Imagine it’s 3:00 AM. Your phone vibrates: a major service provider in your supply chain has been hit by ransomware. On paper, your internal systems are “Green.” Your firewalls held. Your data is encrypted.
But by 8:00 AM, the reality sets in: Because that provider is down, your customers can’t access critical services. By noon, the story has hit the national news because the disruption is affecting public infrastructure. You realize that being “technically secure” didn’t stop you from being “societally irresponsible.”
In a recent research paper published in Information Systems Frontiers (2025), researchers Niki Panteli, Boineelo R. Nthubu, and Konstantinos Mersinas argue that we must move past this narrow view. To be a leader in 2026, you must adopt a Responsible Cybersecurity Framework: one that looks less like a wall and more like an onion.
The Shift: From Security Architect to “Steward”
The research identifies a fundamental evolution in our industry: we are moving away from seeing cybersecurity as a purely mathematical or cryptographic problem and toward seeing it as a collective commitment to stewardship.
According to the study, a responsible CISO acts as a “steward.” This means you aren’t just protecting bits and bytes; you are a steward of other people’s information, their services, and the broader well-being of society. The paper posits that responsibility is not a one-way street; it is a reciprocal relationship between the individual, the organization, and the network at large.
The Onion-Shaped Framework: Five Layers of Responsibility
The core insight is a multi-layered model that expands the CISO’s scope far beyond the server room.
1. The Techno-Centric Layer (The Core)
This is your technical foundation. However, “responsibility” here goes beyond patching. It involves:
- Secure by Design: Integrating security into the architecture phase, ensuring that software doesn’t “accrue ethical debt” down the line.
- Mandated Leadership: The research emphasizes that responsibility fails without a dedicated CISO who has the specific mandate and funding to oversee these technical defenses.
2. The Human-Centric Layer: Well-being as Defense
The researchers highlight a critical gap in traditional strategy: the human factor. This layer isn’t just about training; it’s about care.
- The Burnout Crisis: The paper explicitly notes the 24/7 pressure on SOC teams. A responsible CISO manages the “psychological safety” and mental health of their team to prevent the fatigue that leads to missed alerts, skipped checks, and ultimately breaches.
- Inclusive Security: Responsibility means recognizing neurodiversity within security teams and ensuring systems are usable for a diverse workforce, rather than forcing humans to adapt to rigid, “unfriendly” technical protocols.
3. The Intra-Organizational Layer: Breaking the “Police” Stigma
One of the most profound findings in the study is the disconnect between security and business.
- The “Police” Perception: Business teams often see security as a “Police Department” that slows them down.
- Shared Ownership: Responsible cybersecurity requires a mindset shift where HR, Finance, and Marketing realize they own the risk in their departments. The CISO’s role is to bridge the “entrepreneurial mindset” (which takes risks) with the “security mindset” (which manages them).
4. The Inter-Organizational Layer: The Supply Chain Paradox
The research found that supply chain compromises account for up to 62% of intrusions. The paper offers a stark warning: You cannot transfer risk.
- Liability in Transit: Even if you use a third-party cloud, you remain the data owner. A contract can shift costs, but not accountability: if data is breached in transit or at a partner’s site, the responsibility (and the reputational hit with your customers and regulators) remains yours.
- The SME Support Role: Large organizations have a responsibility to act as “mentors” to the smaller vendors in their chain who may lack the resources to defend themselves.
5. The Societal-Centric Layer: The “Blast Radius”
The outermost layer recognizes that your company does not exist in a vacuum. A breach in a food supplier or a laboratory service (like the recent NHS incidents) has catastrophic consequences for the public. A responsible approach requires us to consider the ethical intent behind our technology and how its failure might cause societal chaos.
The Vector of Change: Leadership as the Connector
The study concludes that these layers don’t connect themselves. Senior leadership is the vector that binds the onion together.
Fostering this mindset requires a “top-down” approach. It is the role of the CISO to translate these complex societal and technical risks into the “language of the board.” When leadership treats security as a core value rather than a line-item expense, the organization moves from “vulnerable” to “responsible.”
Orchestrating the “Onion” with a Cyber OS
While the research provides the strategic framework, the modern CISO faces a massive operational hurdle: How do you monitor all layers at once?
Managing team burnout metrics, vendor risk assessments, and technical vulnerabilities across fragmented tools is a recipe for blind spots. This is where a Cyber OS for CISOs becomes the essential “Operating System” for responsibility.
By orchestrating your entire security posture in one place, you gain the visibility to see the “Blast Radius” across the entire onion. This is how CISOteria allows you to bridge the gap between business and security, providing the single pane of glass needed to move from a technical protector to a societal steward.
For Further Reading
This blog post was based on the insights presented in: Panteli, N., Nthubu, B.R. & Mersinas, K. Being Responsible in Cybersecurity: A Multi-Layered Perspective. Inf Syst Front 28, 209–227 (2025). https://doi.org/10.1007/s10796-025-10588-0