Should you hold employees accountable for cyber security?

There’s a big difference between accountability and responsibility.

“Employees should be held more accountable for security”

I hear this statement just about every day. Security professionals are often frustrated that employees don’t seem to take security seriously. What’s to be done?

… “People keep making the same mistakes over and over again!”

… “Security should be everyone’s responsibility.”

… “We need to do a better job at holding people accountable.”

In our society, we use the words Responsibility and Accountability interchangeably — but there’s an important difference. Understanding this distinction is critical if you want to create lasting behavior change in your organization.

Responsibility happens INSIDE the mind.

Accountability happens OUTSIDE the mind.

To be Accountable is to be held to account — to someone or something else. To be Responsible is, literally, to have the ability to respond — when there’s a challenge, an upset, or when something needs to change.

Often, when we drive accountability INTO the organization, we drive fear in along with it. This causes responsibility to be driven OUT of the organization.

As shown by self-determination theory, an internal felt sense of responsibility is a much more powerful motivator of behavior change than a structure of external accountability. And before you ask — I’m not saying that there can’t be sanctions for negligent or careless behaviors. It really comes down to a question of effective leadership — how do I apply the most leverage to change a situation?

If you want to learn more, a great starting point is Christopher Avery’s work on The Responsibility Process. Chris’s work has been really influential in the agile software movement, and has been adopted by some of the leaders in that realm, including Tim Miller, the former CEO of Rally Software (now part of CA).

I’ll be writing more in my upcoming posts on the subject of personal responsibility and influencing behavior change. In the meantime, I’ll leave you with one final thought — it turns out that responsibility is not a character trait — it’s a state of mind. Being responsible means being in a responsible state of mind — and we can learn to cultivate this state of mind in ourselves.

As leaders, we need to be careful not to spend our energy trying to get everyone else to “take more responsibility” — that’s not how this works. 😀

Watch here as Christopher Avery explains the differences between responsibility and accountability.

As always, I’d love to hear your feedback. If you have any questions or want to suggest topics I should cover in future posts, please comment below. If you’d like to stay up to date with my latest articles, please click the +Follow button next to my name below.

-Chad