Boards should bear ultimate responsibility for cybersecurity

A new State of the Security Profession survey from The Chartered Institute of Information Security (CIISec) shows that 91 percent of the profession believe ultimate responsibility for cybersecurity lies with the board, while just 31 percent place it with security managers or CISOs.

The survey focused on regulation in the light of a wave of major regulations either recently passed or coming into force -- including the EU AI Act, DORA, NIS2 and the UK’s Data (Use and Access) Bill.

The findings show that 56 percent say senior management should face consequences such as sanctions, prosecutions, or fines for serious cyber incidents. Only 34 percent believe the specific employee who breached policy should be held responsible.

In addition, 69 percent think current laws are still not strict enough, with the Cyber Security and Resilience Act, DORA, and NIS2 cited as having the most significant impact on the profession.

Amanda Finch, CEO of CIISec, writes on the institute’s blog, “If the buck stops with senior management -- as the survey makes clear -- our profession must take a more collaborative approach to security, ensuring the board is aware of the risks and included in major decisions. This means more learning for cyber security professionals, improved understanding of regulations and developing better communication of risk to stakeholders outside of the security function.”

When it comes to addressing these challenges, respondents point to enhanced data sharing between organizations and mandatory responsible disclosure as immediate actions the profession can take towards regulatory maturity. In the longer term, professionalization across the industry also featured highly.

You can find out more on the CIISec site.

© 1998-2025 BetaNews, Inc. All Rights Reserved.