Why is it that risk cannot be completely removed? How low do you believe is an acceptable level of risk for an information security manager to accept and why? If an information security manager decides to accept a certain level of risk and a security breach occurs, should the information security manager be held personally responsible? If so, why and what should happen? If not, why not and who should be held responsible? What is the difference (if any) between someone being responsible and someone being accountable?
You cannot know what you do not know. With such a large and ever-expanding body of unknown knowledge, it is impossible to eliminate risk entirely. As risk management is the balance between the cost of prevention and the cost of repair, I believe any information security manager should be willing, depending on the circumstances, to accept any level of improbable risk, so long as the cost of repair does not outweigh the cost of prevention. For instance, it costs almost nothing to back up an important flash drive. Although flash drives are widely used and only rarely malfunction, the cost of prevention is so low that there is no level of that risk the information security manager should accept.
Were a security manager to recommend taking no action against a threat, in accordance with the company’s risk appetite, and a breach did in fact occur, one would be hard pressed to find the security manager at fault. Most of his or her recommendations are just that, recommendations. Any action is typically cleared with the CFO and CEO, and unless the security manager neglected entire aspects of the situation when performing the risk analysis, or inadequately hardened network components in a way that led to the breach, I would say he or she should not be held personally accountable, even if he or she is ultimately responsible.
The distinction between responsible and accountable, in this instance, is punitive. Even if the security manager was responsible for the equipment that was breached, assigned the password, and performed the risk analysis, as long as the job was done to the best of his or her ability, he or she should not be held accountable.
The only time a security manager should be held accountable for a data breach is when he or she is found guilty of gross negligence: not changing default passwords, not updating firewall rules, and falsely recording that such actions had been taken. As mentioned earlier, there is no way of knowing what we do not know, and I do not believe someone should be punished for ignorance, only for willful inaction.