As cyber incidents become an inevitable reality for organizations of all sizes, questions around accountability, ownership, and responsibility continue to grow in importance.
Nearly three-quarters of organizations (73%) now say the CISO is ultimately responsible when breaches occur. But rising accountability hasn’t come with rising authority. That gap, Fastly CISO Marshall Erwin says, is reshaping — and straining — the role. The finding comes from Fastly’s 2026 Global Security Report, “The AI Speed Tax,” based on a survey of 2,000 IT decision-makers fielded in Q4 2025.
Accountable, but not in control
At first glance, a 73% figure might look like clarity about who is responsible for remediation, incident response, and refining a defensive posture. According to Erwin, the number simply underscores the unfortunate fact that CISOs too often get saddled with post-breach blame.
“The CISO should be responsible ultimately for shaping the response to an incident,” Erwin says. But concentrating responsibility for a breach on a single department, or on the CISO alone, is counterproductive.
“The challenge is that the tactical response often sits elsewhere in the organization,” says Erwin. “Who’s acting as incident commander, analyzing security events, or managing technical remediation may not report directly to the CISO at all.”
That’s accountability without the tactical execution — the triaging, containing, and remediating — to back it up. Not good, Erwin says.
Inside the organization, the picture is split on basic clarity: 43% say there’s a clear answer to who’s responsible for incidents, and 43% say there isn’t. Asked which departments actually carry that responsibility, respondents named IT operations (69%) and cybersecurity teams (64%) most often, while executive leadership — the CISO included — was named by just 36%.
When a CISO isn’t singled out as the sole point of blame, and accountability is shared across departments, organizations see incident response times improve by as much as 62%, Erwin says.
This reflects a broader shift in how organizations are approaching cybersecurity leadership, according to Erwin. The effectiveness of incident response is determined less by reporting lines and more by relationships across the organization.
Yet there is still work to be done. The CISO’s office is named as a responsible party by little more than a third of respondents (36%) — far behind IT operations and cybersecurity teams — suggesting many organizations remain caught between traditional hierarchical structures and modern collaborative security models. Translation: accountability has been pushed toward the CISO faster than control or resourcing has followed.
That mismatch shows up most sharply at AI-first organizations. Among them, 79% say the CISO is ultimately held responsible for breaches, versus 57% at traditional organizations — meaning blame concentration on the CISO is rising fastest exactly where security complexity is increasing fastest.
“I actually think it’s less a question of where the CISO sits and more a question of the relationship between other key stakeholders and whether there’s a shared responsibility model,” Erwin says. “Almost any reporting structure can work if the CISO has the right relationships with engineering and IT leaders.”
This becomes especially important during complex incidents involving third parties, software suppliers, or operational technology. Supply chain attacks and vendor-related incidents have demonstrated that cybersecurity risks often extend beyond an organization’s direct control.
“Third-party risk management is often one of the responsibilities that a CISO organization owns directly,” he says. “It’s part of managing the outer perimeter of the organization.”
Shifting toward liability
While accountability remains a critical part of the role, the conversation is increasingly shifting toward liability. The Fastly report finds that 94% of organizations made policy changes over the past year to address concerns about increased personal liability for CISOs — among them, additional resources and legal support (45% each), giving the CISO a seat at the table for strategic decisions (44%), and increased scrutiny of security disclosure documentation (42%).
Erwin is skeptical that these changes move the needle on actual risk. The report describes many of these measures as “CYA (cover your ass) policies.”
“These measures are nice, but little more than self-preservation,” Erwin says. “Those aren’t actually improving your security posture.”
Incident response: Engagement up, outcomes mixed
CISO involvement in incident response has also jumped, with 82% reporting active participation and 74% reporting increased CISO engagement over the past year.
One bright spot: investment in incident response appears to be paying off. Organizations that invested in post-incident reviews (52%) and response automation (43%) saw real improvement — average recovery time across all organizations dropped from 7.34 months to 6.08 months year over year. That’s an investment-and-process story, not a shared-responsibility one, Erwin says, and worth being precise about.
Beyond governance, transparency has also emerged as a defining characteristic of effective incident response. “The worst thing that can happen during a major incident is being perceived as not being transparent,” Erwin says. “Customers need to understand what happened, what you’re doing about it, and how you’re going to prevent it happening again.”
The findings ultimately cut against a clean accountability success story. CISO responsibility for breaches is more concentrated than ever, but the authority, resourcing, and organizational alignment needed to back that accountability haven’t kept pace.