Who owns cybersecurity risk when the stakes are highest, and how far up and down the chain of command does accountability reach? For most corporate leaders, the question alone is paralyzing. Now, in the absence of a definitive answer, a practical framework is emerging to break the stalemate—and it comes from an unlikely source. To avoid blame-shifting after a breach, some experts point to the military's model of accountability. Like their corporate counterparts, commanders regularly make risk-based decisions to keep operations running smoothly. Already, the approach is influencing how strategic leadership thinks.
As an Operations Manager for the California Air National Guard's cyber protection team, Wesley Belleman has a front-row seat to both the military and private sectors. With experience that includes leading planning for FEMA's "Cyber Dawn" exercise and serving as a Ukrainian interpreter, Belleman's work in incident response and threat hunting often parallels the duties of elite corporate cybersecurity teams. From his perspective, a simple communication failure is usually at the root of every major breach.
"Every organization I've ever seen breached already had all the information they needed to prevent it. The failure was a result of the left hand not talking to the right hand in time," Belleman says. Instead of copying the military, he encourages enterprise leaders to learn from how it fixes its own flawed systems.
Mission impractical: "The military operates on the 'talk softly and carry a big stick' idea," Belleman explains. "We conduct extensive training for scenarios we hope never occur. At that scale, I don't see that happening in the private sector. It just wouldn't be feasible."
For example, Belleman points to NIST's Risk Management Framework (RMF) as precisely the box-checking compliance exercise to avoid. Such rigid reporting creates a false sense of security, he explains.
Chain of command: Inevitably, when a failure does occur, a reactive search for the scapegoat ensues soon after. "The person signing off on the risk—the 'authorizing official'—has no way of understanding the full context of the system. A flawed idea persists that you can communicate everything to the CEO and make it their sole responsibility. The reality is, they don't have the context, so that risk gets distributed. This leads to the real issue: when a breach happens, who do we blame?"
A breakdown in top-down risk ownership is precisely why a new, decentralized model is gaining traction, Belleman says. "I've seen people try to communicate risk with a cool-looking stoplight chart that misses a ton of context from the lower levels. Functionally, this is precisely why risk must be distributed."
Builders, not bureaucrats: Any debate about who's responsible is a distraction from the core goal of making systems more secure, he continues. "As security professionals, we must remember our purpose is to solve problems and be builders."
The military's response to this structural problem is the "Team of Teams" philosophy, Belleman explains. Introduced by General Stan McChrystal, former commander of American forces in Iraq, the model is built on mission command. "You understand the intent of your higher-ups, but the people at the lower level are the ones who execute. Our goal is to push risk acceptance further down, not just in cyber, but across the entire military."
Conscious collaboration: By decentralizing risk and mandating transparency, McChrystal’s model addresses accountability directly, Belleman explains. "General McChrystal promotes what he calls a 'shared consciousness,' which is built on constant communication among peers. The idea is to ensure leaders are making decisions with their eyes wide open."
Accountability in action: For Belleman, a culture of open communication also clarifies the CISO's own accountability. "If a CISO hides something or fails to present the full picture to business leaders, then of course the CISO accepts responsibility—potentially all of it."
Ultimately, a new operational mindset is already reframing the definition of readiness, Belleman concludes. "The goal isn't to build an impenetrable system, but a survivable one that can continue after an incident," he explains. "That is the true Zero Trust mindset. It means assuming an attacker is already successful, then asking, 'What would they do next?' so you can block that next step."
In closing, Belleman encourages leaders to focus on the main event. "The best security professionals I've ever worked with are problem-solvers. When they see a gap, they don't look for someone to blame. They look for a solution. The purpose of defining organizational roles is to empower people to build more resilient systems. That should be the primary goal. Blaming people is not the goal."