Andrew Rose is a Principal Analyst at Forrester Research, where he serves Security & Risk Professionals. He argues that you can delegate responsibility but accountability remains fixed. Firms are now made up of a myriad of off-shored and outsourced services, running on systems that are similarly fragmented and distributed across vendors. This complex tangle of people and data represents a huge challenge to the CISO who remains accountable for the security of his employer yet is no longer responsible for their provision.”]
Source: https://www.csoonline.com/article/2136103/compliance-and-cloud—-responsible-or-accountable-.html