As a new-to-role CISO, I am wondering: how do you make RACI look better than it looks "on paper" in your company? What I am specifically looking for is ways of fostering real collaboration and reaching consensus between oldies and newcomers in their roles.

VP of IT, 18 hours ago

I’ve found that the biggest challenge with a RACI isn’t the chart itself, it’s making it “live” in the culture of the organization. On paper, a RACI is tidy. In practice, people don’t work in boxes, and success comes down to how you enable collaboration and alignment.

When I was a State CISO, we operated in a federated IT model where cybersecurity was the only enterprise-wide shared service. The RACI we developed clarified expectations, but what made it effective was not the chart, it was the conversations it forced us to have. A few lessons that may apply in your situation:

- Start with shared purpose. Before diving into roles, anchor the group in why the RACI exists: to reduce ambiguity, speed decision-making, and build trust. Framing it as an enabler of collaboration (not control) helps everyone engage.
- Use it as a dialogue tool. Don’t present the RACI as “done.” Workshop it with stakeholders so they see themselves in it. People are much more likely to honor boundaries they helped define.
- Tenured people often bring institutional memory, while newcomers bring fresh perspective. Explicitly valuing both in the RACI discussions helps prevent one group from feeling sidelined.
- RACIs are snapshots in time. Roles shift, organizations change. Building in a review cadence (e.g., quarterly or after major initiatives) keeps it relevant and avoids the perception that it’s a bureaucratic artifact... something very relevant in the public sector!
- Celebrate when clarity from the RACI prevents delays, avoids duplication, or resolves conflicts. When people see real wins, the RACI becomes more than a chart... it becomes part of the culture.

My objective was to take it from paper into practice. I would encourage you not to focus on making the RACI “look” better but rather focus on making it work better through dialogue, iteration, and connection to results.

no title, 15 hours ago

I would second what Gary said. Have the conversation about what the outcomes are that people are trying to achieve, and then talk about where your team is the accountable group. Let people know you are there to help and that your team has the expertise so their people do not need to worry about it.

If you are looking for a RACI within your own team, regarding responsibilities, I think the best way to start is by assessing your overall team, and sharing your version of what you want work to look like. If you have a team of people who all do the same thing, even though you have more senior people, you will likely hear the senior folks say something like - "I wish I could do more of XYZ, but I cannot get to it because there is not enough time in the day because I am busy spending time on ".

In those cases, I started out talking about the end goal, of having the senior people focus on things that really move us forward, and building our lower level staff by designating them to do specific tasks. Once you start having that conversation and you start getting buy-in, a RACI that removes certain level staff from certain tasks is just another document that outlines how you envision your group working.

HTH

VP, Global Head of IT, 18 hours ago

I have found the typical approach to RACI not to be reflective of the way people really think and operate. At the end of the day, we have those who get to decide things, those who lead execution, and everyone else that might play a flexible set of subject matter advisory roles / requirements providers. I'd focus more on clearly defining the scope and elevation of decisions that will be made by the leads at different levels (with tangible examples, or better yet anticipated decision areas ahead), and what limited set of people will direct day to day tasking of others. For execution, I have also found that it helps to focus on the measures of success, and not the process of execution itself. This can make for a great collaboration and alignment workshop for your newly forming team. Good luck.

no title, 13 hours ago

Thanks for these great insights, what stands out to me is that a RACI works best when it’s treated as a bridge for trust, not just a chart. For me, that means framing it around shared outcomes, co-creating it with stakeholders, and reviewing it often so it stays relevant. When people see it reduce friction and speed decisions, it becomes more than a document, it becomes part of the culture.
