
Security Pros Demand Stricter Regulations, CIISec Reports

Summary

– 69% of industry professionals believe current cybersecurity laws are not strict enough, according to a CIISec survey.
– The Cyber Security and Resilience Bill, DORA, and NIS2 were identified as having the most significant impact on the profession.
– 91% of respondents believe the board should take responsibility for breaches, while only 31% pointed to CISOs.
– Over half (56%) of respondents said senior management should face sanctions for serious cyber incidents, aligning with new laws like NIS2 and DORA.
– The UK government is pushing to ban ransomware payments and mandate incident reporting with penalties under the Cyber Security and Resilience Bill.

A significant majority of cybersecurity professionals believe current regulatory frameworks fall short in addressing modern threats, with 69% calling for stricter cybersecurity laws, according to a recent industry survey. The findings, drawn from the Chartered Institute of Information Security's (CIISec) annual assessment, highlight growing concerns about legal preparedness in an increasingly volatile digital environment.

This year’s report places particular emphasis on regulatory developments, reflecting a period of notable legislative activity across Europe and the UK. Landmark regulations such as the EU AI Act, DORA, NIS2, and the UK Cyber Security and Resilience Bill have either been enacted or reached critical stages in the legislative process. Among these, professionals identified NIS2, DORA, and the pending UK Cyber Security and Resilience Bill as having the most significant impact on the profession, even though some are not yet fully in force or apply only to specific jurisdictions.

When it comes to accountability, an overwhelming 91% of respondents believe corporate boards should bear responsibility for security breaches, compared to just 31% who pointed to Chief Information Security Officers. Only about a third of those surveyed felt individual employees should be held accountable for policy violations, while more than half argued that senior management should face legal or financial consequences for serious incidents.

This shift toward executive accountability is already reflected in newer regulations like NIS2 and DORA, which introduce personal liability for top-level leaders in cases of major compliance failures. As one industry leader noted, this trend necessitates a more collaborative approach to cybersecurity, ensuring that boards are not only aware of risks but are actively involved in strategic decisions.

The push for stronger regulation is also evident in specific policy proposals, such as the UK government’s effort to ban ransomware payments for critical infrastructure organizations and introduce mandatory incident reporting with penalties for non-compliance. These measures signal a broader move toward enforceable standards and clearer lines of responsibility in cybersecurity governance.

(Source: Info Security)
