Cyber pros say the buck stops with the board when it comes to security failings
Fines, sanctions, and even prosecution are all on the table when it comes to cyber failings, practitioners believe


A majority of cyber professionals believe responsibility for security and regulatory compliance lies with the board, according to new research.
CIISec’s recent State of the Security Profession report shows 91% of practitioners believe the burden for security lies with the board, and not security managers or CISOs.
Notably, more than half (56%) said they believe senior management figures should “face consequences”, including fines, prosecution, and sanctions, for serious cybersecurity failings.
Just 34% believe the employee who breached policy - if that’s the case - should be held responsible.
Amanda Finch, CEO of CIISec, said the study highlights the need for a more aligned approach to cybersecurity between the board and frontline practitioners.
“If the buck stops with senior management – as the survey makes clear – our profession must take a more collaborative approach to security, ensuring the board is aware of the risks and included in major decisions,” she said.
“This means more learning for cybersecurity professionals, improved understanding of regulations and developing better communication of risk to stakeholders outside of the security function.”
Regulatory concerns drive demand for change
Changing sentiment on board-level responsibility comes amid a period of growing regulatory scrutiny on both sides of the Atlantic, Finch noted.
The introduction of the EU AI Act, DORA, NIS2, and the UK’s Data (Use and Access) Bill means practitioners are more conscious of regulatory compliance than ever before.
“It’s important to remember that regulations aren’t imposed to make the security profession more challenging, although sometimes it may feel that way,” she said.
“They have been developed to help address failures from the past, close gaps that have previously been overlooked and establish a minimum standard across the industry.”
Finch noted that while these regulations have created fresh challenges for enterprises and security professionals alike, they serve a vital purpose and therefore require close attention.
“These laws have been introduced to protect citizens, improve their quality of life and ensure that businesses can be held accountable for irresponsible actions,” she added.
“As cybersecurity matures as a profession, we should view increased regulation not as a burden but as a sign of progress.”
Compliance is easier said than done, however. Research earlier this year showed that a significant number of companies were struggling to achieve compliance with NIS2.
Separate research on DORA showed that four in ten UK financial services firms were struggling to achieve compliance with the legislation ahead of its introduction.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.