In Enterprise Security, Hidden Costs of Unclear Ownership Often Fall on CISOs

Island News Desk
October 28, 2025
Enterprise Security

Nick Nolen explains why a CISO accountability gap is creating friction and burnout across security teams and how translating risk into financial language can help.

Credit: Outlever

Who owns a risk once the CISO has flagged it? In most enterprises that question still has no firm answer, and the resulting accountability gap is widening. Without clear ownership, security leaders are held responsible for outcomes they have no real power to control.

For an expert's take, we spoke with Nick Nolen, a VP and cybersecurity executive with over 15 years of experience leading security programs at a tier-one firm. In a recent LinkedIn post, he claims that the current model is broken. "The CISO is responsible for raising the risk, articulating the trade-offs, and presenting it in business terms. If nobody accepts the risk, it just sits with security until something happens," Nolen says.

  • Playing traffic cop: That accountability gap is creating operational friction, according to Nolen. "One key challenge is that CISOs aren't always the doers. We might raise risks or flag vulnerabilities, but we need the engineering or IT teams to fix them. It feels like you're playing traffic cop," he explains.

  • The dog and pony show: The same gap drains the most valuable resource, time, Nolen adds. "The CISO has also become customer-facing, brought out for a 'dog and pony show' in front of clients. That can take up 40% of my time, leaving the other 60% to protect the very environment I was hired for."

For Nolen, the most effective strategy for security leaders is to reframe the conversation in terms of finance—the universal language of the board. "You have to start talking in dollars and cents. As a board member, I don't care whether there are 1,000 or 200 vulnerabilities. What I really want to know is: Are we investing in a vulnerability management program? Is that program being run effectively?"

  • Money talks: The goal is to turn an abstract risk into a concrete financial decision, Nolen explains. "If a company is carrying $37.7 million in cyber risk, and their accepted risk threshold is $35 million, I can show them exactly what investments will bring them back under that line."

When risk is quantified financially, security stops being seen as the "department of no," he continues. "I can show the board a clear scenario: An investment of $250,000 in our vulnerability management program will reduce our overall risk exposure by $1.8 million. That's a 487% return on risk reduction."
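To make the arithmetic behind that kind of board conversation concrete, here is an added example; it is not Nolen's model and does not reproduce the article's figures. It uses a deliberately simple annualized loss expectancy model (ALE = single loss expectancy x annualized rate of occurrence), treats each candidate control as a fractional cut in event frequency that combines multiplicatively with other controls (an assumption made for the example), and greedily funds whichever control removes the most exposure per dollar until the register is back under the accepted threshold. The register, the control names and every dollar figure are constructed.

```python
"""Added illustration of dollar-denominated risk reduction planning.
Not from the article: the register, the investments and every figure
below are constructed, and the model (annualized loss expectancy,
ALE = SLE x ARO, with controls reducing ARO by a fraction) is a
simplification chosen for the example."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: dollars lost if the event occurs
    aro: float  # annualized rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy in dollars, the figure a board can weigh against budget."""
        return self.sle * self.aro


@dataclass
class Investment:
    name: str
    cost: float  # annual cost in dollars
    # Fractional reduction in ARO for each risk this control touches,
    # e.g. {"ransomware": 0.3} cuts ransomware frequency by 30%. Assumed
    # to combine multiplicatively when several controls cover one risk.
    aro_reduction: dict


def exposure(risks, investments=()):
    """Total ALE across the register after applying the given investments."""
    total = 0.0
    for r in risks:
        factor = 1.0
        for inv in investments:
            factor *= 1.0 - inv.aro_reduction.get(r.name, 0.0)
        total += r.sle * r.aro * factor
    return total


def reduction_per_dollar(risks, chosen, candidate):
    """Dollars of ALE removed per dollar spent if candidate is added to chosen."""
    removed = exposure(risks, chosen) - exposure(risks, list(chosen) + [candidate])
    return removed / candidate.cost


def plan_to_threshold(risks, candidates, threshold):
    """Greedily add the investment with the best reduction per dollar until
    exposure is at or under the accepted threshold (or nothing left helps).
    Returns (chosen investments, final exposure)."""
    chosen, remaining = [], list(candidates)
    current = exposure(risks)
    while current > threshold and remaining:
        best = max(remaining, key=lambda inv: reduction_per_dollar(risks, chosen, inv))
        if reduction_per_dollar(risks, chosen, best) <= 0:
            break  # no remaining control touches any remaining exposure
        chosen.append(best)
        remaining.remove(best)
        current = exposure(risks, chosen)
    return chosen, current


def board_summary(risks, chosen):
    """The figures a funding decision needs: cost, exposure removed, and the ratio."""
    before, after = exposure(risks), exposure(risks, chosen)
    cost = sum(inv.cost for inv in chosen)
    return {
        "exposure_before": before,
        "exposure_after": after,
        "cost": cost,
        "risk_reduced": before - after,
        "reduction_per_dollar": (before - after) / cost if cost else 0.0,
    }


# Constructed register: ALE 1.0M + 0.6M + 0.4M = 2.0M per year.
RISKS = [
    Risk("ransomware", sle=4_000_000, aro=0.25),
    Risk("web app breach", sle=1_500_000, aro=0.40),
    Risk("insider data leak", sle=800_000, aro=0.50),
]

# Constructed candidate controls; names, costs and effects are hypothetical.
CANDIDATES = [
    Investment("vulnerability management program", 250_000, {"ransomware": 0.3, "web app breach": 0.5}),
    Investment("EDR rollout", 400_000, {"ransomware": 0.6}),
    Investment("DLP", 150_000, {"insider data leak": 0.5}),
    Investment("phishing-resistant MFA", 100_000, {"ransomware": 0.2, "insider data leak": 0.2}),
]

ACCEPTED_THRESHOLD = 1_200_000  # constructed risk appetite in dollars of ALE

if __name__ == "__main__":
    chosen, final = plan_to_threshold(RISKS, CANDIDATES, ACCEPTED_THRESHOLD)
    print(f"exposure before: ${exposure(RISKS):,.0f}, threshold: ${ACCEPTED_THRESHOLD:,}")
    for inv in chosen:
        print(f"  fund {inv.name} (${inv.cost:,})")
    print(f"exposure after: ${final:,.0f}")
    print(board_summary(RISKS, chosen))
```

With these constructed figures the greedy pass funds MFA first (the best exposure removed per dollar) and then the vulnerability management program, which brings the register from $2.0M to about $1.18M of annualized exposure for $350K, under the $1.2M threshold. Two caveats a practitioner would raise before putting this in front of a board: the SLE and ARO inputs are the whole argument, so they need a defensible source (incident history, insurer data, or a structured estimate), and greedy selection is not guaranteed to find the cheapest combination when controls overlap heavily.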

  • The paradox of speed: With this information, companies can redefine security as a system to accelerate innovation safely, Nolen says. "Security is often seen as brakes on a car. Most people interpret that as something that will make them slow down. But what we're actually doing is enabling the business to go faster, because you know there's a safety mechanism there to slow you down when needed."

  • The new normal: Still, people are creatures of habit, Nolen admits. "When construction forces a detour on your daily route, it feels inconvenient until it becomes the new normal. I believe what people perceive as a security roadblock is just something they're not yet comfortable with."

To close the accountability gap, leaders can follow Nolen's playbook. In his experience, it almost always begins with being precise about what a risk actually is. "You have to understand what a risk truly is and not just bring a list of issues to the table. Stating that you're not fixing vulnerabilities is just an acknowledgment of an issue. The risk is the answer to the question, 'What happens if we don't?'" That distinction is what lets teams translate technical problems into financial impact.

With that change formalized, security can finally become a framework for growth, Nolen concludes. Making that change, however, often depends on another missing component entirely. "You can tell me I own the risk, but that means you must empower me with the budget and authority to change our risk posture. You cannot tell me I own it, and then not give me the empowerment to make changes. It's the empowerment piece that's missing."

© ISLAND, 2025. All rights reserved