Think of a military mission.
Who is taking the risk of its failure?
Is it the General back at HQ? The overall responsibility, he (or she) would say, lies with him as commander. He is accountable to his men and his superiors for the success of the mission.
Is it the colonel in Intelligence providing information about enemy forces? If the information he (or she) provides is lacking and leads to the loss of troops or the failure to secure the target, he will carry a lot of the blame.
Is it the captain leading his (or her) troops into enemy territory? He will bear personal risk as well responsibility for the men and women under his command.
Is it the troops who are following orders? They also are taking risk, especially if they have a chance to express concerns.
Surely, it is all of them.
The people taking the greatest risk are those who are putting their lives at risk.
Who, then, is taking cyber risk?
Is it the board and top management, who are deciding how much scarce resource to invest in breach prevention, detection, and response?
Is it the CRO who provides information to leadership on risk, including cyber risk?
Is it the CISO and his team, who actually defend the enterprise?
Or is it the business leaders whose initiatives are damaged or worse should there be a security incident?
Surely, it is all of…