Cyber pros say the buck stops with the board when it comes to security failings
Fines, sanctions, and even prosecution are all on the table when it comes to cyber failings, practitioners believe
A majority of cyber professionals believe responsibility for security and regulatory compliance lies with the board, according to new research.
CIISec’s recent State of the Security Profession report shows 91% of practitioners believe the burden for security lies with the board, and not security managers or CISOs.
Notably, more than half (56%) said they believe senior management figures should “face consequences”, including fines, prosecution, and sanctions, for serious cybersecurity failings.
Just 34% believe the employee who breached policy - if that’s the case - should be held responsible.
Amanda Finch, CEO of CIISec, said the study highlights the need for a more aligned approach to cybersecurity between the board and frontline practitioners.
“If the buck stops with senior management – as the survey makes clear – our profession must take a more collaborative approach to security, ensuring the board is aware of the risks and included in major decisions,” she said.
“This means more learning for cybersecurity professionals, improved understanding of regulations and developing better communication of risk to stakeholders outside of the security function.”
Regulatory concerns drive demand for change
Finch noted that the shift in sentiment on board-level responsibility comes amid a period of growing regulatory scrutiny on both sides of the Atlantic.
The introduction of the EU AI Act, DORA, NIS2, and the UK's Data (Use and Access) Bill means practitioners are more conscious of regulatory compliance than ever before.
“It’s important to remember that regulations aren’t imposed to make the security profession more challenging, although sometimes it may feel that way,” she said.
“They have been developed to help address failures from the past, close gaps that have previously been overlooked and establish a minimum standard across the industry.”
Finch noted that while these regulations have created fresh challenges for enterprises and security professionals alike, they serve a vital purpose and therefore require close attention.
“These laws have been introduced to protect citizens, improve their quality of life and ensure that businesses can be held accountable for irresponsible actions,” she added.
“As cybersecurity matures as a profession, we should view increased regulation not as a burden but as a sign of progress.”
Compliance is easier said than done, however. Research earlier this year showed that a significant number of companies were struggling to achieve compliance with NIS2.
Separate research on DORA showed that four in ten UK financial services firms were struggling to achieve compliance with the legislation ahead of its introduction.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.