Last December, Park Dae-jun, the chief executive of Coupang’s South Korean business, resigned. A data breach had exposed the personal data of nearly 34 million customers, almost its entire user base. Park said he was stepping down to accept “grave responsibility” for the breach.
His resignation followed South Korean government investigators discovering that no one had pulled off a never-before-seen, impossible-to-stop attack. A former engineer who knew the system’s weaknesses walked back in through a virtual door the company forgot to close. Investigators called it a management failure, not a technical one. The blame fell on the CEO, not the CISO.
In other words, someone at the top made decisions, or failed to make them, that left millions of people exposed. Boards are starting to connect those dots, and they are looking higher up the org chart.
Misplaced Blame
For years, business leaders pointed at the CISO when something went wrong. CISOs own the security program, so they own the outcome. The problem with that reasoning is that they don’t own the decisions that actually determine whether an organization is secure.
CISOs don’t set the budget. They don’t decide how much risk the business is willing to accept. They can’t force other business units to comply with security policies when those units have different priorities. They present the potential risk and how to mitigate it to the board, then leave it to leadership to decide the next course of action.
Cyber outcomes reflect those decisions, which means accountability has to follow the decision-making power. Underinvesting in security is a leadership choice, not a CISO failure. And in most organizations, the person holding that decision-making power is the CEO.
Why the Reckoning Is Happening Now
Boards didn’t use to see a breach as their problem. That’s changing as the financial and reputational damage becomes too big to put on IT’s shoulders. A breach that exposes tens of millions of customers doesn’t just create a legal headache. It creates negative headlines, moves stock prices, and triggers regulatory scrutiny. CEOs are answerable for all of that.
While boards ask the harder questions before a breach, regulators ask them after one occurs. Governments worldwide are treating cybersecurity failures as evidence of corporate negligence rather than bad luck.
That pressure is reshaping the CISO job description. I’ve always believed the CISO’s role is to give leadership clear visibility into risk. Then it’s up to the CEO to decide what to do about it. Without a mandate from the top, security strategies stall at the proposal stage.
Taking Accountability
Building accountability into a company’s operations can be hard. It starts with how organizations measure and compensate executive performance. If the board ties the CEO’s compensation to revenue growth without accounting for security outcomes, the message to the organization is clear: security is not a business priority.
That has to change. Boards should define specific, measurable security expectations and hold CEOs responsible for meeting them. That includes establishing thresholds with real consequences for failing to act on known risks.
CEOs also need to mandate Zero Trust across the enterprise. I introduced the Zero Trust security model 15 years ago while working as an analyst at Forrester Research, and have spent every year since making the case that Zero Trust is a leadership decision, not a technology purchase. It’s a strategic decision that establishes how the organization treats risk. It says we assume a breach will occur, so our focus is on containing it.
Stop Scapegoating the CISO
Park Dae-jun’s resignation changed Coupang’s internal accountability structure. It demonstrated that when boards force CEOs to own cybersecurity outcomes, they create an incentive structure that aligns cybersecurity with business priorities. A government investigation declared a massive breach a management failure, and the CEO resigned to accept responsibility. Clearly, something has shifted.
Organizations don’t change until the people making decisions feel the consequences of those decisions. For cybersecurity, that moment is arriving. Boards are paying attention. Regulators are paying attention. And CEOs who haven’t treated security as a core business responsibility are running out of time to start.
The CISO’s job isn’t to absorb blame. It’s to give leadership the visibility it needs to make smart decisions. What leadership does with that visibility is on them.
Join our LinkedIn group Information Security Community!
