On "Responsibility Without Authority"


Continuing my line of thinking from my previous post, "Do You Need a Security Department?", I wanted to speak to this notion of having responsibility without authority. It seems to be a problem common to many security people in their respective organizations, and it perplexes me greatly.

Traditionally, the response to this problem has been to undertake building a security organization that could essentially assert authority over key areas (access management, risk management, audit/testing, logging and monitoring, incident response, etc.). This approach made sense because most orgs were (are?) rife with people who simply do not "get" security. Rather than undertake a massive educational effort alone, which would take time and extend exposure, it instead made sense to just take ownership of these areas to ensure that the "right things" were done.

Today, however - and this is really the underlying point of my post - that may no longer be the best approach. It will absolutely depend on the organization, no doubt about it. And I'm not saying you cannot or should not continue with the traditional approach. However, it bears consideration whether or not it is optimal and effective to grab authority rather than to simply make sure that the responsibility itself is properly placed.

If you think about it, security likely should not be truly responsible for much of anything. This whole "responsibility without authority" scenario is, in fact, a grave injustice that enables bad behavior; specifically, behavior where people deflect responsibility inappropriately. Culturally, this seems to jibe with a larger issue (it reminds me of Douglas Adams' "SEP field generator" concept). If you don't have to own your actions, then you don't have to act responsibly or appropriately. Requirements without consequences for failing to conform are worthless.

In the end, I'm increasingly inclined to believe that the reason we are where we are in this industry is that we in security roles have taken on too much responsibility. It's time to stop enabling bad behavior.

1 TrackBack

Andy Willingham (Andy ITGuy, @andywillingham) had a post up early this week titled "Building a security program from the ground up". It's an interesting read, though a bit on the naive side. Having just come out of an environment where...

1 Comment

"However, it bears consideration whether or not it is optimal and effective to grab authority rather than to simply make sure that the responsibility itself is properly placed."

Exactly!

I think you hit on the true underlying problem. If people did their job correctly AND securely in the first place, there would be little for a security team to do (maybe that's a stretch... but certainly less).

About this Entry

This page contains a single entry by Ben Tomhave published on July 16, 2009 12:06 PM.

Do You Need a Security Department? was the previous entry in this blog.

Security B-Sides Needs Your Support is the next entry in this blog.
