Many organizations hold CISOs legally accountable for cyber risk while leaving budget control with other executives, creating a structural failure that surfaces only after incidents occur.
Jeremiah Udy, Managing Principal and Client vCISO at Vectari, draws on his federal and private-sector experience to show how accountability breaks when authority and financial control are split.
He calls for enforcing the authorizing official model, pairing top-down cultural support with clear responsibility mapping so risk ownership follows budget power throughout the organization.
Cybersecurity keeps repeating the same mistake: holding CISOs accountable for risks they don’t control and budgets they don’t own. When breaches happen, the blame lands on security leaders who lack the authority to fix the underlying problems. The fix isn’t another framework or tool, but the simple act of enforcing a basic principle of accountability that already exists. At the end of the day cyber risk is a financial decision, and ownership belongs with the leaders who control the money.
Jeremiah Udy, Managing Principal and Client vCISO at consultancy Vectari, has spent more than two decades in cybersecurity and risk leadership, and he views the CISO accountability debate through a different lens. That perspective was shaped early in his career in the federal government, including a key role at the U.S. Department of the Treasury, where responsibility and authority were tightly aligned. Moving into the private sector, he saw a sharp contrast: CISOs expected to answer for security outcomes without control over the budgets needed to address them. It is a structural flaw he believes organizations are only now beginning to confront.
"Every major cybersecurity framework already says the same thing in different ways: accountability has to sit with a senior executive who can actually accept risk and fund the decision. If the person signing off on risk can’t influence the budget, then the model is broken, no matter how good the framework looks on paper," says Udy. In practice, this disconnect leaves CISOs legally exposed while real decision-making power remains elsewhere in the organization.
Follow the money: "My role is to present risk clearly and honestly to the executive authorizing official and ask them to formally sign off on it," he continues. "And if that person can’t influence the budget behind the system they’re approving, then they’re probably not the right authorizing official." But a new structure isn't enough. For it to work, the CISO has to lead a cultural change. In this new model, the old stereotype of the security leader as a roadblock becomes less viable, a change that explains the growing calls for CISOs to earn a seat at the board table.
Guardrails, not roadblocks: Real empowerment, Udy explains, depends on top-down support, a philosophy he uses to vet his own employers. "I'm not here to be a roadblock; I am here to facilitate success. You want to work fast? Let's build guardrails for what success looks like. I'm going to go as fast as you want to go, but I need to be integrated as much as I can to make that happen."
The kind of partnership model Udy advocates for is built on a unified risk management framework. Security, he explains, is just one expertise under a larger organizational risk umbrella that includes legal, HR, and operational risks. By creating a "common language" for risk across the business—a practice aligned with the growing trend of integrating cybersecurity into Enterprise Risk Management (ERM)—the CISO becomes a central facilitator and "risk partner."
From tech bugs to org flaws: In Udy's view, a top-down cultural change is only effective when it's paired with a deep focus on organizational mechanics. Today, that perspective comes from a lesson learned early in his career. "I pivoted from doing something like penetration testing into that next layer because I realized, after I identified vulnerabilities and watched them not really get resolved at a root layer, that to really change security, you need to understand things at a different level in the organization," he recalls. "There's this whole mechanism that needs to be learned and tweaked."
The responsibility matrix: Eventually, that realization led him to his most practical tool for empowering the middle layer: the responsibility matrix. "When I go into a large organization, I can find the org chart, but where can I find the responsibility matrix of who's responsible for what?" he asks. The matrix he's describing isn’t a full RACI chart mapped across the org chart, but a clearer articulation of what each leader is responsible for and how that accountability is sponsored at every level. Organizations often avoid doing this because it requires hard conversations, yet those conversations speed up discussions later when they matter and strengthen clarity well beyond risk ownership.
Ultimately, Udy argues that real organizational resilience isn't found in individual heroics, but in systematic processes. "When you push accountability beyond the executive layer, you start to see where ownership actually breaks down," he says. "That’s what empowers middle management and exposes conflicts that would otherwise remain hidden and unresolved."
He contrasts this with companies that rely on key leaders to force change—a fragile approach prone to frantic, one-off decisions. "If you have to wave a magic wand as an executive to make change happen in your organization, there's a problem. You should be able to facilitate those changes in a process-driven way," Udy concludes. "If you can't do that, you're going to be behind the curve. The next thing you know, you're going to have to wave that executive magic wand over and over again. And as soon as you swap out leadership, things are going to grind to a halt."
