations haven’t reset. If anything, they’ve increased.

This is even more visible in AI-first organizations, where ownership of incident response is often unclear and the pace of change is higher. More than half of AI-first organizations report confusion over ownership — more than double the rate of traditional organizations.

What Needs to Change

The answer isn’t to reduce accountability. CISOs should be accountable. That’s not in question.

But accountability without control doesn’t improve security; it creates friction. Organizations are holding one function responsible for outcomes that depend on the entire system.

Security needs to be built into how decisions are made, not layered on afterward. If the business is moving quickly — especially with AI — security needs to move with it.

That requires alignment at the leadership level. It requires clarity on ownership and resources that reflect the actual level of risk. And until control matches accountability, the gap will keep growing.

How Fastly Helps

Security teams need visibility into what tools are being used and whether they’re introducing risk into the environment.

Fastly’s Web Application and API Protection products help teams understand the traffic hitting their applications and identify malicious activity faster. The tooling is designed to reduce false positives, so teams spend less time chasing harmless activity and more time responding to real threats.

As AI tools spread across organizations, operational complexity increases too. Fastly brings capabilities like WAF, bot management, and DDoS protection together in one platform, which helps reduce operational overhead and makes incident response easier to coordinate.

If your security team is trying to keep pace with AI adoption, growing attack surfaces, and rising accountability pressure, learn how Fastly’s security products can help reduce noise, improve visibility, and speed up response times.
