If you can demonstrate due process and reasonable effort to secure against breaches, you're doing your job. For instance, with described procedures, sane defaults, locked-down environments, etc. But if you're a CSO and have not described threat models, workflows, and security practices, then you've not done your job and should be held accountable for data breaches.