Over the years, I have been witness to many instances of “responsible”/“accountable” word feuds. In truth, I have been maneuvered into the early stages of these tangents on more than one occasion. I believe that their presence is almost always a signal that effective risk management is no longer the mission.
Whenever compliance discussions evolve into arguments about the meaning of “responsible” versus “accountable,” stop and think about the trajectory of your effort. Chances are that you are no longer involved in “risk management.” The key is generally to ensure that there remains a strong link to compliance monitoring, reporting, and enforcement. Where there is no link, there is no information security, infrastructure, or infrastructure operations risk management activity. If you are a lawyer, and your focus is to use the “responsible”/“accountable” vocabulary to achieve some gain or to dodge some liability for your corporation, you have my support, but it is not related to the security business.
Tight-enough coupling between the descriptions of what must or should be achieved, and the monitoring, reporting, and enforcement used to ensure an appropriate level of compliance is a key indicator of an effective risk management focus.
Absent that coupling, attempt to re-focus the effort participants’ energy away from “responsible”/“accountable” word-smithing, and back toward the job at hand.