Cyber pros say the buck stops with the board when it comes to security failings
Fines, sanctions, and even prosecution are all on the table when it comes to cyber failings, practitioners believe
A majority of cyber professionals believe responsibility for security and regulatory compliance lies with the board, according to new research.
CIISec’s recent State of the Security Profession report shows 91% of practitioners believe the burden for security lies with the board, and not security managers or CISOs.
Notably, more than half (56%) said they believe senior management figures should “face consequences”, including fines, prosecution, and sanctions, for serious cybersecurity failings.
Just 34% believe the employee who breached policy - if that’s the case - should be held responsible.
Amanda Finch, CEO of CIISec, said the study highlights the need for a more aligned approach to cybersecurity between the board and frontline practitioners.
“If the buck stops with senior management – as the survey makes clear – our profession must take a more collaborative approach to security, ensuring the board is aware of the risks and included in major decisions,” she said.
“This means more learning for cybersecurity professionals, improved understanding of regulations and developing better communication of risk to stakeholders outside of the security function.”
Regulatory concerns drive demand for change
Changing sentiment on board-level responsibility comes amidst a period of growing regulatory scrutiny on both sides of the Atlantic, Finch noted.
The introduction of the EU AI Act, DORA, NIS2, and the UK’s Data (Use and Access) Bill means practitioners are more conscious of regulatory compliance than ever before.
“It’s important to remember that regulations aren’t imposed to make the security profession more challenging, although sometimes it may feel that way,” she said.
“They have been developed to help address failures from the past, close gaps that have previously been overlooked and establish a minimum standard across the industry.”
Finch noted that while these regulations have created fresh challenges for enterprises and security professionals alike, they serve a vital purpose and therefore require close attention.
“These laws have been introduced to protect citizens, improve their quality of life and ensure that businesses can be held accountable for irresponsible actions,” she added.
“As cybersecurity matures as a profession, we should view increased regulation not as a burden but as a sign of progress.”
Compliance is easier said than done, however. Research earlier this year showed a significant number of companies were struggling to achieve compliance with NIS2 regulations.
Separate research on DORA showed four in ten UK financial services firms were struggling to achieve compliance with the legislation ahead of its introduction.
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.