CIISec: Most Security Professionals Want Stricter Regulations

More than two-thirds (69%) of industry professionals have argued that current cybersecurity laws still aren’t strict enough, according to a new survey by the Chartered Institute of Information Security (CIISec).

The organization’s annual State of the Security Profession survey is compiled from interviews with CIISec members and the wider security community.

Some early findings were shared in a blog post last week by CEO Amanda Finch, who revealed that the report focuses heavily on regulation this year.

It’s been a big 12 months for security-related regulation, with the EU AI Act, DORA, NIS2, the UK Data (Use and Access) Act and the UK Cyber Security and Resilience Bill all coming into force or passing various legislative milestones.

The Cyber Security and Resilience Bill, DORA and NIS2 were cited by respondents as having the “most significant impact on the profession” – despite the former still making its way through parliament and the latter two laws applying only to UK firms with European operations.

Respondents were also clear about whom they think should take responsibility for breaches: 91% pointed to the board, while less than a third (31%) said CISOs.

In fact, only 34% argued that specific employees who breach policy should be held responsible for their actions, while over half (56%) said senior management should face sanctions, prosecutions or fines for serious cyber incidents.

That is certainly the direction of travel in new laws like NIS2 and DORA, which for the first time make senior leadership personally liable for serious infractions.

“If the buck stops with senior management – as the survey makes clear – our profession must take a more collaborative approach to security, ensuring the board is aware of the risks and included in major decisions,” wrote Finch.

“This means more learning for cybersecurity professionals, improved understanding of regulations and developing better communication of risk to stakeholders outside of the security function.”

As part of the Cyber Security and Resilience Bill, the UK government is pushing to ban ransomware payments for certain public sector and critical infrastructure organizations, and to roll out a mandatory incident reporting regime with penalties for organizations that refuse.