More than two-thirds (69%) of industry professionals have argued that current cybersecurity laws still aren’t strict enough, according to a new survey by the Chartered Institute of Information Security (CIISec).
The organization’s annual State of the Security Profession survey is compiled from interviews with CIISec members and the wider security community.
Some early findings were shared in a blog post last week by CEO Amanda Finch, who revealed that the report focuses heavily on regulation this year.
It’s been a big 12 months for security-related regulation, with the EU AI Act, DORA, NIS2, the UK Data (Use and Access) Act and the UK Cyber Security and Resilience Bill all coming into force or passing various legislative milestones.
The Cyber Security and Resilience Bill, DORA and NIS2 were cited by respondents as having the “most significant impact on the profession” – despite the former still making its way through parliament and the latter two laws applying only to UK firms with European operations.
Respondents were also clear about who they think should take responsibility for breaches: 91% pointed to the board, while less than a third (31%) said CISOs.
In fact, only 34% argued that specific employees who breach policy should be held responsible for their actions, while over half (56%) said senior management should face sanctions, prosecutions or fines for serious cyber incidents.
That is certainly the direction of travel in new laws like NIS2 and DORA, which for the first time make senior leadership personally liable for serious infractions.
“If the buck stops with senior management – as the survey makes clear – our profession must take a more collaborative approach to security, ensuring the board is aware of the risks and included in major decisions,” wrote Finch.
“This means more learning for cybersecurity professionals, improved understanding of regulations and developing better communication of risk to stakeholders outside of the security function.”
As part of the Cyber Security and Resilience Bill, the UK government is pushing to ban ransomware payments for certain public sector and critical infrastructure organizations, and to roll out a mandatory incident reporting regime with penalties for organizations that refuse.